
I have the below situation for my EMR. Can someone please guide me on how to go about configuring it?

EMR Cluster performs multiple operations across the data pipeline:

  1. EMR writes to S3BUCKET1 with KMSKEY1
  2. EMR writes to S3BUCKET2 with KMSKEY2

How do I configure the above in EMR? The only options I am aware of to configure EMR are in emrfs-site.xml and /etc/hadoop/conf.empty/core-site.xml.

These have the tags fs.s3.serverSideEncryption.kms.keyId

How do I achieve my requirement with the above KMS keys? I need to switch between KMS keys for different bucket writes.

John Rotenstein
Richard

1 Answer


You can attach encrypt/decrypt permissions to EMR_EC2_DefaultRole:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:*",
            "Resource": [
            ...
            ]
        }
    ]
}

Specify your keys in resources and attach it to the role.

gorros
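An added example, not part of the original answer: it builds a role policy scoped to the two keys with only the actions SSE-KMS reads and writes use, and audits a policy for `kms:*`, `Resource: "*"` and keys it does not cover. The action list, the `EmrfsSseKmsKeys` Sid, the function names and the key ARNs are assumptions made for illustration; it covers only the permission side the answer describes.

```python
import json

# Assumption: EMRFS only needs data-plane KMS actions for SSE-KMS object
# reads and writes, so key-management actions are left out.
SSE_KMS_ACTIONS = ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
                   "kms:GenerateDataKey", "kms:ReEncrypt*"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def build_kms_policy(key_arns):
    """Allow only the SSE-KMS actions, only on the listed key ARNs."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "EmrfsSseKmsKeys", "Effect": "Allow",
                           "Action": SSE_KMS_ACTIONS,
                           "Resource": sorted(key_arns)}]}

def audit_kms_policy(policy, expected_key_arns):
    """Return findings for wildcard KMS grants and for uncovered keys."""
    findings, granted = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
                a == "*" or a.lower().startswith("kms:") for a in actions):
            continue  # not a statement that grants KMS access
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "kms:*") for a in actions):
            findings.append(f"{sid}: wildcard action includes key-management calls")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' covers every key in the account")
        granted.update(resources)
    if "*" not in granted:
        findings += [f"missing key: {arn}" for arn in expected_key_arns
                     if arn not in granted]
    return findings

if __name__ == "__main__":
    # Constructed placeholder ARNs standing in for KMSKEY1 and KMSKEY2.
    keys = ["arn:aws:kms:us-east-1:111122223333:key/KMSKEY1-PLACEHOLDER",
            "arn:aws:kms:us-east-1:111122223333:key/KMSKEY2-PLACEHOLDER"]
    scoped = build_kms_policy(keys)
    print(json.dumps(scoped, indent=4))
    print(audit_kms_policy(scoped, keys))  # no findings expected
    broad = {"Version": "2012-10-17", "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": "kms:*", "Resource": keys[:1]}]}
    for finding in audit_kms_policy(broad, keys):
        print(finding)
```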