Encrypting logs - Amazon EMR
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Encrypting logs

To encrypt logs, specify the KMS keys in the managedPersistenceMonitoringConfiguration configuration if you're using managed storage, and the s3MonitoringConfiguration configuration if you're using S3.

Managed storage

  1. To encrypt logs for managed storage from the Amazon CLI, specify the KMS keys in the managedPersistenceMonitoringConfiguration configuration when you submit a job run.

    {
      "monitoringConfiguration": {
        "managedPersistenceMonitoringConfiguration": {
          "encryptionKeyArn": "key-arn"
        }
      }
    }

    To use a KMS key to protect your logs, include the following statement in the KMS key's policy. It grants the emr-serverless.amazonaws.com service principal the kms:GenerateDataKey and kms:Decrypt permissions it needs.

    {
      "Effect": "Allow",
      "Principal": {
        "Service": "emr-serverless.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:SourceArn": "arn:aws:emr-serverless:region:aws-account-id:/applications/application-id"
        }
      }
    }

    As a security best practice, add an aws:SourceArn condition key to the KMS key policy. The IAM global condition key aws:SourceArn helps ensure that EMR Serverless can use the KMS key only on behalf of the application ARN you specify, rather than for any application.

  2. To ensure that the job runtime role has key access, include the following permissions in the permissions policy for the job runtime role.

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": [
          "kms:GenerateDataKey",
          "kms:Decrypt"
        ],
        "Resource": "key-arn"
      }
    }

  3. To ensure that the job submitter has key access, update either the KMS key policy or the user's IAM policy. If the job submitter doesn't have key access, EMR Serverless will reject the request.

    Key policy

    The following key policy provides the job submitter with permissions to kms:GenerateDataKey and kms:Decrypt.

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:user/user-name"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }

    IAM policy

    The following IAM policy provides the job submitter with permissions to kms:GenerateDataKey and kms:Decrypt.

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": [
          "kms:GenerateDataKey",
          "kms:Decrypt"
        ],
        "Resource": "key-arn"
      }
    }

Amazon S3 buckets

To encrypt the logs that EMR Serverless writes to your S3 bucket from the Amazon CLI, use the following s3MonitoringConfiguration configuration when you submit a job run.

{
  "monitoringConfiguration": {
    "s3MonitoringConfiguration": {
      "logUri": "s3://DOC-EXAMPLE-BUCKET-LOGGING/logs/",
      "encryptionKeyArn": "key-arn"
    }
  }
}

Key policy

To ensure that the job runtime role has key access, include the following permissions in the job runtime role's permissions policy.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Resource": "key-arn"
  }
}
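The following Python script is an added example, not code from the Amazon EMR documentation or from the EMR Serverless service. It ties together both the managed storage steps and the Amazon S3 section above: it builds the monitoringConfiguration block for either log destination, and it audits a KMS key policy and a runtime-role policy for the permissions the page lists, flagging a service-principal grant that lacks the recommended aws:SourceArn condition. All ARNs and policies in it are constructed placeholders, and the StringLike matcher is a simplified approximation of IAM's condition evaluation.

```python
"""Build EMR Serverless log-encryption configuration and audit the related
KMS key policy and runtime-role policy.  Added example with constructed,
placeholder ARNs; not the documentation's own code."""
import fnmatch
import json

REQUIRED_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}
EMR_SERVERLESS_PRINCIPAL = "emr-serverless.amazonaws.com"

# Placeholder identifiers (constructed for this example, not real resources).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
APP_ARN = "arn:aws:emr-serverless:us-east-1:111122223333:/applications/00example"


def build_monitoring_configuration(key_arn, log_uri=None):
    """Return the monitoringConfiguration block for a job run.

    With log_uri=None the logs go to managed storage
    (managedPersistenceMonitoringConfiguration); with an S3 URI the
    s3MonitoringConfiguration form is produced instead.
    """
    if log_uri is None:
        inner = {"managedPersistenceMonitoringConfiguration": {"encryptionKeyArn": key_arn}}
    else:
        inner = {"s3MonitoringConfiguration": {"logUri": log_uri, "encryptionKeyArn": key_arn}}
    return {"monitoringConfiguration": inner}


def _as_list(value):
    # IAM lets "Statement", "Action", "Resource" and condition values be a
    # single element or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_key_policy(policy, application_arn):
    """Audit a KMS key policy for the EMR Serverless service-principal grant.

    Returns [] when some Allow statement gives the service principal both
    required actions and scopes it with aws:SourceArn covering application_arn.
    Otherwise returns findings: "missing-grant", "missing-source-arn" (grant
    present but usable for any application) or "source-arn-mismatch".
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or EMR_SERVERLESS_PRINCIPAL not in services:
            continue
        if not REQUIRED_ACTIONS.issubset(_as_list(stmt.get("Action", []))):
            continue
        patterns = _as_list(stmt.get("Condition", {}).get("StringLike", {}).get("aws:SourceArn", []))
        if not patterns:
            findings.append("missing-source-arn")
            continue
        # Simplified StringLike: '*' matches any run of characters.
        if not any(fnmatch.fnmatchcase(application_arn, p) for p in patterns):
            findings.append("source-arn-mismatch")
            continue
        return []  # a correctly scoped grant exists
    return findings or ["missing-grant"]


def role_policy_grants_key(policy, key_arn):
    """True if an IAM policy (runtime role or job submitter) allows both
    required actions on key_arn (or on all resources)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        if REQUIRED_ACTIONS.issubset(actions) and any(r in ("*", key_arn) for r in resources):
            return True
    return False


# Constructed sample policies mirroring the shapes shown in the documentation.
GOOD_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": EMR_SERVERLESS_PRINCIPAL},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {"StringLike": {"aws:SourceArn": APP_ARN}},
    }],
}
# Same grant without aws:SourceArn: the service principal could use the key
# on behalf of any application, which the audit reports.
UNSCOPED_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in GOOD_KEY_POLICY["Statement"][0].items() if k != "Condition"}]}
RUNTIME_ROLE_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": KEY_ARN}}

if __name__ == "__main__":
    print(json.dumps(build_monitoring_configuration(KEY_ARN), indent=2))
    print("good key policy findings:", audit_key_policy(GOOD_KEY_POLICY, APP_ARN))
    print("unscoped key policy findings:", audit_key_policy(UNSCOPED_KEY_POLICY, APP_ARN))
    print("runtime role has key access:", role_policy_grants_key(RUNTIME_ROLE_POLICY, KEY_ARN))
```

The configuration returned by build_monitoring_configuration is the JSON you would pass as the monitoringConfiguration part of a job run's configuration overrides; the two audit functions are meant to be run over the policies fetched from your account before submitting jobs, so that a missing grant is caught in review rather than as a rejected job run.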