EMR Security Configuration Encryption Disabled
- Query id: 5b033ec8-f079-4323-b5c8-99d4620433a9
- Query name: EMR Security Configuration Encryption Disabled
- Platform: CloudFormation
- Severity: Medium
- Category: Encryption
- URL: Github
Description
EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Resources:
  EMRSecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      Name: String
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: false
          EnableAtRestEncryption: false
          AtRestEncryptionConfiguration:
            LocalDiskEncryptionConfiguration:
              EnableEbsEncryption: true
              EncryptionKeyProviderType: AwsKms
              AwsKmsKey: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Positive test num. 2 - yaml file
Resources:
  EMRSecurityConfiguration01:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      Name: String
      SecurityConfiguration:
        EncryptionConfiguration:
          AtRestEncryptionConfiguration:
            LocalDiskEncryptionConfiguration:
              EnableEbsEncryption: false
Positive test num. 3 - yaml file
Resources:
  EMRSecurityConfiguration03:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      Name: String
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: false
          EnableAtRestEncryption: false
Positive test num. 4 - yaml file
Positive test num. 5 - json file
{
  "Resources": {
    "EMRSecurityConfiguration": {
      "Type": "AWS::EMR::SecurityConfiguration",
      "Properties": {
        "Name": "String",
        "SecurityConfiguration": {
          "EncryptionConfiguration": {
            "EnableInTransitEncryption": false,
            "EnableAtRestEncryption": false,
            "AtRestEncryptionConfiguration": {
              "LocalDiskEncryptionConfiguration": {
                "EnableEbsEncryption": true,
                "EncryptionKeyProviderType": "AwsKms",
                "AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
              }
            }
          }
        }
      }
    }
  }
}
Positive test num. 6 - json file
Positive test num. 7 - json file
Positive test num. 8 - json file
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# this is correct code for which the query should not find any result
Resources:
  EMRSecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      Name: String
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: true
          EnableAtRestEncryption: true
          AtRestEncryptionConfiguration:
            LocalDiskEncryptionConfiguration:
              EnableEbsEncryption: true
              EncryptionKeyProviderType: AwsKms
              AwsKmsKey: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Negative test num. 2 - yaml file
Resources:
  EMRSecurityConfiguration01:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      Name: String
      SecurityConfiguration:
        EncryptionConfiguration:
          AtRestEncryptionConfiguration:
            LocalDiskEncryptionConfiguration:
              EnableEbsEncryption: true
              EncryptionKeyProviderType: AwsKms
              AwsKmsKey: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Negative test num. 3 - yaml file
Resources:
  EMRSecurityConfiguration02:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      Name: String
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: true
          EnableAtRestEncryption: true
Negative test num. 4 - json file
{
  "Resources": {
    "EMRSecurityConfiguration": {
      "Type": "AWS::EMR::SecurityConfiguration",
      "Properties": {
        "Name": "String",
        "SecurityConfiguration": {
          "EncryptionConfiguration": {
            "EnableInTransitEncryption": true,
            "EnableAtRestEncryption": true,
            "AtRestEncryptionConfiguration": {
              "LocalDiskEncryptionConfiguration": {
                "AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
                "EnableEbsEncryption": true,
                "EncryptionKeyProviderType": "AwsKms"
              }
            }
          }
        }
      }
    }
  }
}
Negative test num. 5 - json file
{
  "Resources": {
    "EMRSecurityConfiguration01": {
      "Type": "AWS::EMR::SecurityConfiguration",
      "Properties": {
        "Name": "String",
        "SecurityConfiguration": {
          "EncryptionConfiguration": {
            "AtRestEncryptionConfiguration": {
              "LocalDiskEncryptionConfiguration": {
                "EnableEbsEncryption": true,
                "EncryptionKeyProviderType": "AwsKms",
                "AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
              }
            }
          }
        }
      }
    }
  }
}
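An offline check in the spirit of this query, added here as an example; it is not the KICS query, which this page does not show. The rule it applies (a flag explicitly set to false is reported, an omitted flag is not) is an assumption inferred from the positive and negative samples above, and the function names and sample template are constructed.

```python
import json

EMR_TYPE = "AWS::EMR::SecurityConfiguration"
ENC_PATH = ("Properties", "SecurityConfiguration", "EncryptionConfiguration")
# Flags checked, as key paths below EncryptionConfiguration. Assumption taken from
# the samples on the page: explicit false is a finding, an omitted flag is not.
FLAG_PATHS = [
    ("EnableInTransitEncryption",),
    ("EnableAtRestEncryption",),
    ("AtRestEncryptionConfiguration", "LocalDiskEncryptionConfiguration", "EnableEbsEncryption"),
]

def _lookup(node, path):
    """Walk nested dicts; return None when any key on the path is absent."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def find_disabled_encryption(template):
    """Return sorted (resource name, dotted flag path) pairs for disabled flags."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != EMR_TYPE:
            continue
        enc = _lookup(resource, ENC_PATH)
        for path in FLAG_PATHS:
            value = _lookup(enc, path)
            # Treat the quoted string "false" like the boolean, in case a template quotes it.
            if isinstance(value, (bool, str)) and str(value).lower() == "false":
                findings.append((name, ".".join(path)))
    return sorted(findings)

# Constructed sample template: one resource per pattern shown in the samples above.
SAMPLE = json.loads("""{"Resources": {
 "AllOff": {"Type": "AWS::EMR::SecurityConfiguration", "Properties": {"SecurityConfiguration":
   {"EncryptionConfiguration": {"EnableInTransitEncryption": false, "EnableAtRestEncryption": false}}}},
 "EbsOff": {"Type": "AWS::EMR::SecurityConfiguration", "Properties": {"SecurityConfiguration":
   {"EncryptionConfiguration": {"AtRestEncryptionConfiguration":
     {"LocalDiskEncryptionConfiguration": {"EnableEbsEncryption": false}}}}}},
 "AllOn": {"Type": "AWS::EMR::SecurityConfiguration", "Properties": {"SecurityConfiguration":
   {"EncryptionConfiguration": {"EnableInTransitEncryption": true, "EnableAtRestEncryption": true}}}},
 "Bucket": {"Type": "AWS::S3::Bucket"}}}""")

if __name__ == "__main__":
    for name, flag in find_disabled_encryption(SAMPLE):
        print(f"{name}: {flag} is false")
```

To run it over a JSON template from disk, pass the result of `json.load` to `find_disabled_encryption`; YAML templates need a YAML parser first.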