**1. To create a security configuration with in-transit encryption enabled with PEM for certificate provider, and at-rest encryption enabled with SSE-S3 for S3 encryption and AWS-KMS for local disk key provider**
- Command::
aws emr create-security-configuration --name MySecurityConfig --security-configuration '{
"EncryptionConfiguration": {
"EnableInTransitEncryption" : true,
"EnableAtRestEncryption" : true,
"InTransitEncryptionConfiguration" : {
"TLSCertificateConfiguration" : {
"CertificateProviderType" : "PEM",
"S3Object" : "s3://mycertstore/artifacts/MyCerts.zip"
}
},
"AtRestEncryptionConfiguration" : {
"S3EncryptionConfiguration" : {
"EncryptionMode" : "SSE-S3"
},
"LocalDiskEncryptionConfiguration" : {
"EncryptionKeyProviderType" : "AwsKms",
"AwsKmsKey" : "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}
}
}
}'
- Output::
{
"CreationDateTime": 1474070889.129,
"Name": "MySecurityConfig"
}
- JSON equivalent (contents of security_configuration.json)::
{
"EncryptionConfiguration": {
"EnableInTransitEncryption": true,
"EnableAtRestEncryption": true,
"InTransitEncryptionConfiguration": {
"TLSCertificateConfiguration": {
"CertificateProviderType": "PEM",
"S3Object": "s3://mycertstore/artifacts/MyCerts.zip"
}
},
"AtRestEncryptionConfiguration": {
"S3EncryptionConfiguration": {
"EncryptionMode": "SSE-S3"
},
"LocalDiskEncryptionConfiguration": {
"EncryptionKeyProviderType": "AwsKms",
"AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}
}
}
}
- Command (using security_configuration.json)::
aws emr create-security-configuration --name "MySecurityConfig" --security-configuration file://./security_configuration.json
- Output::
{
"CreationDateTime": 1474070889.129,
"Name": "MySecurityConfig"
}
**2. To create a security configuration with Kerberos enabled using cluster-dedicated KDC and cross-realm trust**
- Command::
aws emr create-security-configuration --name MySecurityConfig --security-configuration '{
"AuthenticationConfiguration": {
"KerberosConfiguration": {
"Provider": "ClusterDedicatedKdc",
"ClusterDedicatedKdcConfiguration": {
"TicketLifetimeInHours": 24,
"CrossRealmTrustConfiguration": {
"Realm": "AD.DOMAIN.COM",
"Domain": "ad.domain.com",
"AdminServer": "ad.domain.com",
"KdcServer": "ad.domain.com"
}
}
}
}
}'
- Output::
{
"CreationDateTime": 1490225558.982,
"Name": "MySecurityConfig"
}
- JSON equivalent (contents of security_configuration.json)::
{
"AuthenticationConfiguration": {
"KerberosConfiguration": {
"Provider": "ClusterDedicatedKdc",
"ClusterDedicatedKdcConfiguration": {
"TicketLifetimeInHours": 24,
"CrossRealmTrustConfiguration": {
"Realm": "AD.DOMAIN.COM",
"Domain": "ad.domain.com",
"AdminServer": "ad.domain.com",
"KdcServer": "ad.domain.com"
}
}
}
}
}
- Command (using security_configuration.json)::
aws emr create-security-configuration --name "MySecurityConfig" --security-configuration file://./security_configuration.json
- Output::
{
"CreationDateTime": 1490225558.982,
"Name": "MySecurityConfig"
}
