---
title: EMR security configuration encryption disabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > EMR security configuration encryption disabled
---

# EMR security configuration encryption disabled

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-emr-security-configuration-encryptions-enabled` 

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** Medium

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-emr-securityconfiguration.html)

### Description{% #description %}

EMR `SecurityConfiguration` must enable encryption at rest and in transit to prevent unauthorized access to data stored on cluster disks and to protect data in flight between EMR nodes from interception.

For CloudFormation, resources of type `AWS::EMR::SecurityConfiguration` must define `SecurityConfiguration.EncryptionConfiguration` with `EnableAtRestEncryption` set to `true` and `EnableInTransitEncryption` set to `true`. The `AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption` property must be set to `true`, and `EncryptionKeyProviderType` must be defined. Resources missing `EncryptionConfiguration`, with any of those booleans set to `false`, or without a defined `EncryptionKeyProviderType` will be flagged.

Secure CloudFormation example:

```yaml
MyEMRSecurityConfiguration:
  Type: AWS::EMR::SecurityConfiguration
  Properties:
    SecurityConfiguration:
      EncryptionConfiguration:
        EnableAtRestEncryption: true
        EnableInTransitEncryption: true
        AtRestEncryptionConfiguration:
          LocalDiskEncryptionConfiguration:
            EnableEbsEncryption: true
            EncryptionKeyProviderType: AwsKms
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
#this code is a correct code for which the query should not find any result
#this is a problematic code where the query should report a result(s)
Resources:
  EMRSecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
       Name: String
       SecurityConfiguration:
         EncryptionConfiguration:
           EnableInTransitEncryption: true
           EnableAtRestEncryption: true
           AtRestEncryptionConfiguration:
             LocalDiskEncryptionConfiguration:
                 EnableEbsEncryption: true
                 EncryptionKeyProviderType: AwsKms
                 AwsKmsKey: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
```

```yaml
Resources:
  EMRSecurityConfiguration01:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
       Name: String
       SecurityConfiguration:
         EncryptionConfiguration:
           AtRestEncryptionConfiguration:
             LocalDiskEncryptionConfiguration:
                 EnableEbsEncryption: true
                 EncryptionKeyProviderType: AwsKms
                 AwsKmsKey: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
```

```yaml
Resources:
  EMRSecurityConfiguration02:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
       Name: String
       SecurityConfiguration:
         EncryptionConfiguration:
           EnableInTransitEncryption: true
           EnableAtRestEncryption: true
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
Resources:
  EMRSecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
       Name: String
       SecurityConfiguration:
         EncryptionConfiguration:
           EnableInTransitEncryption: false
           EnableAtRestEncryption: false
           AtRestEncryptionConfiguration:
             LocalDiskEncryptionConfiguration:
                 EnableEbsEncryption: true
                 EncryptionKeyProviderType: AwsKms
                 AwsKmsKey: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
```

```yaml
Resources:
  EMRSecurityConfiguration01:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
       Name: String
       SecurityConfiguration:
         EncryptionConfiguration:
           AtRestEncryptionConfiguration:
             LocalDiskEncryptionConfiguration:
                 EnableEbsEncryption: false
```

```yaml
Resources:
  EMRSecurityConfiguration03:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
       Name: String
       SecurityConfiguration:
         EncryptionConfiguration:
           EnableInTransitEncryption: false
           EnableAtRestEncryption: false
```