You can use the AWS Management Console to add the EMR service role to the list of key users for the specified AWS KMS CMK, or you can use the AWS CLI or an AWS SDK to attach an appropriate key policy.

The procedure below describes how to add the default EMR service role, EMR_DefaultRole, as a key user using the AWS Management Console. It assumes that you have already created a CMK. To create a new CMK, see Creating Keys in the AWS Key Management Service Developer Guide.

To add the EMR service role to the list of encryption key users

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at .
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. Select the alias of the CMK to modify.
4. On the key details page under Key Users, choose Add.
5. In the Add key users dialog box, select the appropriate role. The name of the default EMR service role is EMR_DefaultRole.
6. Choose Add.

Creating a Custom Key Provider

When using a security configuration, you must specify a different provider class name for local disk encryption and Amazon S3 encryption.

When you create a custom key provider, the application is expected to implement the EncryptionMaterialsProvider interface, which is available in the AWS SDK for Java version 1.11.0 and later. The implementation can use any strategy to provide encryption materials. You may, for example, choose to provide static encryption materials or integrate with a more complex key management system.
Amazon EMR Management Guide
Encrypt Data at Rest and in Transit

The encryption algorithm used for custom encryption materials must be AES/GCM/NoPadding.

The EncryptionMaterialsProvider class gets encryption materials by encryption context. Amazon EMR populates encryption context information at runtime to help the caller determine the correct encryption materials to return.

Example: Using a Custom Key Provider for Amazon S3 Encryption with EMRFS

When Amazon EMR fetches the encryption materials from the EncryptionMaterialsProvider class to perform encryption, EMRFS optionally populates the materialsDescription argument with two fields: the Amazon S3 URI for the object and the JobFlowId of the cluster, which can be used by the EncryptionMaterialsProvider class to return encryption materials selectively.

For example, the provider may return different keys for different Amazon S3 URI prefixes. It is the description of the returned encryption materials that is eventually stored with the Amazon S3 object rather than the materialsDescription value that is generated by EMRFS and passed to the provider. While decrypting an Amazon S3 object, the encryption materials description is passed to the EncryptionMaterialsProvider class, so that it can, again, selectively return the matching key to decrypt the object.
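
The prefix-based key selection described above, as an added example that is not code from the AWS guide. S3_URI_FIELD is a placeholder because the page does not give the field name EMRFS uses; the class name, KEY_ID_FIELD and the constructor-supplied key maps are assumptions made for illustration.

```java
import com.amazonaws.services.s3.model.EncryptionMaterials;
import com.amazonaws.services.s3.model.EncryptionMaterialsProvider;
import javax.crypto.SecretKey;
import java.util.Map;

public class PrefixKeyProvider implements EncryptionMaterialsProvider {
    // Placeholder: the page does not name the field EMRFS uses for the S3 URI.
    static final String S3_URI_FIELD = "S3_URI_FIELD_PLACEHOLDER";
    // Hypothetical description field that this provider stores with each object.
    static final String KEY_ID_FIELD = "example-key-id";

    private final Map<String, String> keyIdByPrefix; // S3 URI prefix -> key id
    private final Map<String, SecretKey> keyById;    // key id -> AES key
    private final String defaultKeyId;

    public PrefixKeyProvider(Map<String, String> keyIdByPrefix,
                             Map<String, SecretKey> keyById, String defaultKeyId) {
        for (SecretKey k : keyById.values()) {
            // Custom materials are used with AES/GCM/NoPadding, so reject other key types.
            if (!"AES".equals(k.getAlgorithm()))
                throw new IllegalArgumentException("materials must be AES keys");
        }
        if (!keyById.containsKey(defaultKeyId)
                || !keyById.keySet().containsAll(keyIdByPrefix.values()))
            throw new IllegalArgumentException("a configured key id has no key");
        this.keyIdByPrefix = keyIdByPrefix;
        this.keyById = keyById;
        this.defaultKeyId = defaultKeyId;
    }

    @Override
    public EncryptionMaterials getEncryptionMaterials(Map<String, String> desc) {
        if (desc == null) return getEncryptionMaterials();
        // Decrypt path: the description stored with the object names the key.
        // An unknown id returns null instead of silently trying the default key.
        String storedId = desc.get(KEY_ID_FIELD);
        if (storedId != null) return materialsFor(storedId);
        // Encrypt path: the longest matching S3 URI prefix selects the key.
        String uri = desc.get(S3_URI_FIELD);
        String chosen = defaultKeyId;
        int best = -1;
        for (Map.Entry<String, String> e : keyIdByPrefix.entrySet()) {
            if (uri != null && uri.startsWith(e.getKey()) && e.getKey().length() > best) {
                chosen = e.getValue();
                best = e.getKey().length();
            }
        }
        return materialsFor(chosen);
    }

    @Override public EncryptionMaterials getEncryptionMaterials() { return materialsFor(defaultKeyId); }
    @Override public void refresh() { } // keys are fixed at construction; nothing to reload

    private EncryptionMaterials materialsFor(String keyId) {
        SecretKey key = keyById.get(keyId);
        // The returned description is what ends up stored with the S3 object.
        return key == null ? null : new EncryptionMaterials(key).addDescription(KEY_ID_FIELD, keyId);
    }
}
```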