For more information, see Specifying a Custom AMI (p. 94) and Creating a Custom AMI with an Encrypted Amazon EBS Root Device Volume (p. 97).

Creating a Custom AMI with an Encrypted Amazon EBS Root Device Volume

To encrypt the Amazon EBS root device volume of an Amazon Linux AMI for Amazon EMR, copy a snapshot image from an unencrypted AMI to an encrypted target. For information about creating encrypted EBS volumes, see Amazon EBS encryption in the Amazon EC2 User Guide for Linux Instances. The source AMI for the snapshot can be the base Amazon Linux AMI, or you can copy a snapshot from an AMI derived from the base Amazon Linux AMI that you customized.

Note
Beginning with Amazon EMR version 5.24.0, you can use a security configuration option to encrypt EBS root device and storage volumes when you specify AWS KMS as your key provider. For more information, see Local Disk Encryption (p. 166).

You can use an external key provider or an AWS customer master key (CMK) to encrypt the EBS root volume. The service role that Amazon EMR uses (usually the default EMR_DefaultRole) must be allowed to encrypt and decrypt the volume, at minimum, for Amazon EMR to create a cluster using the AMI. When using AWS KMS as the key provider, this means that the following actions must be allowed:

  • kms:encrypt
  • kms:decrypt
  • kms:ReEncrypt*
  • kms:CreateGrant
  • kms:GenerateDataKeyWithoutPlaintext
  • kms:DescribeKey

The easiest way to do this is to add the role as a key user as described in the following tutorial. The following example policy statement is provided if you need to customize role policies.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EmrDiskEncryptionPolicy",
          "Effect": "Allow",
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:CreateGrant",
            "kms:GenerateDataKeyWithoutPlaintext",
            "kms:DescribeKey"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
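As an added example that is not part of the guide, the following Python checks whether a KMS key policy document grants EMR_DefaultRole every action in the list above, which is a quick way to verify a key before building the AMI. The policy statements and the account ID in the role ARN are constructed, in the shape the console writes when you add a role as a key user.

```python
import fnmatch
import json

# Actions the guide lists as the minimum the EMR service role needs.
REQUIRED_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:CreateGrant",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _aws_principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []

def missing_actions(key_policy, role_arn):
    """Return the required actions that no Allow statement grants to role_arn.
    Only Allow statements are examined; Deny statements and Conditions are
    ignored, so an empty result is necessary, not sufficient, for success."""
    policy = json.loads(key_policy) if isinstance(key_policy, str) else key_policy
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        principals = _aws_principals(stmt)
        if stmt.get("Effect") != "Allow" or not (
                "*" in principals or role_arn in principals):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and '*' is a wildcard.
            granted.update(a for a in REQUIRED_ACTIONS
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return [a for a in REQUIRED_ACTIONS if a not in granted]

# Constructed key-policy statements in the shape the console writes for key users.
ROLE = "arn:aws:iam::111122223333:role/EMR_DefaultRole"  # placeholder account id
KEY_USER_STATEMENTS = [
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": ROLE}, "Resource": "*",
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]},
]
COMPLETE_POLICY = {"Version": "2012-10-17", "Statement": KEY_USER_STATEMENTS}
# The same policy without the grant statement falls short of the guide's minimum.
NO_GRANT_POLICY = {"Version": "2012-10-17", "Statement": KEY_USER_STATEMENTS[:1]}
```

Running missing_actions(NO_GRANT_POLICY, ROLE) reports kms:CreateGrant as missing, while the complete policy reports nothing missing.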
Amazon EMR Management Guide
Specifying the Amazon EBS Root Device Volume Size

Tutorial: Creating a Custom AMI with an Encrypted Root Device Volume Using a KMS CMK

The first step in this example is to find the ARN of a KMS CMK or create a new one. For more information about creating keys, see Creating Keys in the AWS Key Management Service Developer Guide. The following procedure shows you how to add the default service role, EMR_DefaultRole, as a key user to the key policy. Write down the ARN value for the key as you create or edit it. You use the ARN later, when you create the AMI.

To add the service role for Amazon EC2 to the list of encryption key users using the console

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at .
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. Choose the alias of the CMK to use.
4. On the key details page under Key Users, choose Add.
