Enable data disk encryption for EMR on ECS clusters to protect both data in transit and data at rest without building or maintaining a key management infrastructure. This feature is designed for workloads with security compliance requirements.
Encryption cannot be disabled after it is enabled. Enable this feature only when it is necessary.
Prerequisites
Before you begin, ensure that you have:
- Key Management Service (KMS) activated
- A customer master key (CMK) created in KMS
For setup instructions, see Purchase a dedicated KMS instance and Create a CMK.
Limitations
| Limitation | Details |
|---|---|
| Supported disk types | Enhanced SSD, standard SSD, and ultra disk. Local disks cannot be encrypted. |
| Timing | Encryption can only be enabled at cluster creation time. It cannot be enabled for an existing cluster. |
Enable data disk encryption
1. Log on to the EMR on ECS console.
2. In the top navigation bar, select a region and a resource group.
   The region cannot be changed after the cluster is created. All resource groups in your account are displayed by default.
3. Click Create Cluster.
4. In the Basic Configuration step, click the icon in the Advanced Settings section.
5. Turn on Data Disk Encryption and select a key from the drop-down list.
6. Complete the remaining cluster configuration and confirm the order. For details on all configuration options, see Create a cluster.
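Because encryption cannot be toggled after creation, a practitioner will want to confirm that every cloud data disk behind the new cluster actually reports the expected CMK. The following added example (not part of this documentation and not an EMR or ECS SDK feature) checks a constructed response shaped like the ECS DescribeDisks API output; the field names and local-disk category names are assumptions.

```python
"""Post-creation check: every cloud data disk attached to the cluster's ECS
instances should report Encrypted=true with the expected CMK.

Assumptions (not taken from the EMR documentation): the input is the JSON body
returned by the ECS DescribeDisks API, whose disk records carry the fields
Disks.Disk[].DiskId, Type ("system"/"data"), Category, Encrypted and KMSKeyId.
Local-disk categories are skipped because local disks cannot be encrypted.
"""
import json

# Assumed local-disk category names; these disks cannot be encrypted.
LOCAL_DISK_CATEGORIES = {"ephemeral_ssd", "local_ssd_pro", "local_hdd_pro"}


def find_noncompliant_disks(describe_disks_json: str, expected_key_id: str) -> list:
    """Return findings for data disks that are not encrypted with expected_key_id."""
    findings = []
    for disk in json.loads(describe_disks_json)["Disks"]["Disk"]:
        if disk.get("Type") != "data":
            continue  # system disks are out of scope for data disk encryption
        if disk.get("Category") in LOCAL_DISK_CATEGORIES:
            continue  # local disks cannot be encrypted, so nothing to check
        if not disk.get("Encrypted", False):
            findings.append({"DiskId": disk["DiskId"], "reason": "not encrypted"})
        elif disk.get("KMSKeyId") != expected_key_id:
            findings.append({"DiskId": disk["DiskId"], "reason": "unexpected key"})
    return findings


# Constructed sample response (not real cluster data).
SAMPLE_RESPONSE = json.dumps({"Disks": {"Disk": [
    {"DiskId": "d-sys01", "Type": "system", "Category": "cloud_essd", "Encrypted": False, "KMSKeyId": ""},
    {"DiskId": "d-data01", "Type": "data", "Category": "cloud_essd", "Encrypted": True, "KMSKeyId": "key-EXAMPLE"},
    {"DiskId": "d-data02", "Type": "data", "Category": "cloud_ssd", "Encrypted": False, "KMSKeyId": ""},
    {"DiskId": "d-data03", "Type": "data", "Category": "cloud_essd", "Encrypted": True, "KMSKeyId": "key-OTHER"},
    {"DiskId": "d-local01", "Type": "data", "Category": "ephemeral_ssd", "Encrypted": False, "KMSKeyId": ""},
]}})

if __name__ == "__main__":
    for finding in find_noncompliant_disks(SAMPLE_RESPONSE, "key-EXAMPLE"):
        print(f"{finding['DiskId']}: {finding['reason']}")
```

On the constructed sample, the check flags d-data02 (unencrypted) and d-data03 (encrypted with a different key) and ignores the system disk and the local disk.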
What's next
- Encryption overview — learn how data disk encryption works, including the envelope encryption model used by KMS.