System disk encryption protects the operating system, program files, and other system-related data on an E-MapReduce (EMR) cluster's system disk. If your business has security compliance requirements, enable this feature to safeguard data privacy and security without building or maintaining a key management infrastructure.
System disk encryption cannot be disabled after it is enabled. Enable this feature only when your use case requires it.
Prerequisites
Before you begin, ensure that you have:
Key Management Service (KMS) activated. See Purchase a dedicated KMS instance.
A customer master key (CMK) created. See Create a CMK.
Limitations
| Constraint | Details |
|---|---|
| Supported disk types | Enterprise SSDs (ESSDs), standard SSDs, and ultra disks. Local disks cannot be encrypted. |
| Timing | Encryption can only be enabled at cluster creation time. You cannot enable it on an existing cluster. |
Enable system disk encryption
Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
On the EMR on ECS page, click Create Cluster.
In the Basic Configuration step, click the
icon in the Advanced Settings section.Turn on System Disk Encryption and select a CMK from the drop-down list.
Complete the remaining cluster configuration — software and hardware settings, basic information, and order confirmation. For details, see Create a cluster.