turbot/aws_compliance

Query: emr_cluster_encryption_at_rest_with_cse_cmk

Usage

powerpipe query aws_compliance.query.emr_cluster_encryption_at_rest_with_cse_cmk

SQL

select
cluster_arn as resource,
case
when s.name is null then 'alarm'
when not (encryption_configuration -> 'EnableAtRestEncryption')::bool then 'alarm'
when (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'CSE-Custom' then 'ok'
else 'alarm'
end as status,
case
when s.name is null then c.title || ' security configuration disabled.'
when not (encryption_configuration -> 'EnableAtRestEncryption')::bool then c.title || ' encryption at rest disabled.'
when (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'CSE-Custom' then c.title || ' encryption at rest enabled with CSE-CMK.'
else c.title || ' encryption at rest not enabled with CSE-CMK.'
end as reason
, c.region, c.account_id
from
aws_emr_cluster as c
left join aws_emr_security_configuration as s on c.security_configuration = s.name and s.region = s.region and s.account_id = c.account_id;

Controls

The query is being used by the following controls: