turbot/aws_compliance

Query: emr_cluster_local_disk_encrypted_with_cmk

Usage

powerpipe query aws_compliance.query.emr_cluster_local_disk_encrypted_with_cmk

SQL

select
cluster_arn as resource,
case
when s.name is null then 'alarm'
when (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') is null then 'alarm'
when s.name is not null
and (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') is not null
and (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration' ->> 'EncryptionKeyProviderType') = 'Custom' then 'ok'
else 'alarm'
end as status,
case
when s.name is null then c.title || ' security configuration disabled.'
when (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') is null then c.title || ' local disk not encrypted.'
when s.name is not null
and (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') is not null
and (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration' ->> 'EncryptionKeyProviderType') = 'Custom' then c.title || ' local disk encrypted with CMK.'
else c.title || ' local disk not encrypted with CMK.'
end as reason
, c.region, c.account_id
from
aws_emr_cluster as c
left join aws_emr_security_configuration as s on c.security_configuration = s.name and s.region = s.region and s.account_id = c.account_id;

Controls

The query is being used by the following controls: