Control: EMR cluster local disks should be encrypted with CMK
Description
Ensure EMR cluster local disk are encrypted using CMK. This control fails if an EMR cluster local disk isn't encrypted with CMK.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.emr_cluster_local_disk_encrypted_with_cmkSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.emr_cluster_local_disk_encrypted_with_cmk --shareSQL
This control uses a named query:
select cluster_arn as resource, case when s.name is null then 'alarm' when (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') is null then 'alarm' when s.name is not null and (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') is not null and (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration' ->> 'EncryptionKeyProviderType') = 'Custom' then 'ok' else 'alarm' end as status, case when s.name is null then c.title || ' security configuration disabled.' when (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') is null then c.title || ' local disk not encrypted.' when s.name is not null and (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') is not null and (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration' ->> 'EncryptionKeyProviderType') = 'Custom' then c.title || ' local disk encrypted with CMK.' else c.title || ' local disk not encrypted with CMK.' end as reason , c.region, c.account_idfrom aws_emr_cluster as c left join aws_emr_security_configuration as s on c.security_configuration = s.name and s.region = s.region and s.account_id = c.account_id;