Amazon EMR
Amazon EMR Release Guide

Enabling Data Encryption with Amazon EMR

You have two ways to enable encryption and specify options in Amazon EMR. The preferred method is to use security configurations, which are available beginning with Amazon EMR version 4.8.0 and later, or you can use a cluster configuration to specify Amazon S3 encryption with EMR File System (EMRFS). For information about using security configurations, see Specifying Encryption Options Using a Security Configuration.


We recommend against specifying Amazon S3 encryption options individually with a cluster configuration. Using security configurations simplifies setup, allows you to reuse security configurations, and provides additional encryption options. If you configure Amazon S3 encryption using both a cluster configuration and a security configuration, the security configuration overrides the cluster configuration.

Before you specify encryption options, decide on the provider you want to use for keys and encryption artifacts (for example, AWS KMS or a custom provider that you create) and create the keys or key provider as required.