AWS CloudFormation
User Guide (API Version 2010-05-15)


The AWS::EMR::SecurityConfiguration resource creates a security configuration that is stored in the Amazon EMR web service. You can specify the security configuration when creating a cluster. For more information, see Specifying Amazon EMR Encryption Options Using a Security Configuration in the Amazon EMR Release Guide.


To declare this entity in your AWS CloudFormation template, use the following syntax:


JSON

{
  "Type" : "AWS::EMR::SecurityConfiguration",
  "Properties" : {
    "Name" : String,
    "SecurityConfiguration" : String
  }
}


YAML

Type: AWS::EMR::SecurityConfiguration
Properties:
  Name: String
  SecurityConfiguration: String


For more information about each property, including constraints and valid values, see CreateSecurityConfiguration in the Amazon EMR API Reference.


Name

The name of the security configuration. For a list of valid parameters for encryption settings, see AWS CLI Security Configuration JSON Reference in the Amazon EMR Release Guide.

Required: No

Type: String

Update requires: Replacement


SecurityConfiguration

The security configuration details in JSON format.

Required: Yes

Type: String

Update requires: Replacement

Return Values


When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the security configuration name, such as mySecurityConfiguration.

For more information about using the Ref function, see Ref.


The following example enables both in-transit data encryption and local disk encryption, as well as specifying Kerberos attributes. For additional encryption configuration examples, see Creating a Security Configuration Using the AWS CLI in the Amazon EMR Release Guide.


JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "securityConfiguration": {
      "Type": "AWS::EMR::SecurityConfiguration",
      "Properties": {
        "SecurityConfiguration": {
          "EncryptionConfiguration": {
            "EnableInTransitEncryption": true,
            "EnableAtRestEncryption": true,
            "InTransitEncryptionConfiguration": {
              "TLSCertificateConfiguration": {
                "CertificateProviderType": "PEM",
                "S3Object": "arn:aws:s3:::MyConfigStore/artifacts/"
              }
            },
            "AtRestEncryptionConfiguration": {
              "S3EncryptionConfiguration": {
                "EncryptionMode": "SSE-KMS",
                "AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
              },
              "LocalDiskEncryptionConfiguration": {
                "EncryptionKeyProviderType": "AwsKms",
                "AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
              }
            }
          },
          "AuthenticationConfiguration": {
            "KerberosConfiguration": {
              "Provider": "ClusterDedicatedKdc",
              "ClusterDedicatedKdcConfiguration": {
                "TicketLifetimeInHours": 24,
                "CrossRealmTrustConfiguration": {
                  "Realm": "AD.DOMAIN.COM",
                  "Domain": "",
                  "AdminServer": "",
                  "KdcServer": ""
                }
              }
            }
          }
        }
      }
    }
  }
}


YAML

AWSTemplateFormatVersion: 2010-09-09
Resources:
  securityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: true
          EnableAtRestEncryption: true
          InTransitEncryptionConfiguration:
            TLSCertificateConfiguration:
              CertificateProviderType: PEM
              S3Object: 'arn:aws:s3:::MyConfigStore/artifacts/'
          AtRestEncryptionConfiguration:
            S3EncryptionConfiguration:
              EncryptionMode: SSE-KMS
              AwsKmsKey: >-
                arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
            LocalDiskEncryptionConfiguration:
              EncryptionKeyProviderType: AwsKms
              AwsKmsKey: >-
                arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
        AuthenticationConfiguration:
          KerberosConfiguration:
            Provider: ClusterDedicatedKdc
            ClusterDedicatedKdcConfiguration:
              TicketLifetimeInHours: 24
              CrossRealmTrustConfiguration:
                Realm: AD.DOMAIN.COM
                Domain:
                AdminServer:
                KdcServer:
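
The following pre-deployment check is an added example, not part of the AWS documentation: it scans a parsed CloudFormation template for AWS::EMR::SecurityConfiguration resources and reports any that leave out the encryption settings the example above enables. The names audit_emr_security_configs, _section and SAMPLE_TEMPLATE are hypothetical, the sample template is constructed, and expecting both at-rest sections is an assumed policy rather than a service requirement.

```python
import json

# Constructed sample: shaped like the page's example, but passed as a JSON string
# with in-transit encryption off and no local disk encryption section.
SAMPLE_TEMPLATE = {"Resources": {"weakConfig": {
    "Type": "AWS::EMR::SecurityConfiguration",
    "Properties": {"SecurityConfiguration": json.dumps({
        "EncryptionConfiguration": {
            "EnableInTransitEncryption": False,
            "EnableAtRestEncryption": True,
            "AtRestEncryptionConfiguration": {
                "S3EncryptionConfiguration": {"EncryptionMode": "SSE-KMS"}},
        }})},
}}}


def _section(parent, key):
    """Return parent[key] if it is a dict, else an empty dict."""
    value = parent.get(key) if isinstance(parent, dict) else None
    return value if isinstance(value, dict) else {}


def audit_emr_security_configs(template):
    """Return (logical_id, finding) pairs for AWS::EMR::SecurityConfiguration resources."""
    findings = []
    for logical_id, res in _section(template, "Resources").items():
        if not isinstance(res, dict) or res.get("Type") != "AWS::EMR::SecurityConfiguration":
            continue
        conf = _section(res, "Properties").get("SecurityConfiguration")
        if isinstance(conf, str):  # the property may hold the JSON as a string
            try:
                conf = json.loads(conf)
            except ValueError:
                conf = None
        if not isinstance(conf, dict):
            findings.append((logical_id, "SecurityConfiguration missing or not valid JSON"))
            continue
        enc = _section(conf, "EncryptionConfiguration")
        if enc.get("EnableInTransitEncryption") is not True:
            findings.append((logical_id, "in-transit encryption not enabled"))
        elif not _section(_section(enc, "InTransitEncryptionConfiguration"),
                          "TLSCertificateConfiguration"):
            findings.append((logical_id, "no TLSCertificateConfiguration"))
        if enc.get("EnableAtRestEncryption") is not True:
            findings.append((logical_id, "at-rest encryption not enabled"))
            continue
        at_rest = _section(enc, "AtRestEncryptionConfiguration")
        # Assumed policy: expect both at-rest sections the page's example sets.
        for name in ("S3EncryptionConfiguration", "LocalDiskEncryptionConfiguration"):
            if not _section(at_rest, name):
                findings.append((logical_id, f"no {name}"))
    return findings
```

The check accepts the SecurityConfiguration property either as a JSON string or as an inline object, since templates in the wild use both forms.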