Security - Real-Time Analytics with Spark Streaming

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. For more information about security on AWS, visit the AWS Security Center.

Security Groups

The security groups created in this solution are designed to control and isolate network traffic between the Kinesis sample data producer, the Amazon EMR cluster and the bastion host. We recommend that you review the security groups and further restrict access as needed once the deployment is up and running.

Security at Rest for Amazon EMR

Security configurations are Amazon EMR templates that can be used to configure data encryption, Kerberos authentication, and Amazon Simple Storage Service (Amazon S3) authorization for EMRFS. The solution creates a security configuration that enables:

  • At-rest encryption for EMRFS data in Amazon S3 with Amazon S3-managed encryption keys (SSE-S3)

  • At-rest encryption for local disks (Amazon Elastic Block Store root device and storage volumes) with an AWS Key Management Service customer master key (CMK)

However, the solution-created configuration does not enable in-transit encryption because this setting requires either a PEM file or a custom certificate-provider JAR file. You can use a trusted certification authority (CA) to issue certificates. For information about security certificates, see Providing Certificates for Encrypting Data in Transit with Amazon EMR Encryption in the Amazon EMR Management Guide.
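The following added example (not code from the solution) audits a security configuration of the kind described above and shows the change that enables in-transit encryption with a PEM archive. The key names follow the Amazon EMR security configuration JSON format; the KMS key ARN and S3 location are placeholders, and the function names `audit` and `with_pem_in_transit` are hypothetical.

```python
import copy

# Constructed sample of what the page says the solution enables; the KMS ARN is a placeholder.
SOLUTION_LIKE_CONFIG = {
    "EncryptionConfiguration": {
        "EnableAtRestEncryption": True,
        "EnableInTransitEncryption": False,
        "AtRestEncryptionConfiguration": {
            "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"},
            "LocalDiskEncryptionConfiguration": {
                "EncryptionKeyProviderType": "AwsKms",
                "AwsKmsKey": "arn:aws:kms:REGION:ACCOUNT_ID:key/PLACEHOLDER",
                "EnableEbsEncryption": True,
            },
        },
    }
}


def audit(config):
    """Return the encryption gaps found in a security configuration dict."""
    enc = config.get("EncryptionConfiguration", {})
    at_rest = enc.get("AtRestEncryptionConfiguration", {})
    tls = enc.get("InTransitEncryptionConfiguration", {}).get("TLSCertificateConfiguration", {})
    gaps = []
    if not enc.get("EnableAtRestEncryption"):
        gaps.append("at-rest encryption disabled")
    else:
        for key, label in (("S3EncryptionConfiguration", "EMRFS (S3)"),
                           ("LocalDiskEncryptionConfiguration", "local disk")):
            if key not in at_rest:
                gaps.append(f"no {label} encryption")
    if not enc.get("EnableInTransitEncryption"):
        gaps.append("in-transit encryption disabled")
    elif tls.get("CertificateProviderType") not in ("PEM", "Custom"):
        gaps.append("in-transit enabled without a certificate provider")
    return gaps


def with_pem_in_transit(config, pem_zip_s3_uri):
    """Return a copy with in-transit encryption enabled from a PEM zip in S3."""
    new = copy.deepcopy(config)
    enc = new["EncryptionConfiguration"]
    enc["EnableInTransitEncryption"] = True
    enc["InTransitEncryptionConfiguration"] = {"TLSCertificateConfiguration": {
        "CertificateProviderType": "PEM", "S3Object": pem_zip_s3_uri}}
    return new


if __name__ == "__main__":
    print(audit(SOLUTION_LIKE_CONFIG))  # reports the in-transit gap
```

The dictionary returned by `with_pem_in_transit` can be serialized to JSON and used as the body of a new security configuration once the certificate archive is in place.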