AWS Security Hub · EMR
EMR.4: EMR security configs should encrypt in transit
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub EMR.4 check?
EMR.4 checks whether an EMR security configuration (`AWS::EMR::SecurityConfiguration`) enables encryption in transit. It's change-triggered and reports FAILED when a security configuration exists with in-transit encryption disabled — even if no cluster is currently using that configuration.
Why does EMR.4 matter?
EMR frameworks constantly shuffle data between cluster nodes and between the cluster and the applications talking to it, and by default that traffic moves in clear text across your VPC. In-transit encryption (node-to-node and application TLS) is separate from at-rest, so a cluster can have fully encrypted disks and still expose its shuffle traffic on the wire. It maps to NIST SC-8 (transmission confidentiality) and SC-13.
How do I fix EMR.4?
- Confirm which security configuration is failing and what it's missing.
- Prepare TLS certificates and create a new compliant security configuration (configurations are immutable).
- Cut new clusters over to the compliant configuration and retire the old ones.
- Add a guardrail so non-compliant configurations can't return.
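The first two steps above, as an added example (not Emnode's or AWS's own code): it evaluates a security-configuration document the way EMR.4 does, builds a compliant replacement, and, when boto3 is available, lists the failing configurations in the account. The certificate bundle URI, the new configuration name and the sample document are assumptions.

```python
"""EMR.4 helper: audit EMR security configurations for in-transit encryption."""
import json


def in_transit_enabled(security_configuration: str) -> bool:
    """True when the JSON document (as returned by describe-security-configuration)
    turns on in-transit encryption and names a TLS certificate provider."""
    cfg = json.loads(security_configuration)
    enc = cfg.get("EncryptionConfiguration", {})
    if enc.get("EnableInTransitEncryption") is not True:
        return False  # this is the condition EMR.4 reports as FAILED
    tls = enc.get("InTransitEncryptionConfiguration", {}).get(
        "TLSCertificateConfiguration", {})
    return tls.get("CertificateProviderType") in ("PEM", "Custom")


def compliant_config(cert_zip_s3_uri: str) -> str:
    """Build a configuration that enables in-transit encryption with a PEM
    certificate bundle (zip of private key, cert, chain) stored in S3.
    At-rest encryption is out of EMR.4's scope, so it is left off here."""
    doc = {"EncryptionConfiguration": {
        "EnableInTransitEncryption": True,
        "EnableAtRestEncryption": False,
        "InTransitEncryptionConfiguration": {"TLSCertificateConfiguration": {
            "CertificateProviderType": "PEM",
            "S3Object": cert_zip_s3_uri}}}}
    return json.dumps(doc)


def audit_and_create(cert_zip_s3_uri: str, new_name: str = "emr-tls-in-transit"):
    """Return the names of non-compliant configurations; if any exist, create
    a compliant one (existing configurations are immutable). Needs boto3."""
    import boto3  # imported lazily so the pure checks above run without it
    emr = boto3.client("emr")
    failing = []
    for page in emr.get_paginator("list_security_configurations").paginate():
        for sc in page["SecurityConfigurations"]:
            doc = emr.describe_security_configuration(Name=sc["Name"])
            if not in_transit_enabled(doc["SecurityConfiguration"]):
                failing.append(sc["Name"])
    if failing:
        emr.create_security_configuration(
            Name=new_name, SecurityConfiguration=compliant_config(cert_zip_s3_uri))
    return failing


# Constructed sample: at-rest encryption on, in-transit off -> EMR.4 FAILED.
NONCOMPLIANT = json.dumps({"EncryptionConfiguration": {
    "EnableInTransitEncryption": False, "EnableAtRestEncryption": True,
    "AtRestEncryptionConfiguration": {"S3EncryptionConfiguration": {
        "EncryptionMode": "SSE-S3"}}}})

if __name__ == "__main__":
    print(in_transit_enabled(NONCOMPLIANT))  # False
    print(in_transit_enabled(compliant_config("s3://example-bucket/emr-certs.zip")))  # True
```

After creating the new configuration, point new clusters at it with `--security-configuration emr-tls-in-transit` (step 3) and delete the old one once nothing references it.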
Remediation script · bash
# Inventory the stores that may still accept plaintext connections: list RDS
# instances (check rds.force_ssl on each) and ElastiCache groups with TLS off.
aws rds describe-db-instances \
--query 'DBInstances[].DBInstanceIdentifier' --output text
aws elasticache describe-replication-groups \
--query 'ReplicationGroups[?TransitEncryptionEnabled==`false`].ReplicationGroupId' \
--output text
# RDS for PostgreSQL: require TLS via rds.force_ssl (static parameter -> needs a reboot).
PG=$(aws rds describe-db-instances --db-instance-identifier prod-orders-pg \
--query 'DBInstances[].DBParameterGroups[].DBParameterGroupName' --output text)
aws rds modify-db-parameter-group --db-parameter-group-name "$PG" \
--parameters 'ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot'
aws rds reboot-db-instance --db-instance-identifier prod-orders-pg
# Redshift: set require_ssl on a custom cluster parameter group, then reboot.
aws redshift modify-cluster-parameter-group --parameter-group-name analytics-tls \
--parameters ParameterName=require_ssl,ParameterValue=true
aws redshift reboot-cluster --cluster-identifier analytics-prod
Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on database and cache connections.