With Amazon EMR, you should utilize a safety configuration to specify settings for encrypting information in transit. When in-transit encryption is configured, you may allow application-specific encryption options, for instance:
- Hadoop HDFS NameNode or DataNode consumer interfaces use HTTPS
- Hadoop MapReduce encrypted shuffle makes use of Transport Layer Safety (TLS)
- Presto nodes inner communication makes use of SSL/TLS (Amazon EMR model 5.6.0 and later solely)
- Spark part inner RPC communication, such because the block switch service and the exterior shuffle service, is encrypted utilizing the AES-256 cipher in Amazon EMR variations 5.9.0 and later
- HTTP protocol communication with consumer interfaces akin to Spark Historical past Server and HTTPS-enabled file servers is encrypted utilizing Spark’s SSL configuration
The safety configuration of Amazon EMR means that you can arrange TLS certificates to encrypt information in transit. A safety configuration supplies the next choices to specify TLS certificates:
- As a path to a .zip file in an Amazon Easy Storage Service (Amazon S3) bucket that incorporates all certificates
- Via a customized certificates supplier as a Java class
In lots of instances, firm safety insurance policies prohibit storing any sort of delicate data in an S3 bucket, together with certificates non-public keys. For that purpose, the one remaining choice to safe information in transit on Amazon EMR is to configure the customized certificates supplier.
On this publish, I information you thru the configuration course of and supply Java code samples to safe information in transit on Amazon EMR by storing TLS customized certificates utilizing AWS Secrets and techniques Supervisor.
Secrets and techniques Supervisor helps you defend secrets and techniques wanted to entry your purposes, providers, and IT assets. The service lets you simply rotate, handle, and retrieve database credentials, API keys, and different secrets and techniques all through their lifecycle. Customers and purposes retrieve secrets and techniques with a name to Secrets and techniques Supervisor APIs, eliminating the necessity to hardcode delicate data in plain textual content.
Answer overview
The next diagram illustrates the answer structure.
Throughout an EMR cluster begin, if a customized certificates supplier is configured for in-transit encryption, the supplier is named to get the certificates. A customized certificates supplier is a Java class that implements the TLSArtifactsProvider interface.
To make this answer work, you want a safe place to retailer certificates that may also be accessed by Java code. This publish makes use of Secrets and techniques Supervisor, which supplies a mechanism for managing certificates, and encrypts them utilizing AWS Key Administration Service (AWS KMS) keys.
To implement this answer, you full the next high-level steps:
- Create a certificates.
- Retailer your certificates to Secrets and techniques Supervisor.
- Create a secret for a non-public key.
- Create a secret for a public key.
- Implement
TLSArtifactsProvider. - Create the Amazon EMR safety configuration.
- Modify the Amazon Elastic Compute Cloud (Amazon EC2) occasion profile position to get the certificates from Secrets and techniques Supervisor.
- Begin the Amazon EMR cluster.
Create a certificates
For demonstration functions, this publish makes use of OpenSSL to create a self-signed certificates. See the next code:
This command creates a self-signed, 4096-bit certificates. For manufacturing methods, we advocate utilizing a trusted certificates authority (CA) to concern certificates.
The command above has the next parameters:
- keyout – The output file by which to retailer the non-public key.
- out – The output file by which to retailer the certificates.
- days – The variety of days for which to certify the certificates.
- subj – The topic identify for a brand new request. The frequent identify (CN) should match the area identify laid out in DHCP that’s assigned to the digital non-public cloud (VPC). The default is
ec2.inner. The * prefix is the wildcard certificates. - nodes – Means that you can create a non-public key and not using a password, which is with out encryption.
The output of OpenSSL features a pair of keys—one non-public and one public:
- privateKey.pem – SSL non-public key certificates
- certificateChain.pem – SSL public key certificates
Retailer your certificates to Secrets and techniques Supervisor
On this part, we stroll by the steps to create secrets and techniques for a non-public key and a public key.
Create a secret for a non-public key
To create a secret for a non-public key, full the next steps:
- On the Secrets and techniques Supervisor console, select Retailer a brand new secret.
- For the key sort, choose Different sort of secrets and techniques.
- On the Plaintext tab within the Key/worth pairs part, copy the content material from
privateKey.pem.
- For Encryption key, select DefaultEncryptionKey.
- Select Subsequent.
- For Secret identify, enter
emrprivate. - For Useful resource permissions, optionally add or edit a useful resource coverage to entry secrets and techniques throughout AWS accounts. For extra data, consult with Permissions coverage examples.
- Select Subsequent.
- Select Retailer.
Create a secret for a public key
To create a secret for a public key, full the next steps:
- On the Secrets and techniques Supervisor console, select Retailer a brand new secret.
- For the key sort, choose Different sort of secrets and techniques.
- On the Plaintext tab within the Key/worth pairs part, copy the content material from
certificateChain.pem.
- For Encryption key, select DefaultEncryptionKey.
- Select Subsequent.
- For Secret identify, enter
emrcert. - For Useful resource permissions, optionally add or edit a useful resource coverage to entry secrets and techniques throughout AWS accounts.
- Select Subsequent.
- Select Retailer.
Implement TLSArtifactsProvider
This part describes the circulation within the Java code solely. You may obtain the total code from GitHub.
The interface makes use of the getTlsArtifacts technique, which expects certificates in return:
Within the offered code instance, we implement the next logic:
The parameters are as follows:
- init() – Contains the next:
- readTags() – Reads the key ARNs from the Amazon EMR tags
- getCertificates() – Will get the certificates from Secrets and techniques Supervisor
- getX509FromString() – Converts certificates to an X509 format
- getPrivateKey() – Converts the non-public key to the proper format
Compile the Java challenge, and you’ll get the file emr-tls-provider-samples-0.1-jar-with-dependencies.jar. Alternatively you may obtain the JAR file from GitHub.
Create the Amazon EMR safety configuration
To create the Amazon EMR safety configuration, full the next steps:
- Add the
emr-tls-provider-samples-0.1-jar-with-dependencies.jarfile to an S3 bucket. - On the Amazon EMR console, select Safety configurations, then select Create.
- Enter a reputation on your new safety configuration; for instance,
emr-tls-ssm. - Choose Allow in-transit encryption.
- For Certificates supplier sort, select Customized.
- For Customized key supplier location, enter the Amazon S3 path to the Java JAR file.
- For Certificates supplier class, enter the identify of the Java class. Within the instance code, the identify is
com.amazonaws.awssamples.EmrTlsFromSecretsManager.
- Configure the at-rest encryption as required.
- Select Create.
Modify the EC2 occasion profile position
Purposes operating on Amazon EMR assume and use the Amazon EMR position for Amazon EC2 to work together with different AWS providers. To grant permissions to get certificates from Secrets and techniques Supervisor, add the next coverage to your EC2 occasion profile position:
Ensure you restrict the scope of the Secrets and techniques Supervisor coverage to solely the certificates which are required for provisioning.
Begin the cluster
To reuse the identical Java JAR file with totally different certificates and configurations, you may present secret ARNs to EmrTlsFromSecretsManager by Amazon EMR tags, slightly than embedding them in Java code.
On this instance, we use the next tags:
- sm:ssl:emrcert – The ARN of the Secrets and techniques Supervisor parameter key storing the CA-signed certificates
- sm:ssl:emrprivate – The ARN of the Secrets and techniques Supervisor parameter key storing the CA-signed certificates non-public key
Validation
After the cluster is began efficiently, you’ll be able to entry the HDFS NameNode and DataNode UI through HTTPS. For extra data, see View net interfaces hosted on Amazon EMR clusters.
Clear Up
When you don’t want the assets you created within the earlier steps, you may delete the Secrets and techniques Supervisor secrets and techniques and EMR cluster with a purpose to keep away from extra costs.
- On the Secrets and techniques Supervisor console, choose the secrets and techniques you created.
- On the Actions menu, select Delete secret.This doesn’t robotically delete the secrets and techniques, as a result of you must set a ready interval that enables for the secrets and techniques to be restored, if wanted. The minimal time is 7 days.
- On the Amazon EMR console, choose the cluster you created.
- Select Terminate.
The method of deleting the EMR cluster takes a couple of minutes to finish.
Conclusion
On this publish, we demonstrated the right way to create your customized Amazon EMR TLSArtifactsProvider interface and use Secrets and techniques Supervisor to retailer certificates. This lets you outline a safer strategy to retailer and use certificates for Amazon EMR in-transit information encryption.
Concerning the creator
Hao Wang is a Senior Large Knowledge Architect at AWS. Hao actively works with clients constructing giant scale information platforms on AWS. He has a background as a software program architect on implementing distributed software program methods. In his spare time, he enjoys studying and outside actions together with his household.
