AWS Config Rule: EMR Kerberos Enabled

Description: Checks if Amazon EMR clusters have Kerberos enabled. The rule is NON_COMPLIANT if a security configuration is not attached to the cluster or the security configuration does not satisfy the specified rule parameters.

Trigger type: Periodic

AWS Region: All supported AWS regions except Canada West (Calgary) Region

To resolve this manually, you will first need to create a new security configuration. This can be completed from the Amazon EMR section of the AWS Console, if you take a look at the left hand side tabs, you will see the header Security Configurations, if you enter here you can create a new config.

The setting you want to pay attention to is called Authentication, which allows you so enable Kerberos Authentication and gives you the option to choose providers as well as define an external KDC should that fit your requirements.

Now with this newly created Security Configuration, we can apply this to our EMR Cluster. When creating your new EMR Cluster, if you toggle to Advanced Options in the Console, you will see in Step 4: Security the options to choose this Security Configuration. Here you can configure the Realm endpoint and KDC admin password.

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here