Creates a security configuration, which is stored in the service and can be specified when a cluster is created.
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
create-security-configuration
--name <value>
--security-configuration <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--name
(string)
The name of the security configuration.
--security-configuration
(string)
The security configuration details in JSON format. For JSON parameters and examples, see Use Security Configurations to Set Up Cluster Security in the Amazon EMR Management Guide .
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
See ‘aws help’ for descriptions of global parameters.
1. To create a security configuration with in-transit encryption enabled with PEM for certificate provider, and at-rest encryption enabled with SSE-S3 for S3 encryption and AWS-KMS for local disk key provider
Command:
aws emr create-security-configuration --name MySecurityConfig --security-configuration '{
"EncryptionConfiguration": {
"EnableInTransitEncryption" : true,
"EnableAtRestEncryption" : true,
"InTransitEncryptionConfiguration" : {
"TLSCertificateConfiguration" : {
"CertificateProviderType" : "PEM",
"S3Object" : "s3://mycertstore/artifacts/MyCerts.zip"
}
},
"AtRestEncryptionConfiguration" : {
"S3EncryptionConfiguration" : {
"EncryptionMode" : "SSE-S3"
},
"LocalDiskEncryptionConfiguration" : {
"EncryptionKeyProviderType" : "AwsKms",
"AwsKmsKey" : "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}
}
}
}'
Output:
{
"CreationDateTime": 1474070889.129,
"Name": "MySecurityConfig"
}
JSON equivalent (contents of security_configuration.json):
{
"EncryptionConfiguration": {
"EnableInTransitEncryption": true,
"EnableAtRestEncryption": true,
"InTransitEncryptionConfiguration": {
"TLSCertificateConfiguration": {
"CertificateProviderType": "PEM",
"S3Object": "s3://mycertstore/artifacts/MyCerts.zip"
}
},
"AtRestEncryptionConfiguration": {
"S3EncryptionConfiguration": {
"EncryptionMode": "SSE-S3"
},
"LocalDiskEncryptionConfiguration": {
"EncryptionKeyProviderType": "AwsKms",
"AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}
}
}
}
Command (using security_configuration.json):
aws emr create-security-configuration --name "MySecurityConfig" --security-configuration file://./security_configuration.json
Output:
{
"CreationDateTime": 1474070889.129,
"Name": "MySecurityConfig"
}
2. To create a security configuration with Kerberos enabled using cluster-dedicated KDC and cross-realm trust
Command:
aws emr create-security-configuration --name MySecurityConfig --security-configuration '{
"AuthenticationConfiguration": {
"KerberosConfiguration": {
"Provider": "ClusterDedicatedKdc",
"ClusterDedicatedKdcConfiguration": {
"TicketLifetimeInHours": 24,
"CrossRealmTrustConfiguration": {
"Realm": "AD.DOMAIN.COM",
"Domain": "ad.domain.com",
"AdminServer": "ad.domain.com",
"KdcServer": "ad.domain.com"
}
}
}
}
}'
Output:
{
"CreationDateTime": 1490225558.982,
"Name": "MySecurityConfig"
}
JSON equivalent (contents of security_configuration.json):
{
"AuthenticationConfiguration": {
"KerberosConfiguration": {
"Provider": "ClusterDedicatedKdc",
"ClusterDedicatedKdcConfiguration": {
"TicketLifetimeInHours": 24,
"CrossRealmTrustConfiguration": {
"Realm": "AD.DOMAIN.COM",
"Domain": "ad.domain.com",
"AdminServer": "ad.domain.com",
"KdcServer": "ad.domain.com"
}
}
}
}
}
Command (using security_configuration.json):
aws emr create-security-configuration --name "MySecurityConfig" --security-configuration file://./security_configuration.json
Output:
{
"CreationDateTime": 1490225558.982,
"Name": "MySecurityConfig"
}
Name -> (string)
The name of the security configuration.
CreationDateTime -> (timestamp)
The date and time the security configuration was created.