AWS CLI Command Reference

[ aws . emr ]

create-security-configuration

Description

Creates a security configuration, which is stored in the service and can be specified when a cluster is created.

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  create-security-configuration
--name <value>
--security-configuration <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

Options

--name (string)

The name of the security configuration.

--security-configuration (string)

The security configuration details in JSON format. For JSON parameters and examples, see Use Security Configurations to Set Up Cluster Security in the Amazon EMR Management Guide .

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.

Examples

1. To create a security configuration with in-transit encryption enabled with PEM for certificate provider, and at-rest encryption enabled with SSE-S3 for S3 encryption and AWS-KMS for local disk key provider

  • Command:

     aws emr create-security-configuration --name MySecurityConfig --security-configuration '{
        "EncryptionConfiguration": {
                "EnableInTransitEncryption" : true,
                "EnableAtRestEncryption" : true,
                "InTransitEncryptionConfiguration" : {
                        "TLSCertificateConfiguration" : {
                                "CertificateProviderType" : "PEM",
                                "S3Object" : "s3://mycertstore/artifacts/MyCerts.zip"
                        }
                },
                "AtRestEncryptionConfiguration" : {
                        "S3EncryptionConfiguration" : {
                                "EncryptionMode" : "SSE-S3"
                        },
                        "LocalDiskEncryptionConfiguration" : {
                                "EncryptionKeyProviderType" : "AwsKms",
                                "AwsKmsKey" : "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
                        }
                }
        }
}'

  • Output:

    {
"CreationDateTime": 1474070889.129,
"Name": "MySecurityConfig"
}

  • JSON equivalent (contents of security_configuration.json):

    {
    "EncryptionConfiguration": {
        "EnableInTransitEncryption": true,
        "EnableAtRestEncryption": true,
        "InTransitEncryptionConfiguration": {
            "TLSCertificateConfiguration": {
                "CertificateProviderType": "PEM",
                "S3Object": "s3://mycertstore/artifacts/MyCerts.zip"
            }
        },
        "AtRestEncryptionConfiguration": {
            "S3EncryptionConfiguration": {
                "EncryptionMode": "SSE-S3"
            },
            "LocalDiskEncryptionConfiguration": {
                "EncryptionKeyProviderType": "AwsKms",
                "AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
            }
        }
    }
}

  • Command (using security_configuration.json):

    aws emr create-security-configuration --name "MySecurityConfig" --security-configuration file://./security_configuration.json

  • Output:

    {
"CreationDateTime": 1474070889.129,
"Name": "MySecurityConfig"
}

2. To create a security configuration with Kerberos enabled using cluster-dedicated KDC and cross-realm trust

  • Command:

     aws emr create-security-configuration --name MySecurityConfig --security-configuration '{
     "AuthenticationConfiguration": {
         "KerberosConfiguration": {
             "Provider": "ClusterDedicatedKdc",
             "ClusterDedicatedKdcConfiguration": {
                 "TicketLifetimeInHours": 24,
                 "CrossRealmTrustConfiguration": {
                   "Realm": "AD.DOMAIN.COM",
                   "Domain": "ad.domain.com",
                   "AdminServer": "ad.domain.com",
                   "KdcServer": "ad.domain.com"
                 }
             }
         }
     }
}'

  • Output:

    {
"CreationDateTime": 1490225558.982,
"Name": "MySecurityConfig"
}

  • JSON equivalent (contents of security_configuration.json):

    {
    "AuthenticationConfiguration": {
        "KerberosConfiguration": {
            "Provider": "ClusterDedicatedKdc",
            "ClusterDedicatedKdcConfiguration": {
                "TicketLifetimeInHours": 24,
                "CrossRealmTrustConfiguration": {
                    "Realm": "AD.DOMAIN.COM",
                    "Domain": "ad.domain.com",
                    "AdminServer": "ad.domain.com",
                    "KdcServer": "ad.domain.com"
                }
            }
        }
    }
}

  • Command (using security_configuration.json):

    aws emr create-security-configuration --name "MySecurityConfig" --security-configuration file://./security_configuration.json

  • Output:

    {
"CreationDateTime": 1490225558.982,
"Name": "MySecurityConfig"
}

Output

Name -> (string)

The name of the security configuration.

CreationDateTime -> (timestamp)

The date and time the security configuration was created.

© Copyright 2018, Amazon Web Services. Created using Sphinx.