AWS Security ChangesHomeSearch

AWS emr documentation change

Service: emr · 2026-05-10 · Documentation low

File: emr/latest/ManagementGuide/emr-encryption-enable.md

Summary

Updated in-transit encryption options: Added EMR-managed certificate option for 7.11.0+, clarified version support ranges, and fixed a typo.

Security assessment

Adds documentation for new EMR-managed certificate feature which simplifies encryption setup. No evidence of vulnerability fix; enhances security documentation.

Diff

diff --git a/emr/latest/ManagementGuide/emr-encryption-enable.md b/emr/latest/ManagementGuide/emr-encryption-enable.md
index 19e021f7a..cdf32f934 100644
--- a//emr/latest/ManagementGuide/emr-encryption-enable.md
+++ b//emr/latest/ManagementGuide/emr-encryption-enable.md
@@ -156 +156,3 @@ An EncryptionMaterialsProvider reference implementation is provided below. Anoth
-With Amazon EMR release version 4.8.0 or later, you have two options for specifying artifacts for encrypting data in transit using a security configuration: 
+With Amazon EMR release version 7.11.0 or later, you have three options for specifying artifacts for encrypting data in transit using a security configuration: 
+
+  * You can have Amazon EMR create and manage private certificates for you. When selecting this option, Amazon EMR will upload the PEM-encoded certificate of the created certificate authority to AWS Secrets Manager in your account for you to use in your trust stores. For configuration details and example commands, see [Configure data encryption](./emr-create-security-configuration.html#emr-security-configuration-encryption).
@@ -164,0 +167,2 @@ With Amazon EMR release version 4.8.0 or later, you have two options for specify
+For Amazon EMR release version 4.8.0 through 7.10.0, only a .zip file or custom Java class are supported.
+
@@ -175 +179 @@ certificateChain.pem | Required | Certificate chain
-trustedCertificates.pem | Optional | We recommend that you provide a certificate that isn't signed by the the Java default trusted root certification authority (CA) or an intermediate CA that can link to the Java default trusted root CA. We don't reocmmend that you use public CAs when you use wildcard certificates or when you disable hostname verification.  
+trustedCertificates.pem | Optional | We recommend that you provide a certificate that isn't signed by the the Java default trusted root certification authority (CA) or an intermediate CA that can link to the Java default trusted root CA. We don't recommend that you use public CAs when you use wildcard certificates or when you disable hostname verification.