AWS emr documentation change
Summary
Added tip about using S3 Bucket Keys to reduce KMS costs and policy considerations
Security assessment
Documents a security optimization feature (S3 Bucket Keys) and policy review requirements, but doesn't fix any security vulnerability.
Diff
diff --git a/emr/latest/ManagementGuide/emr-data-encryption-options.md b/emr/latest/ManagementGuide/emr-data-encryption-options.md index 5fc1c408d..ec38cdc9d 100644 --- a//emr/latest/ManagementGuide/emr-data-encryption-options.md +++ b//emr/latest/ManagementGuide/emr-data-encryption-options.md @@ -58,0 +59,4 @@ SSE with customer-provided keys (SSE-C) is not available for use with Amazon EMR +###### Tip + +To reduce AWS KMS costs when using SSE-KMS, consider enabling Amazon S3 Bucket Keys on your Amazon S3 buckets. Amazon S3 Bucket Keys use a short-lived bucket-level key to reduce AWS KMS API calls by up to 99 percent. Before enabling Amazon S3 Bucket Keys, review your IAM and AWS KMS key policies – the encryption context changes from the Amazon S3 object ARN to the bucket ARN, which may affect policies that use the object ARN for access control. For more information, see [Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html) in the _Amazon Simple Storage Service User Guide_. +