AWS emr medium security documentation change
Summary
Added note about EMR requiring private keys without passphrases and provided command to remove passphrases from keys.
Security assessment
The change explicitly addresses a security-related misconfiguration where passphrase-protected keys cause cluster startup failures. By documenting this requirement and providing remediation steps, it prevents operational failures in encryption setups which could lead to unintended data exposure if encryption fails.
Diff
diff --git a/emr/latest/ManagementGuide/emr-encryption-enable.md b/emr/latest/ManagementGuide/emr-encryption-enable.md index cdf32f934..8b81d0146 100644 --- a//emr/latest/ManagementGuide/emr-encryption-enable.md +++ b//emr/latest/ManagementGuide/emr-encryption-enable.md @@ -180,0 +181,9 @@ trustedCertificates.pem | Optional | We recommend that you provide a certificate +###### Note + +Amazon EMR requires private keys without passphrases. Amazon EMR doesn't support passphrase-protected private keys (both PBES1 and PBES2 formats). Amazon EMR services start automatically, so no user is available to provide a passphrase. If you use a passphrase-protected private key, the cluster fails to start with an error similar to `Failed to read the private key from /emr/instance-controller/emr-encryption/privateKey.pem`. + +To remove a passphrase from an existing private key, run the following command. Then, reconfigure your security configuration to use the updated key file. + + + openssl rsa -in encrypted_privateKey.pem -out privateKey.pem +