Terraform AWS EMR
EMR clusters and instance groups with security configurations, encryption in transit and at rest, Kerberos, IAM roles, bootstrap actions, logging, and deployment in private subnets.
Controls enforced
These compliance controls are checked at terraform plan time.
- EMR cluster Kerberos should be enabled(medium effort)
- EMR clusters should have security configuration enabled(medium effort)
Quick start
See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.
Migration from upstream
Already using terraform-aws-modules? Change only the source URL:
module "emr" {
source = "terraform-aws-modules/emr/aws"
version = "1.0"
}module "emr" {
source = "soc2.compliance.tf/terraform-aws-modules/emr/aws"
version = "1.0"
}Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.
Reversibility
No lock-in. Switch back by reverting the source URL:
module "emr" {
source = "terraform-aws-modules/emr/aws"
}Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.
Mapped compliance frameworks
Framework coverage
Which controls from this module are active under each framework endpoint.
| Control | HIPAA Omnibus Rule 2013 | PCI DSS v4.0 |
|---|---|---|
| EMR cluster Kerberos should be enabled | ● | ● |
| EMR clusters should have security configuration enabled | ○ | ○ |
● enforced by default · ○ not activated by this endpoint