Amazon EMR now supports AWS Key Management Service (KMS) customer managed CMKs to encrypt log files that are stored in Amazon S3. When logging and debugging is enabled on an EMR cluster, Amazon EMR will automatically upload log files to Amazon S3. Now Amazon EMR lets you specify customer managed CMKs when the EMR cluster is launched. You can then use that key to protect the log files that you store in Amazon S3 and audit the key usage in AWS CloudTrail logs and get better compliance with security and governance requirements.
Source:: Amazon AWS