Glue component has a security configuration associated

ID

glue_component_no_security_configuration

Severity

high

Vendor

AWS

Resource

Glue

Tags

reachable

Description

AWS Glue is a serverless data integration service to discover, prepare, move, and integrate data (processing known as extract-transform-load or ETL) from multiple sources for analytics, machine learning (ML), and application development.

AWS Glue has three components whose data can be encrypted: CloudWatch logs, job bookmarks, and S3 buckets. A security configuration in AWS Glue holds the encryption settings and keys for these components. Security configurations can be created in the AWS Glue console or in Terraform templates, and provide the encryption properties used by crawlers, jobs, and development endpoints.

This detector reports a flaw on each Glue component that does not reference a security_configuration. Such components store their data unencrypted, which could leak sensitive information.
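The same check, written as an added example that is not part of this rule's own detector: it walks the Resources of a CloudFormation template (JSON already loaded into a dict) and flags each Glue component that has no SecurityConfiguration, or whose SecurityConfiguration is a Ref that does not resolve to an AWS::Glue::SecurityConfiguration resource in the same template. The resource types and the sample template are assumptions for illustration.

```python
import json

# CloudFormation Glue resource types that accept a SecurityConfiguration property.
GLUE_COMPONENT_TYPES = {
    "AWS::Glue::Crawler",
    "AWS::Glue::DevEndpoint",
    "AWS::Glue::Job",
}
SECURITY_CONFIGURATION_TYPE = "AWS::Glue::SecurityConfiguration"


def find_unencrypted_glue_components(template: dict) -> list[tuple[str, str]]:
    """Return (logical_id, reason) for each Glue component without a usable SecurityConfiguration."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") not in GLUE_COMPONENT_TYPES:
            continue
        sec_conf = resource.get("Properties", {}).get("SecurityConfiguration")
        if not sec_conf:
            # Missing or empty: the component writes logs, bookmarks and S3 data unencrypted.
            findings.append((logical_id, "no SecurityConfiguration"))
        elif isinstance(sec_conf, dict) and "Ref" in sec_conf:
            # Intrinsic reference: the target must be a security configuration in this template.
            target = resources.get(sec_conf["Ref"], {})
            if target.get("Type") != SECURITY_CONFIGURATION_TYPE:
                findings.append(
                    (logical_id, f"Ref '{sec_conf['Ref']}' is not an {SECURITY_CONFIGURATION_TYPE}")
                )
    return findings


# Constructed sample template (not from any real account): one compliant job,
# one dev endpoint with no security configuration, and one crawler with a dangling Ref.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "SecConf": {"Type": "AWS::Glue::SecurityConfiguration",
                "Properties": {"Name": "security-conf", "EncryptionConfiguration": {}}},
    "JobEncrypted": {"Type": "AWS::Glue::Job",
                     "Properties": {"Role": "arn:aws:iam::123456789012:role/role",
                                    "Command": {"Name": "glueetl"},
                                    "SecurityConfiguration": {"Ref": "SecConf"}}},
    "DevEndpointDefault": {"Type": "AWS::Glue::DevEndpoint",
                           "Properties": {"RoleArn": "arn:aws:iam::123456789012:role/role"}},
    "CrawlerDangling": {"Type": "AWS::Glue::Crawler",
                        "Properties": {"Role": "arn:aws:iam::123456789012:role/role",
                                       "SecurityConfiguration": {"Ref": "MissingConf"}}}
  }
}
""")

if __name__ == "__main__":
    for logical_id, reason in find_unencrypted_glue_components(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```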

Examples

CloudFormation

{
  "Resources": {
    "DevEndpointDefault": { (1)
      "Type": "AWS::Glue::DevEndpoint",
      "Properties": {
        "EndpointName": "example",
        "RoleArn": "arn:aws:iam::123456789012:role/role"
      }
    }
  }
}
1 No SecurityConfiguration.
Resources:
  DevEndpointDefault: (1)
    Type: AWS::Glue::DevEndpoint
    Properties:
      EndpointName: example
      RoleArn: arn:aws:iam::123456789012:role/role
1 No SecurityConfiguration.

Terraform

resource "aws_glue_crawler" "crawler" { (1)
  # Attribute references must be unquoted; quoting them turns them into literal strings.
  database_name = aws_glue_catalog_database.example.name
  name          = "crawler"
  role          = aws_iam_role.example.arn
}
1 Glue element without security configuration.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "DevEndpointDefault": { (1)
      "Type": "AWS::Glue::DevEndpoint",
      "Properties": {
        "EndpointName": "example",
        "RoleArn": "arn:aws:iam::123456789012:role/role",
        "SecurityConfiguration": "security-conf"
      }
    }
  }
}
1 SecurityConfiguration is set.
Resources:
  DevEndpointDefault: (1)
    Type: AWS::Glue::DevEndpoint
    Properties:
      EndpointName: example
      RoleArn: arn:aws:iam::123456789012:role/role
      SecurityConfiguration: security-conf
1 SecurityConfiguration is set.

Terraform

Add an aws_glue_security_configuration resource and reference its name in the security_configuration attribute of the Glue component(s):

resource "aws_glue_crawler" "crawler" {
  # Attribute references must be unquoted; quoting them turns them into literal strings.
  database_name = aws_glue_catalog_database.example.name
  name          = "crawler"
  role          = aws_iam_role.example.arn

  # FIXED
  security_configuration = aws_glue_security_configuration.example.name
}

resource "aws_glue_security_configuration" "example" {
  name = "example"

  encryption_configuration {
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "SSE-KMS"
      kms_key_arn                = aws_kms_key.example.arn
    }

    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "CSE-KMS"
      kms_key_arn                   = aws_kms_key.example.arn
    }

    s3_encryption {
      kms_key_arn        = aws_kms_key.example.arn
      s3_encryption_mode = "SSE-KMS"
    }
  }
}