Ensure Glue Data Catalog Encryption is enabled

ID

glue_data_catalog_encryption_disabled

Severity

high

Vendor

AWS

Resource

Glue

Tags

reachable

Description

AWS Glue is a serverless data integration service to discover, prepare, move, and integrate data (processing known as extract-transform-load or ETL) from multiple sources for analytics, machine learning (ML), and application development.

To provide an additional layer of data protection against unauthorized access to the metadata stored in the Data Catalog (and to the connection passwords it holds), it is recommended to enable encryption.

The AWS::Glue::DataCatalogEncryptionSettings resource is checked to ensure catalog encryption at rest is configured (EncryptionAtRest with CatalogEncryptionMode set to SSE-KMS) rather than missing or DISABLED.
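The following Python checker is an added example, not part of this policy page or of any scanner's own code. It applies the check described above to a CloudFormation template parsed from JSON: every AWS::Glue::DataCatalogEncryptionSettings resource must carry an EncryptionAtRest block with CatalogEncryptionMode "SSE-KMS" and a key, and ConnectionPasswordEncryption must return passwords encrypted. The two embedded templates are constructed to mirror the failing and fixed examples on this page; the resource and key names in them are placeholders.

```python
import json
from typing import Dict, List

GLUE_SETTINGS_TYPE = "AWS::Glue::DataCatalogEncryptionSettings"
ENCRYPTED_MODES = {"SSE-KMS"}  # a missing block or "DISABLED" both fail


def evaluate_settings(settings: dict) -> List[str]:
    """Return policy violations for one DataCatalogEncryptionSettings object.

    The CloudFormation property and the GetDataCatalogEncryptionSettings API
    response share this shape, so the same predicate serves build-time and
    runtime checks.
    """
    problems: List[str] = []
    at_rest = settings.get("EncryptionAtRest") or {}
    mode = at_rest.get("CatalogEncryptionMode")
    # A non-string value (e.g. an intrinsic function such as {"Ref": ...})
    # cannot be resolved statically, so it is reported rather than trusted.
    if not isinstance(mode, str) or mode not in ENCRYPTED_MODES:
        problems.append(
            f"EncryptionAtRest.CatalogEncryptionMode is {mode!r}, expected SSE-KMS"
        )
    elif not at_rest.get("SseAwsKmsKeyId"):
        problems.append("EncryptionAtRest.SseAwsKmsKeyId is not set")
    pw = settings.get("ConnectionPasswordEncryption") or {}
    if pw.get("ReturnConnectionPasswordEncrypted") is not True:
        problems.append(
            "ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted is not true"
        )
    return problems


def check_template(template: dict) -> Dict[str, List[str]]:
    """Map each violating Glue encryption-settings resource to its problems."""
    findings: Dict[str, List[str]] = {}
    for logical_id, res in (template.get("Resources") or {}).items():
        if res.get("Type") != GLUE_SETTINGS_TYPE:
            continue
        props = res.get("Properties") or {}
        problems = evaluate_settings(props.get("DataCatalogEncryptionSettings") or {})
        if problems:
            findings[logical_id] = problems
    return findings


def check_template_text(text: str) -> Dict[str, List[str]]:
    """Parse a JSON CloudFormation template and check it."""
    return check_template(json.loads(text))


# Constructed sample: EncryptionAtRest is absent, so the catalog is not encrypted.
FAILING_TEMPLATE = """
{"Resources": {"DataCatalog": {
  "Type": "AWS::Glue::DataCatalogEncryptionSettings",
  "Properties": {"CatalogId": "CatalogId",
    "DataCatalogEncryptionSettings": {
      "ConnectionPasswordEncryption": {
        "KmsKeyId": "KmsKeyId", "ReturnConnectionPasswordEncrypted": true}}}}}}
"""

# Constructed sample: mode explicitly DISABLED and passwords returned in clear.
DISABLED_TEMPLATE = """
{"Resources": {"DataCatalog": {
  "Type": "AWS::Glue::DataCatalogEncryptionSettings",
  "Properties": {"CatalogId": "CatalogId",
    "DataCatalogEncryptionSettings": {
      "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": false},
      "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"}}}}}}
"""

# Constructed sample mirroring the fixed configuration.
PASSING_TEMPLATE = """
{"Resources": {"DataCatalog": {
  "Type": "AWS::Glue::DataCatalogEncryptionSettings",
  "Properties": {"CatalogId": "CatalogId",
    "DataCatalogEncryptionSettings": {
      "ConnectionPasswordEncryption": {
        "KmsKeyId": "KmsKeyId", "ReturnConnectionPasswordEncrypted": true},
      "EncryptionAtRest": {
        "CatalogEncryptionMode": "SSE-KMS", "SseAwsKmsKeyId": "SseAwsKmsKeyId"}}}}}}
"""

if __name__ == "__main__":
    for name, text in [("failing", FAILING_TEMPLATE),
                       ("disabled", DISABLED_TEMPLATE),
                       ("passing", PASSING_TEMPLATE)]:
        print(name, check_template_text(text))
```

For a runtime audit, the dictionary returned by the Glue GetDataCatalogEncryptionSettings API under the DataCatalogEncryptionSettings key can be passed straight to evaluate_settings; no separate parser is needed.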

Examples

CloudFormation

{
  "Resources": {
    "DataCatalog": { (1)
      "Type": "AWS::Glue::DataCatalogEncryptionSettings",
      "Properties": {
        "CatalogId": "CatalogId",
        "DataCatalogEncryptionSettings": {
          "ConnectionPasswordEncryption": {
            "KmsKeyId": "KmsKeyId",
            "ReturnConnectionPasswordEncrypted": true
          }
        }
      }
    }
  }
}
1 Missing EncryptionAtRest block under DataCatalogEncryptionSettings means catalog encryption at rest is not enabled.
Resources:
  DataCatalog: (1)
    Type: 'AWS::Glue::DataCatalogEncryptionSettings'
    Properties:
      CatalogId: "CatalogId"
      DataCatalogEncryptionSettings:
        ConnectionPasswordEncryption:
          KmsKeyId: "KmsKeyId"
          ReturnConnectionPasswordEncrypted: True
1 Missing EncryptionAtRest block under DataCatalogEncryptionSettings means catalog encryption at rest is not enabled.

Terraform

resource "aws_glue_data_catalog_encryption_settings" "example" { # resource name is a placeholder
  data_catalog_encryption_settings {
    connection_password_encryption {
      return_connection_password_encrypted = false
    }
    encryption_at_rest {
      catalog_encryption_mode = "DISABLED" (1)
    }
  }
}
1 Catalog encryption is disabled.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "DataCatalog": {
      "Type": "AWS::Glue::DataCatalogEncryptionSettings",
      "Properties": {
        "CatalogId": "CatalogId",
        "DataCatalogEncryptionSettings": {
          "ConnectionPasswordEncryption": {
            "KmsKeyId": "KmsKeyId",
            "ReturnConnectionPasswordEncrypted": true
          },
          "EncryptionAtRest": {
            "CatalogEncryptionMode": "SSE-KMS", (1)
            "SseAwsKmsKeyId": "SseAwsKmsKeyId"
          }
        }
      }
    }
  }
}
1 DataCatalogEncryptionSettings with both ConnectionPasswordEncryption and EncryptionAtRest (CatalogEncryptionMode SSE-KMS with a KMS key) properly set means encryption is enabled.
Resources:
  DataCatalog:
    Type: 'AWS::Glue::DataCatalogEncryptionSettings'
    Properties:
      CatalogId: "CatalogId"
      DataCatalogEncryptionSettings:
        ConnectionPasswordEncryption:
          KmsKeyId: "KmsKeyId"
          ReturnConnectionPasswordEncrypted: True
        EncryptionAtRest:
          CatalogEncryptionMode: "SSE-KMS" (1)
          SseAwsKmsKeyId: "SseAwsKmsKeyId"
1 DataCatalogEncryptionSettings with both ConnectionPasswordEncryption and EncryptionAtRest (CatalogEncryptionMode SSE-KMS with a KMS key) properly set means encryption is enabled.

Terraform

resource "aws_glue_data_catalog_encryption_settings" "example" { # resource name is a placeholder
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = aws_kms_key.test.arn
      return_connection_password_encrypted = true
    }
    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.test.arn (1)
    }
  }
}
1 Ensure return_connection_password_encrypted is set to true, and that catalog_encryption_mode is set to SSE-KMS together with a KMS key ID in sse_aws_kms_key_id.