Glue Security Configuration has encryption disabled
ID: glue_security_conf_encryption_disabled
Severity: high
Vendor: AWS
Resource: Glue
Tags: reachable
Description
AWS Glue has three possible components that could be encrypted: Cloudwatch, job bookmarks and S3 buckets. A security configuration in AWS Glue contains encryption keys for these components. Security configurations can be created on the AWS Glue console or in Terraform templates, to provide the encryption properties that are used by crawlers, jobs, and development endpoints.
This detector enforces that encryption is enabled on the components.
For full details, see Terraform’s aws_glue_security_configuration.
Examples
CloudFormation
{
  "Resources": {
    "Resource0": { (1)
      "Type": "AWS::Glue::SecurityConfiguration",
      "Properties": {
        "EncryptionConfiguration": {
          "CloudWatchEncryption": {
            "CloudWatchEncryptionMode": "DISABLED"
          }
        }
      }
    }
  }
}
(1) CloudWatchEncryptionMode is DISABLED, and there are no JobBookmarksEncryption or S3Encryptions blocks at all.
Resources:
  Resource0: (1)
    Type: AWS::Glue::SecurityConfiguration
    Properties:
      EncryptionConfiguration:
        CloudWatchEncryption:
          CloudWatchEncryptionMode: DISABLED
(1) CloudWatchEncryptionMode is DISABLED, and there are no JobBookmarksEncryption or S3Encryptions blocks at all.
Terraform
resource "aws_glue_security_configuration" "example" {
  name = "example"
  encryption_configuration {
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "DISABLED" (1)
    }
    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "DISABLED" (1)
    }
    s3_encryption {
      kms_key_arn        = data.aws_kms_key.example.arn
      s3_encryption_mode = "SSE-KMS"
    }
  }
}
(1) These two components have encryption disabled; only S3 is encrypted.
Mitigation / Fix
Buildtime
CloudFormation
{
  "Resources": {
    "Resource0": { (1)
      "Type": "AWS::Glue::SecurityConfiguration",
      "Properties": {
        "EncryptionConfiguration": {
          "CloudWatchEncryption": {
            "CloudWatchEncryptionMode": "SSE-KMS",
            "KmsKeyArn": "KmsKeyArn"
          },
          "JobBookmarksEncryption": {
            "JobBookmarksEncryptionMode": "CSE-KMS",
            "KmsKeyArn": "KmsKeyArn"
          },
          "S3Encryptions": [
            {
              "KmsKeyArn": "KmsKeyArn",
              "S3EncryptionMode": "SSE-KMS"
            }
          ]
        }
      }
    }
  }
}
(1) CloudWatchEncryption, JobBookmarksEncryption and S3Encryptions are all present with a non-DISABLED mode and a KMS key.
Resources:
  Resource0: (1)
    Type: AWS::Glue::SecurityConfiguration
    Properties:
      EncryptionConfiguration:
        CloudWatchEncryption:
          CloudWatchEncryptionMode: SSE-KMS
          KmsKeyArn: KmsKeyArn
        JobBookmarksEncryption:
          JobBookmarksEncryptionMode: CSE-KMS
          KmsKeyArn: KmsKeyArn
        S3Encryptions:
          - KmsKeyArn: KmsKeyArn
            S3EncryptionMode: SSE-KMS
(1) CloudWatchEncryption, JobBookmarksEncryption and S3Encryptions are all present with a non-DISABLED mode and a KMS key.
Terraform
resource "aws_glue_security_configuration" "example" {
  name = "example"
  encryption_configuration {
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "SSE-KMS" // FIXED
      kms_key_arn                = aws_kms_key.example.arn
    }
    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "CSE-KMS" // FIXED
      kms_key_arn                   = aws_kms_key.example.arn
    }
    s3_encryption {
      kms_key_arn        = aws_kms_key.example.arn
      s3_encryption_mode = "SSE-KMS"
    }
  }
}
Configuration
The detector configuration (glue_security_conf_encryption_disabled.yml) has three properties for selecting which elements should have encryption enabled.
properties:
  # You may configure which elements should have encryption enabled in the aws_glue_security_configuration.
  # Set to false if encryption is not required for the given element.
  cloudwatch_encryption: true
  job_bookmarks_encryption: true
  s3_encryption: true
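As an added illustration (not the detector's own implementation), the check below applies the same three configuration switches to a CloudFormation template in JSON form. A component counts as unencrypted when its block is absent or its mode is DISABLED, which is exactly what the flagged examples above show. The two templates it parses are constructed here to mirror the flagged and fixed examples.

```python
import json

# Constructed sample templates (not from the original page): the first mirrors the
# flagged example (CloudWatch DISABLED, bookmarks and S3 absent), the second the fix.
FAILING_TEMPLATE = json.dumps({"Resources": {"Resource0": {
    "Type": "AWS::Glue::SecurityConfiguration",
    "Properties": {"EncryptionConfiguration": {
        "CloudWatchEncryption": {"CloudWatchEncryptionMode": "DISABLED"}}}}}})

PASSING_TEMPLATE = json.dumps({"Resources": {"Resource0": {
    "Type": "AWS::Glue::SecurityConfiguration",
    "Properties": {"EncryptionConfiguration": {
        "CloudWatchEncryption": {"CloudWatchEncryptionMode": "SSE-KMS", "KmsKeyArn": "KmsKeyArn"},
        "JobBookmarksEncryption": {"JobBookmarksEncryptionMode": "CSE-KMS", "KmsKeyArn": "KmsKeyArn"},
        "S3Encryptions": [{"S3EncryptionMode": "SSE-KMS", "KmsKeyArn": "KmsKeyArn"}]}}}}})

# Same three switches as glue_security_conf_encryption_disabled.yml.
DEFAULT_CONFIG = {"cloudwatch_encryption": True, "job_bookmarks_encryption": True, "s3_encryption": True}

# Detector property -> (CloudFormation block under EncryptionConfiguration, its mode key).
COMPONENTS = {
    "cloudwatch_encryption": ("CloudWatchEncryption", "CloudWatchEncryptionMode"),
    "job_bookmarks_encryption": ("JobBookmarksEncryption", "JobBookmarksEncryptionMode"),
    "s3_encryption": ("S3Encryptions", "S3EncryptionMode"),
}


def component_encrypted(enc_conf, block, mode_key):
    """True only when the block exists and no entry in it is DISABLED (a missing block is unencrypted)."""
    entries = enc_conf.get(block)
    if entries is None:
        return False
    if not isinstance(entries, list):  # S3Encryptions is a list; the other two are single objects
        entries = [entries]
    return bool(entries) and all(
        e.get(mode_key, "DISABLED") != "DISABLED" for e in entries)


def find_unencrypted(template_json, config=DEFAULT_CONFIG):
    """Return (logical_id, block) for each required component that is missing or DISABLED."""
    template = json.loads(template_json)
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Glue::SecurityConfiguration":
            continue
        enc_conf = res.get("Properties", {}).get("EncryptionConfiguration", {})
        for prop, (block, mode_key) in COMPONENTS.items():
            if config.get(prop, True) and not component_encrypted(enc_conf, block, mode_key):
                findings.append((logical_id, block))
    return findings
```

Setting a switch to false in the config dict suppresses that component's finding, matching the "Set to false if encryption is not required" behaviour described above.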