AWS Glue Data Catalog Objects and Connection Passwords Are Unencrypted

Description:

AWS Glue Data Catalog serves as a central metadata repository (databases, tables, partitions and connection definitions) and integrates with services such as Amazon Athena, Amazon Redshift and Amazon EMR. Without encryption, that metadata and the passwords stored in Glue connection objects are held in plaintext, so enabling encryption of both with an AWS KMS key is vital for protecting sensitive data from unauthorized access and breaches.


Remediation:

1. Encrypt Glue Data Catalog Objects and Connection Passwords:

AWS Management Console:
  • Navigate to the Glue service.
  • In the left navigation pane, choose Settings.
  • Under Security configuration and encryption, select Enable for Metadata encryption.
  • Choose the desired AWS KMS key from the list or specify a custom key.
  • Select Enable for Connection password encryption and choose the desired KMS key.
  • Click Save.
Terraform:
# The Terraform resource for these settings is aws_glue_data_catalog_encryption_settings
# (there is no aws_glue_catalog_encryption_config resource in the AWS provider).
resource "aws_glue_data_catalog_encryption_settings" "example" {
  data_catalog_encryption_settings {
    # Encrypt catalog metadata (databases, tables, partitions) at rest with KMS.
    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.example.arn
    }

    # Encrypt the passwords stored in Glue connection objects with the same key.
    connection_password_encryption {
      return_connection_password_encrypted = true
      aws_kms_key_id                       = aws_kms_key.example.arn
    }
  }
}

resource "aws_kms_key" "example" {
  description             = "Glue Data Catalog encryption key"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}

In this Terraform configuration, both Glue Data Catalog metadata and connection passwords are encrypted with a customer managed KMS key that has automatic key rotation enabled.


Recommendation:

Always enable encryption for Glue Data Catalog metadata and connection passwords. Manage and rotate the KMS keys according to best practices, and periodically review your Glue settings to verify that both options remain enabled. Once metadata encryption is on, every principal that reads or writes the Data Catalog (Athena and Redshift Spectrum queries, crawlers, ETL jobs) must be allowed to use that KMS key, so include the key policy and IAM permissions in the rollout.
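The periodic review can be automated against the GetDataCatalogEncryptionSettings API. The script below is an added example, not part of the original finding; the two sample responses and the key ARN in them are constructed, and the live check assumes boto3 is installed with credentials allowed to call glue:GetDataCatalogEncryptionSettings.

```python
from typing import Dict, List

# Constructed sample responses shaped like glue.get_data_catalog_encryption_settings().
UNENCRYPTED = {
    "DataCatalogEncryptionSettings": {
        "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
        "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False},
    }
}
ENCRYPTED = {
    "DataCatalogEncryptionSettings": {
        "EncryptionAtRest": {
            "CatalogEncryptionMode": "SSE-KMS",
            "SseAwsKmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
        "ConnectionPasswordEncryption": {
            "ReturnConnectionPasswordEncrypted": True,
            "AwsKmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
    }
}

def find_encryption_gaps(response: Dict) -> List[str]:
    """Return one finding per missing control; an empty list means compliant."""
    settings = response.get("DataCatalogEncryptionSettings", {})
    findings: List[str] = []
    at_rest = settings.get("EncryptionAtRest", {})
    # SSE-KMS and SSE-KMS-WITH-SERVICE-ROLE both mean metadata is KMS-encrypted.
    if not str(at_rest.get("CatalogEncryptionMode", "DISABLED")).startswith("SSE-KMS"):
        findings.append("Metadata encryption disabled (CatalogEncryptionMode is not SSE-KMS)")
    elif not at_rest.get("SseAwsKmsKeyId"):
        findings.append("Metadata encryption enabled but no KMS key is configured")
    pw = settings.get("ConnectionPasswordEncryption", {})
    if not pw.get("ReturnConnectionPasswordEncrypted"):
        findings.append("Connection password encryption disabled")
    elif not pw.get("AwsKmsKeyId"):
        findings.append("Connection password encryption enabled but no KMS key is configured")
    return findings

def audit_live_catalog(region_name: str) -> List[str]:
    """Query the account's real settings; needs boto3 and AWS credentials."""
    import boto3  # imported here so the evaluator above runs without boto3
    glue = boto3.client("glue", region_name=region_name)
    return find_encryption_gaps(glue.get_data_catalog_encryption_settings())

if __name__ == "__main__":
    for name, sample in (("unencrypted", UNENCRYPTED), ("encrypted", ENCRYPTED)):
        print(name, find_encryption_gaps(sample) or ["OK"])
```

Run audit_live_catalog("<region>") from a scheduled job and alert on any non-empty result to catch settings that drift back to DISABLED.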