AWS Glue Data Catalog Does Not Enforce Data-at-Rest Encryption
Description:
The AWS Glue Data Catalog is a centralized metadata repository used by services such as Amazon Athena and Amazon Redshift. Encrypting the catalog at rest with an AWS KMS key protects this metadata against unauthorized access to the underlying storage, so encryption should be enforced rather than left at its default of disabled.
Remediation:
1. Enforce Data-at-Rest Encryption for Amazon Glue Data Catalog:
AWS Management Console:
- Navigate to the Glue service.
- In the left navigation pane, choose Settings.
- Under Security configuration and encryption, select Enable for Metadata encryption.
- Choose the desired AWS KMS key from the list or specify a custom key.
- Click Save.
Terraform:
To enforce data-at-rest encryption for Amazon Glue Data Catalog, you can use Terraform as follows:
resource "aws_kms_key" "glue_encryption" {
  description         = "KMS key for Glue Data Catalog encryption"
  enable_key_rotation = true
}

resource "aws_glue_data_catalog_encryption_settings" "example" {
  data_catalog_encryption_settings {
    # Encrypt catalog metadata (databases, tables, partitions) with the key above
    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.glue_encryption.arn
    }
    # Required block: also encrypt connection passwords stored in the catalog
    connection_password_encryption {
      return_connection_password_encrypted = true
      aws_kms_key_id                       = aws_kms_key.glue_encryption.arn
    }
  }
}
In this Terraform configuration, data-at-rest encryption for the Glue Data Catalog is enforced using a customer managed KMS key. The settings apply to the whole Data Catalog of the account in that region.
Recommendation:
Always enforce data-at-rest encryption for Glue Data Catalogs. Regularly review AWS Glue configurations to ensure that encryption settings are maintained. Also, manage and rotate your KMS keys according to best practices.
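As an added example that is not part of the original page, the following Python script performs the periodic review recommended above: it evaluates the settings returned by the Glue GetDataCatalogEncryptionSettings API (the same settings the console steps and the Terraform configuration set) and reports every deviation from the expected state. The evaluation logic is pure, so it runs offline against the constructed sample responses embedded in the script; fetch_settings() wraps the live boto3 call and is the only part that needs AWS credentials. The account id and key ARN in the samples are constructed placeholders.

```python
"""Audit the AWS Glue Data Catalog encryption settings of one account/region.

Added example (not from the original page). evaluate() is pure and works on
the dict returned under "DataCatalogEncryptionSettings" by the Glue
GetDataCatalogEncryptionSettings API; fetch_settings() is the live wrapper.
"""
import json
import sys
from typing import Dict, List, Optional

EXPECTED_MODE = "SSE-KMS"  # the mode the console "Enable" step and Terraform set


def evaluate(settings: Dict) -> List[str]:
    """Return a list of findings; an empty list means the catalog is compliant."""
    findings: List[str] = []

    at_rest = settings.get("EncryptionAtRest", {})
    # A missing block means the service default, i.e. no encryption.
    mode = at_rest.get("CatalogEncryptionMode", "DISABLED")
    if mode != EXPECTED_MODE:
        findings.append(f"metadata encryption at rest is {mode}; expected {EXPECTED_MODE}")
    elif not at_rest.get("SseAwsKmsKeyId"):
        findings.append("SSE-KMS selected but no KMS key id is set")

    pw = settings.get("ConnectionPasswordEncryption", {})
    # Connection passwords live in the same catalog but have their own switch.
    if not pw.get("ReturnConnectionPasswordEncrypted", False):
        findings.append("connection passwords are not encrypted")

    return findings


def fetch_settings(region: str, catalog_id: Optional[str] = None) -> Dict:
    """Live call; needs credentials (boto3 is imported here so evaluate() runs offline)."""
    import boto3  # real library and API; not exercised by the offline samples

    kwargs = {"CatalogId": catalog_id} if catalog_id else {}
    client = boto3.client("glue", region_name=region)
    resp = client.get_data_catalog_encryption_settings(**kwargs)
    return resp["DataCatalogEncryptionSettings"]


# Constructed sample responses in the API's shape (account id and key ARN are placeholders).
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
DEFAULT_UNENCRYPTED = {
    "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False},
}
COMPLIANT = {
    "EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS", "SseAwsKmsKeyId": SAMPLE_KEY_ARN},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": True,
                                     "AwsKmsKeyId": SAMPLE_KEY_ARN},
}


if __name__ == "__main__":
    # Usage: python glue_catalog_audit.py            -> check the constructed samples
    #        python glue_catalog_audit.py us-east-1  -> check the live account/region
    if len(sys.argv) > 1:
        targets = {sys.argv[1]: fetch_settings(sys.argv[1])}
    else:
        targets = {"sample:default": DEFAULT_UNENCRYPTED, "sample:compliant": COMPLIANT}
    for name, settings in targets.items():
        result = evaluate(settings)
        print(json.dumps({"target": name, "compliant": not result, "findings": result}))
```

Run it in each region the account uses, since the encryption settings are per account and region; a non-empty findings list is the condition this page describes and is what a scheduled job should alert on.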