AWS Glue Data Catalog Does Not Enforce Data-at-Rest Encryption


The AWS Glue Data Catalog is a centralized metadata repository that integrates with AWS services such as Amazon Athena and Amazon Redshift. Data-at-rest encryption protects the sensitive metadata held in the catalog against unauthorized access, so it should always be enforced.


1. Enforce Data-at-Rest Encryption for Amazon Glue Data Catalog:

AWS Management Console:
  • Navigate to the Glue service.
  • In the left navigation pane, choose Settings.
  • Under Security configuration and encryption, select Enable for Metadata encryption.
  • Choose the desired AWS KMS key from the list or specify a custom key.
  • Click Save.

To enforce data-at-rest encryption for the AWS Glue Data Catalog, you can use Terraform as follows:

resource "aws_kms_key" "glue_encryption" {
  description         = "KMS key for Glue Data Catalog encryption"
  enable_key_rotation = true
}

resource "aws_glue_data_catalog_encryption_settings" "example" {
  data_catalog_encryption_settings {
    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.glue_encryption.arn
    }
    connection_password_encryption {
      return_connection_password_encrypted = true
      aws_kms_key_id                       = aws_kms_key.glue_encryption.arn
    }
  }
}

In this Terraform configuration, data-at-rest encryption for the Glue Data Catalog is enforced with a customer managed KMS key rather than the service default.


Always enforce data-at-rest encryption for the Glue Data Catalog. Regularly review AWS Glue configurations to confirm that the encryption settings remain in place, and manage and rotate your KMS keys according to best practices.
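The periodic review mentioned above can be automated. The following added example (not part of the original page or of any AWS tooling) evaluates the settings document returned by the Glue `GetDataCatalogEncryptionSettings` API and reports why a catalog would fail this rule; the two sample responses and the KMS key ARN are constructed, and the optional live check assumes boto3 and AWS credentials are available.

```python
"""Check whether a Glue Data Catalog enforces encryption at rest (added example)."""
from typing import Dict, List

# Shape mirrors the response of glue.get_data_catalog_encryption_settings().
SAMPLE_UNENCRYPTED = {  # constructed sample: this catalog fails the rule
    "DataCatalogEncryptionSettings": {
        "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
        "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False},
    }
}
SAMPLE_ENCRYPTED = {  # constructed sample: this catalog passes the rule
    "DataCatalogEncryptionSettings": {
        "EncryptionAtRest": {
            "CatalogEncryptionMode": "SSE-KMS",
            "SseAwsKmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
        "ConnectionPasswordEncryption": {
            "ReturnConnectionPasswordEncrypted": True,
            "AwsKmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
    }
}


def evaluate_catalog_encryption(response: Dict) -> List[str]:
    """Return a list of findings; an empty list means the catalog is compliant."""
    settings = response.get("DataCatalogEncryptionSettings", {})
    at_rest = settings.get("EncryptionAtRest", {})
    passwords = settings.get("ConnectionPasswordEncryption", {})
    findings: List[str] = []
    # A missing block means AWS is using the default: no encryption at rest.
    mode = at_rest.get("CatalogEncryptionMode", "DISABLED")
    if mode == "DISABLED":
        findings.append("metadata encryption at rest is DISABLED")
    elif not at_rest.get("SseAwsKmsKeyId"):
        findings.append(f"mode {mode} is set but no KMS key is configured")
    if not passwords.get("ReturnConnectionPasswordEncrypted", False):
        findings.append("connection passwords are stored unencrypted")
    return findings


def check_live_account(region: str) -> List[str]:
    """Run the same check against a real account (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline samples above need no AWS access
    glue = boto3.client("glue", region_name=region)
    return evaluate_catalog_encryption(glue.get_data_catalog_encryption_settings())


if __name__ == "__main__":
    for name, sample in (("unencrypted", SAMPLE_UNENCRYPTED), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, evaluate_catalog_encryption(sample) or ["compliant"])
```

Because the catalog is configured per account and region, the live check has to be run for every region in use.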