Guides
Start typing to search…

AWS Glue Data Catalogs Does Not Enforce Data-at-Rest Encryption

Description:

Amazon Glue Data Catalog serves as a centralized metadata repository that integrates with various AWS services such as Amazon Athena and Amazon Redshift. Data-at-rest encryption ensures that sensitive metadata within the catalog is protected against unauthorized access, making it essential to enforce encryption.

Remediation:

1. Enforce Data-at-Rest Encryption for Amazon Glue Data Catalog:

AWS Management Console:
  • Navigate to the Glue service.
  • In the left navigation pane, choose Settings.
  • Under Security configuration and encryption, select Enable for Metadata encryption.
  • Choose the desired AWS KMS key from the list or specify a custom key.
  • Click Save.
Terraform:

To enforce data-at-rest encryption for Amazon Glue Data Catalog, you can use Terraform as follows:

resource "aws_kms_key" "glue_encryption" {
  description = "KMS key for Glue Data Catalog encryption"
}

resource "aws_glue_catalog_encryption_config" "example" {
  data_catalog_encryption_settings {
    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.glue_encryption.arn
    }
  }
}

In this Terraform configuration, data-at-rest encryption for the Glue Data Catalog is enforced using a custom KMS key.

Recommendation:

Always enforce data-at-rest encryption for Glue Data Catalogs. Regularly review AWS Glue configurations to ensure that encryption settings are maintained. Also, manage and rotate your KMS keys according to best practices.

Updated 2 months ago