AWS Glue Data Catalog Does Not Enforce Data-at-Rest Encryption

Description:

AWS Glue Data Catalog serves as a centralized metadata repository (database, table, partition and connection definitions) that integrates with AWS services such as Amazon Athena and Amazon Redshift. Data-at-rest encryption ensures that sensitive metadata within the catalog is protected against unauthorized access to the underlying storage, so enforcing it is essential.


Remediation:

1. Enforce Data-at-Rest Encryption for AWS Glue Data Catalog:

AWS Management Console:
  • Navigate to the Glue service.
  • In the left navigation pane, choose Settings.
  • Under Security configuration and encryption, select Enable for Metadata encryption.
  • Choose the desired AWS KMS key from the list or specify a custom key.
  • Click Save.

Terraform:

To enforce data-at-rest encryption for Amazon Glue Data Catalog, you can use Terraform as follows:

# Customer managed KMS key used for catalog metadata encryption.
resource "aws_kms_key" "glue_encryption" {
  description         = "KMS key for Glue Data Catalog encryption"
  enable_key_rotation = true
}

# The AWS provider resource for catalog encryption settings is
# aws_glue_data_catalog_encryption_settings (one per account and region).
resource "aws_glue_data_catalog_encryption_settings" "example" {
  data_catalog_encryption_settings {
    # Encrypt catalog metadata (databases, tables, partitions) at rest.
    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.glue_encryption.arn
    }

    # This block is required by the resource schema; it also encrypts
    # connection passwords returned by the Glue API with the same key.
    connection_password_encryption {
      return_connection_password_encrypted = true
      aws_kms_key_id                       = aws_kms_key.glue_encryption.arn
    }
  }
}

In this Terraform configuration, data-at-rest encryption for the Glue Data Catalog is enforced using a customer managed KMS key.


Recommendation:

Always enforce data-at-rest encryption for the Glue Data Catalog. Regularly review AWS Glue configurations to ensure that encryption settings are maintained. Also, manage and rotate the KMS key according to best practices.
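The following check supports the "regularly review" recommendation above. It is an added example and not part of the original finding: it evaluates the response shape returned by Glue's GetDataCatalogEncryptionSettings API and reports why a catalog fails the control. The sample responses are constructed, not captured from a real account; the optional live lookup (fetch_live_settings) requires boto3 and AWS credentials, and the region and key ARN values are placeholders.

```python
"""Evaluate AWS Glue Data Catalog encryption-at-rest settings (added example)."""

# Modes in which catalog metadata is encrypted with a KMS key.
COMPLIANT_MODES = {"SSE-KMS", "SSE-KMS-WITH-SERVICE-ROLE"}


def evaluate_catalog_encryption(settings: dict) -> list:
    """Return a list of findings for a GetDataCatalogEncryptionSettings response.

    An empty list means the catalog enforces metadata encryption at rest and
    returns connection passwords encrypted. Missing keys are treated as the
    API default (DISABLED / unencrypted), so an empty response fails.
    """
    findings = []
    config = settings.get("DataCatalogEncryptionSettings", {})

    at_rest = config.get("EncryptionAtRest", {})
    mode = at_rest.get("CatalogEncryptionMode", "DISABLED")
    if mode not in COMPLIANT_MODES:
        findings.append(f"metadata encryption at rest is {mode}; expected SSE-KMS")
    elif not at_rest.get("SseAwsKmsKeyId"):
        findings.append("SSE-KMS mode is set but no KMS key id is configured")

    password = config.get("ConnectionPasswordEncryption", {})
    if not password.get("ReturnConnectionPasswordEncrypted", False):
        findings.append("connection passwords are returned unencrypted")

    return findings


def fetch_live_settings(region_name: str, catalog_id: str = None) -> dict:
    """Optional live lookup; needs boto3 and credentials (assumed, not run here)."""
    import boto3  # imported lazily so the offline evaluation has no dependency

    glue = boto3.client("glue", region_name=region_name)
    kwargs = {"CatalogId": catalog_id} if catalog_id else {}
    return glue.get_data_catalog_encryption_settings(**kwargs)


# Constructed sample responses mirroring the API's documented shape.
SAMPLE_DISABLED = {
    "DataCatalogEncryptionSettings": {
        "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
        "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False},
    }
}

# Placeholder key ARN; replace with the real key in your account.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

SAMPLE_ENCRYPTED = {
    "DataCatalogEncryptionSettings": {
        "EncryptionAtRest": {
            "CatalogEncryptionMode": "SSE-KMS",
            "SseAwsKmsKeyId": SAMPLE_KEY_ARN,
        },
        "ConnectionPasswordEncryption": {
            "ReturnConnectionPasswordEncrypted": True,
            "AwsKmsKeyId": SAMPLE_KEY_ARN,
        },
    }
}


if __name__ == "__main__":
    for name, sample in (("disabled", SAMPLE_DISABLED), ("encrypted", SAMPLE_ENCRYPTED)):
        problems = evaluate_catalog_encryption(sample)
        status = "PASS" if not problems else "FAIL: " + "; ".join(problems)
        print(f"{name}: {status}")
    # To evaluate a real catalog instead of the samples (requires credentials):
    # print(evaluate_catalog_encryption(fetch_live_settings("us-east-1")))
```

The evaluator treats an absent EncryptionAtRest block as DISABLED, which matches the API default, so a freshly created account with no settings reports a failure rather than silently passing.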