AWS Glue Data Catalog Does Not Enforce Data-at-Rest Encryption Using KMS CMKs

Description:

The AWS Glue Data Catalog is a centralized metadata repository that integrates with services such as Amazon Athena and Amazon Redshift. While AWS encrypts the Data Catalog by default, encrypting it with a customer managed key (CMK) in AWS Key Management Service (KMS) gives you control over the key policy (who may decrypt the metadata), key rotation, and CloudTrail auditing of key usage.


Remediation:

1. Enforce Data-at-Rest Encryption using KMS CMKs for Amazon Glue Data Catalog:

AWS Management Console:
  • Navigate to the Glue service.
  • In the left navigation pane, choose Settings.
  • Under Security configuration and encryption, select Enable for Metadata encryption.
  • Choose Custom and then select the desired AWS KMS Customer Master Key (CMK) from the list.
  • Click Save.
Terraform:

To enforce data-at-rest encryption for Amazon Glue Data Catalog using KMS CMKs, you can use Terraform as follows:

# Customer managed KMS key used to encrypt the Data Catalog metadata.
# Any principal that reads the catalog (Athena, Redshift Spectrum, Glue jobs,
# users running queries) must be allowed kms:Decrypt on this key, so extend its
# key policy accordingly.
resource "aws_kms_key" "glue_encryption" {
  description         = "KMS CMK for Glue Data Catalog encryption"
  enable_key_rotation = true  # automatic rotation, as recommended below
}

# Account-level Data Catalog encryption settings for the provider's region
# (the Terraform resource is aws_glue_data_catalog_encryption_settings).
resource "aws_glue_data_catalog_encryption_settings" "example" {
  data_catalog_encryption_settings {
    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.glue_encryption.arn
    }
  }
}

In this Terraform configuration, data-at-rest encryption for the Data Catalog of the account in the configured region is enforced using a KMS CMK.
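To verify that the setting above is actually in effect (and that the key is a customer managed key rather than an AWS managed one), the following audit script is an added example, not part of the original finding. It assumes boto3 and credentials allowed to call glue:GetDataCatalogEncryptionSettings and kms:DescribeKey for the live check; the evaluation function itself runs offline on the constructed sample responses.

```python
# Added example (not from the original finding): audit Glue Data Catalog
# encryption at rest. The live path assumes boto3 and credentials allowed to
# call glue:GetDataCatalogEncryptionSettings and kms:DescribeKey.
from typing import Dict, Optional, Tuple

COMPLIANT_MODES = ("SSE-KMS", "SSE-KMS-WITH-SERVICE-ROLE")

# Constructed sample API responses (not captured from a real account).
SAMPLE_DISABLED = {"DataCatalogEncryptionSettings": {
    "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"}}}
SAMPLE_CMK = {"DataCatalogEncryptionSettings": {"EncryptionAtRest": {
    "CatalogEncryptionMode": "SSE-KMS",
    "SseAwsKmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"}}}


def evaluate_catalog_encryption(settings: Dict,
                                key_manager: Optional[str] = None) -> Tuple[bool, str]:
    """Return (compliant, reason) for a GetDataCatalogEncryptionSettings response.
    key_manager is KeyMetadata.KeyManager from kms:DescribeKey ("CUSTOMER" or
    "AWS") when known; the finding requires a customer managed key."""
    at_rest = settings.get("DataCatalogEncryptionSettings", {}).get("EncryptionAtRest", {})
    mode = at_rest.get("CatalogEncryptionMode", "DISABLED")
    key_id = at_rest.get("SseAwsKmsKeyId")
    if mode not in COMPLIANT_MODES:
        return False, f"catalog encryption mode is {mode}"
    if not key_id:
        return False, "SSE-KMS mode set but no KMS key referenced"
    if key_manager is not None and key_manager != "CUSTOMER":
        return False, "KMS key is AWS managed, not a customer managed key (CMK)"
    return True, f"catalog encrypted at rest with KMS key {key_id}"


def audit_region(region: str) -> Tuple[bool, str]:
    """Live check for one region (the setting is per account and region)."""
    import boto3  # imported here so the offline evaluation needs no boto3
    glue = boto3.client("glue", region_name=region)
    settings = glue.get_data_catalog_encryption_settings()
    key_id = settings["DataCatalogEncryptionSettings"]["EncryptionAtRest"].get("SseAwsKmsKeyId")
    key_manager = None
    if key_id:  # resolve whether the key is customer managed or AWS managed
        kms = boto3.client("kms", region_name=region)
        key_manager = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyManager"]
    return evaluate_catalog_encryption(settings, key_manager)


if __name__ == "__main__":
    import sys
    for region in sys.argv[1:] or ["us-east-1"]:
        ok, reason = audit_region(region)
        print(f"{region}: {'PASS' if ok else 'FAIL'} ({reason})")
```

Run it with the regions to audit as arguments; a FAIL line for any region means the remediation above has not been applied there.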


Recommendation:

Always enforce data-at-rest encryption using KMS CMKs for the Glue Data Catalog in every region you use. Regularly review AWS Glue configurations to confirm that the encryption setting is still in place. Manage and rotate your KMS CMKs according to best practices, keep the key policy restricted to the principals that need to read the catalog, and monitor CloudTrail for unauthorized use of the keys.