Ensure that your AWS Glue Data Catalogs are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed keys (i.e. the default encryption keys used by the Glue service when no customer keys are defined), so that you have more granular control over the data-at-rest encryption/decryption process and can meet compliance requirements.
When you use your own AWS KMS Customer Master Keys (CMKs) to protect AWS Glue Data Catalog objects and connection passwords, you have full control over who can use the encryption keys to access your AWS Glue data. AWS Key Management Service (KMS) allows you to easily create, rotate, disable and audit the Customer Master Keys created for your AWS Glue Data Catalogs.
To determine your AWS Glue Data Catalog encryption status and configuration, perform the following:
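One way to script this check, as an added example that is not part of the original page: it evaluates the Glue `DataCatalogEncryptionSettings` structure and the KMS `KeyManager` value for each referenced key. The function names, the sample settings and the sample key identifiers are constructed for illustration.

```python
"""Audit Glue Data Catalog encryption: flag anything not backed by a customer-managed key."""

def audit_catalog(settings, key_manager_of):
    """settings: the DataCatalogEncryptionSettings dict returned by Glue.
    key_manager_of: callable mapping a key id/ARN/alias to the KMS KeyManager
    value ("AWS" or "CUSTOMER"). Returns a list of findings; empty means compliant."""
    findings = []
    rest = settings.get("EncryptionAtRest", {})
    pwd = settings.get("ConnectionPasswordEncryption", {})
    checks = [
        ("catalog objects",
         rest.get("CatalogEncryptionMode", "DISABLED") != "DISABLED",
         rest.get("SseAwsKmsKeyId")),
        ("connection passwords",
         bool(pwd.get("ReturnConnectionPasswordEncrypted")),
         pwd.get("AwsKmsKeyId")),
    ]
    for what, enabled, key_id in checks:
        if not enabled:
            findings.append(f"{what}: encryption disabled")
        elif not key_id or key_manager_of(key_id) != "CUSTOMER":
            findings.append(f"{what}: key is not customer managed ({key_id})")
    return findings

def live_audit(region):
    """Run the same check against an account (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline sample below runs without it
    glue = boto3.client("glue", region_name=region)
    kms = boto3.client("kms", region_name=region)
    settings = glue.get_data_catalog_encryption_settings()["DataCatalogEncryptionSettings"]
    return audit_catalog(
        settings, lambda k: kms.describe_key(KeyId=k)["KeyMetadata"]["KeyManager"])

# Constructed sample data (not from a real account): the catalog uses the AWS
# managed key alias/aws/glue, connection passwords use a customer-managed key.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE = {
    "EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS",
                         "SseAwsKmsKeyId": "alias/aws/glue"},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": True,
                                     "AwsKmsKeyId": CMK_ARN},
}
SAMPLE_KEY_MANAGERS = {"alias/aws/glue": "AWS", CMK_ARN: "CUSTOMER"}

if __name__ == "__main__":
    for finding in audit_catalog(SAMPLE, SAMPLE_KEY_MANAGERS.get) or ["compliant"]:
        print(finding)
```

Catalog encryption settings are per region, so `live_audit` has to be repeated for every region in which the account uses Glue.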
To encrypt AWS Glue Data Catalog objects and connection passwords with your own AWS KMS Customer Master Keys (CMKs), perform the following actions: