
Enable AWS Glue Data Catalog Encryption


Risk level: High (not acceptable risk)

Ensure that encryption at rest is enabled for your Amazon Glue Data Catalogs in order to meet regulatory requirements and prevent unauthorized users from getting access to sensitive data. With this feature enabled, you can encrypt AWS Glue Data Catalog objects such as databases, tables, partitions, connections and user-defined functions and also encrypt connection passwords that you provide when you create data connections. Amazon Glue is a fully managed ETL (Extract, Transform and Load) service that makes it simple and cost-effective to prepare and load your data for analytics. Glue consists of a central metadata repository known as the AWS Glue Data Catalog, an ETL engine that generates Python/Scala code and a scheduler that handles dependency resolution, job monitoring and retries.

When your Amazon Glue metadata repository (i.e. AWS Glue Data Catalog) is working with sensitive or private data, it is strongly recommended to implement encryption in order to protect this data from unapproved access and fulfill any compliance requirements defined within your organization for data-at-rest encryption.

Audit

To determine if your AWS Glue Data Catalogs are using encryption at rest, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Glue service dashboard at https://console.aws.amazon.com/glue/.

03 In the left navigation panel, under Data Catalog, choose Settings.

04 On the Data catalog settings page, within the Encryption section, check the status of the Metadata encryption and Encrypt connection passwords features. If these features are disabled (i.e. the Metadata encryption and Encrypt connection passwords checkboxes are not selected), data-at-rest encryption is not enabled for your Amazon Glue Data Catalog available within the selected AWS region.

05 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

Note: Getting encryption status for Data Catalog connection passwords using the AWS API via Command Line Interface (CLI) is not currently supported.

01 Run get-data-catalog-encryption-settings command (OSX/Linux/UNIX) to describe the encryption-at-rest status for the Glue Data Catalog available within the selected AWS region – in this case the US East (N. Virginia) region:

aws glue get-data-catalog-encryption-settings \
	--region us-east-1 \
	--query "DataCatalogEncryptionSettings.EncryptionAtRest"

02 The command output should return the encryption-at-rest mode status:

{
    "CatalogEncryptionMode": "DISABLED"
}

If the CatalogEncryptionMode configuration attribute value is set to "DISABLED", as shown in the example above, data-at-rest encryption is not enabled for the Amazon Glue Data Catalog objects available in the selected AWS region.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To enable encryption at rest for Amazon Glue Data Catalog objects and connection passwords, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Glue service dashboard at https://console.aws.amazon.com/glue/.

03 In the left navigation panel, under Data Catalog, choose Settings.

04 On the Data catalog settings page, in the Encryption section, perform the following:

  1. Select Metadata encryption checkbox to enable at-rest encryption for metadata objects stored within the AWS Glue Data Catalog available in the selected AWS region.
  2. Select Encrypt connection passwords checkbox to enable encryption for the passwords that you provide when you create Data Catalog connections.
  3. Click Save to apply the changes.

05 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

Note: Enabling encryption for AWS Glue Data Catalog connection passwords using the AWS API via Command Line Interface (CLI) is not currently supported.

01 Run put-data-catalog-encryption-settings command (OSX/Linux/UNIX) to update the security configuration of the Amazon Glue Data Catalog available in the selected AWS region, in order to enable at-rest encryption for metadata objects. The encryption key used for the following command request example, identified by the ARN "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd", is the default master key that protects the Glue data in the selected region (the command does not produce an output):

aws glue put-data-catalog-encryption-settings \
	--region us-east-1 \
	--data-catalog-encryption-settings EncryptionAtRest={CatalogEncryptionMode=SSE-KMS,SseAwsKmsKeyId=arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd}

02 Change the AWS region by updating the --region command parameter value and repeat step no. 1 to perform the remediation/resolution process for other regions.
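The CLI audit and remediation steps above are per region and rely on reading the CatalogEncryptionMode value by eye. The script below is an added example (not part of the original page or of any AWS tooling) that wraps the same get- and put-data-catalog-encryption-settings calls into a per-region loop, classifies the result, and re-checks after remediation. It assumes the AWS CLI and credentials are configured, and the KMS key ARN you pass in is your own; the sample JSON embedded in the script is constructed for offline checking.

```shell
#!/bin/sh
# Added example, not part of the original page: audit each region for Glue Data
# Catalog metadata encryption and optionally remediate, with the same get-/put-
# data-catalog-encryption-settings calls the page shows. Assumes the AWS CLI and
# credentials are set up; the KMS key ARN is a placeholder, supply your own.

# Constructed sample of the page's get-data-catalog-encryption-settings output.
SAMPLE_DISABLED='{
    "CatalogEncryptionMode": "DISABLED"
}'

# Pull CatalogEncryptionMode out of the settings JSON (sed only, no jq needed).
catalog_encryption_mode() {
    printf '%s\n' "$1" | sed -n 's/.*"CatalogEncryptionMode": *"\([A-Z-]*\)".*/\1/p' | head -n 1
}

# PASS when SSE-KMS is enabled, FAIL when DISABLED or the attribute is absent.
classify_catalog_encryption() {
    [ "$(catalog_encryption_mode "$1")" = "SSE-KMS" ] && echo PASS || echo FAIL
}

# Build the --data-catalog-encryption-settings shorthand the page's put command uses.
encryption_settings_arg() {
    echo "EncryptionAtRest={CatalogEncryptionMode=SSE-KMS,SseAwsKmsKeyId=$1}"
}

# Audit one region; given a key ARN, remediate a FAIL and re-audit to confirm.
audit_region() {
    region="$1"; key_arn="$2"
    q="DataCatalogEncryptionSettings.EncryptionAtRest"
    out=$(aws glue get-data-catalog-encryption-settings --region "$region" --query "$q" --output json) || return 1
    status=$(classify_catalog_encryption "$out")
    echo "$region: $status"
    if [ "$status" = "FAIL" ] && [ -n "$key_arn" ]; then
        aws glue put-data-catalog-encryption-settings --region "$region" \
            --data-catalog-encryption-settings "$(encryption_settings_arg "$key_arn")" || return 1
        out=$(aws glue get-data-catalog-encryption-settings --region "$region" --query "$q" --output json)
        echo "$region: after remediation $(classify_catalog_encryption "$out")"
    fi
}

# Usage: sh glue_catalog_encryption.sh audit [KMS_KEY_ARN]  (walks every region);
# with no arguments it only classifies the constructed sample above.
if [ "$1" = "audit" ]; then
    for r in $(aws ec2 describe-regions --query "Regions[].RegionName" --output text); do
        audit_region "$r" "$2"
    done
else
    echo "sample: $(classify_catalog_encryption "$SAMPLE_DISABLED")"
fi
```

Running it with only `audit` reports PASS/FAIL per region without changing anything; adding the key ARN turns FAIL regions on and prints the post-change status so the fix is verified rather than assumed.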

Publication date Nov 20, 2018