Ensure that your Amazon Glue Data Catalogs are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed keys (i.e. the default encryption keys the Glue service uses when no customer-managed key is defined), in order to have more granular control over the data-at-rest encryption/decryption process and to meet compliance requirements.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you use your own AWS KMS Customer Master Keys (CMKs) to protect AWS Glue Data Catalog objects and connection passwords, you have full control over who can use the encryption keys to access your AWS Glue data. AWS Key Management Service (KMS) allows you to easily create, rotate, disable and audit the Customer Master Keys created for your Amazon Glue Data Catalogs.
To determine your AWS Glue Data Catalog encryption status and configuration, perform the following:
To encrypt Amazon Glue Data Catalog objects and connection passwords with your own AWS KMS Customer Master Keys (CMKs), perform the following actions:
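The following is an added example, not part of the Cloud Conformity rule page, that evaluates the check described above offline. It takes the settings object returned by `aws glue get-data-catalog-encryption-settings` plus a lookup of each key's `KeyManager` value (as reported by `aws kms describe-key`), flags catalogs that are unencrypted or that rely on an AWS managed key, and builds the payload for `aws glue put-data-catalog-encryption-settings`. The key ARNs are constructed placeholders.

```python
import json


def check_catalog_encryption(settings, key_manager_by_id):
    """Return a list of findings; an empty list means the catalog is compliant.

    settings: the DataCatalogEncryptionSettings object from the Glue API.
    key_manager_by_id: maps a KMS key ARN/ID to "CUSTOMER" or "AWS"
      (the KeyMetadata.KeyManager field from KMS DescribeKey).
    """
    findings = []
    at_rest = settings.get("EncryptionAtRest", {})
    if at_rest.get("CatalogEncryptionMode", "DISABLED") != "SSE-KMS":
        findings.append("catalog objects are not encrypted with KMS")
    else:
        key = at_rest.get("SseAwsKmsKeyId", "")
        if key_manager_by_id.get(key) != "CUSTOMER":
            findings.append(f"catalog objects use a non-customer key: {key or '<none>'}")
    pw = settings.get("ConnectionPasswordEncryption", {})
    if not pw.get("ReturnConnectionPasswordEncrypted", False):
        findings.append("connection passwords are not encrypted with KMS")
    else:
        key = pw.get("AwsKmsKeyId", "")
        if key_manager_by_id.get(key) != "CUSTOMER":
            findings.append(f"connection passwords use a non-customer key: {key or '<none>'}")
    return findings


def remediation_settings(cmk_arn):
    """Build the --data-catalog-encryption-settings body that enables SSE-KMS
    for catalog objects and connection passwords with the given CMK."""
    return {
        "EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS", "SseAwsKmsKeyId": cmk_arn},
        "ConnectionPasswordEncryption": {
            "ReturnConnectionPasswordEncrypted": True,
            "AwsKmsKeyId": cmk_arn,
        },
    }


# Constructed sample: objects encrypted with the AWS managed key, passwords not
# encrypted at all. The ARNs are placeholders, not real resources.
CMK = "arn:aws:kms:us-east-1:111122223333:key/cmk-placeholder"
AWS_MANAGED = "arn:aws:kms:us-east-1:111122223333:key/aws-managed-placeholder"
KEY_MANAGERS = {CMK: "CUSTOMER", AWS_MANAGED: "AWS"}
SAMPLE = {
    "EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS", "SseAwsKmsKeyId": AWS_MANAGED},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False},
}

if __name__ == "__main__":
    print(check_catalog_encryption(SAMPLE, KEY_MANAGERS))
    print(json.dumps(remediation_settings(CMK), indent=2))
```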