Ensure that your Amazon Glue Data Catalogs are using KMS Customer Master Keys (CMKs) instead of AWS managed keys (i.e. the default encryption keys the Glue service uses when no customer keys are defined) in order to have more granular control over the data-at-rest encryption and decryption process and to meet compliance requirements.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you use your own AWS KMS Customer Master Keys (CMKs) to protect AWS Glue Data Catalog objects (the catalog metadata) and connection passwords, you have full control over who can use the encryption keys to access your AWS Glue data: the key policy and IAM policies you attach to the CMK decide which principals can decrypt, something an AWS managed key does not give you. AWS Key Management Service (KMS) lets you easily create, rotate, disable and audit the Customer Master Keys created for your Amazon Glue Data Catalogs.
Audit
To determine your AWS Glue Data Catalog encryption status and configuration, perform the following:
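The check below is an added example, not Conformity's own audit procedure: it evaluates the JSON returned by the two CLI calls the page references (glue get-data-catalog-encryption-settings and kms describe-key) and reports whether the catalog metadata and connection passwords use an enabled customer-managed key. The samples are constructed; the key ARN, account id and alias are placeholders, and the describe_key argument can be swapped for a real boto3 or CLI lookup.

```python
# Constructed sample in the shape of `aws glue get-data-catalog-encryption-settings`
# output; the key ARN, account id and alias are placeholders, not real resources.
SAMPLE_SETTINGS = {
    "DataCatalogEncryptionSettings": {
        "EncryptionAtRest": {
            "CatalogEncryptionMode": "SSE-KMS",
            "SseAwsKmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/cmk-placeholder",
        },
        "ConnectionPasswordEncryption": {
            "ReturnConnectionPasswordEncrypted": True,
            "AwsKmsKeyId": "alias/aws/glue",
        },
    }
}
# Constructed `aws kms describe-key` responses keyed by key id. KeyManager is
# "CUSTOMER" for a key you created and "AWS" for an AWS managed key such as aws/glue.
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/cmk-placeholder": {
        "KeyMetadata": {"KeyManager": "CUSTOMER", "KeyState": "Enabled"}},
    "alias/aws/glue": {"KeyMetadata": {"KeyManager": "AWS", "KeyState": "Enabled"}},
}


def key_findings(label, key_id, describe_key):
    """Findings for one key id; empty when it is an enabled customer-managed key."""
    if not key_id:
        return [f"{label}: no KMS key id configured"]
    meta = describe_key(key_id)["KeyMetadata"]
    findings = []
    if meta["KeyManager"] != "CUSTOMER":
        findings.append(f"{label}: {key_id} is an AWS managed key, not a CMK")
    if meta["KeyState"] != "Enabled":
        findings.append(f"{label}: {key_id} is in state {meta['KeyState']}")
    return findings


def evaluate(settings, describe_key):
    """Return findings; an empty list means the catalog passes this rule.
    describe_key maps a key id to a describe-key response (dict lookup or boto3)."""
    s = settings["DataCatalogEncryptionSettings"]
    findings = []
    at_rest = s.get("EncryptionAtRest", {})
    if at_rest.get("CatalogEncryptionMode", "DISABLED") == "DISABLED":
        findings.append("catalog metadata: encryption at rest is disabled")
    else:
        findings += key_findings("catalog metadata", at_rest.get("SseAwsKmsKeyId"), describe_key)
    pw = s.get("ConnectionPasswordEncryption", {})
    if not pw.get("ReturnConnectionPasswordEncrypted"):
        findings.append("connection passwords: KMS encryption is disabled")
    else:
        findings += key_findings("connection passwords", pw.get("AwsKmsKeyId"), describe_key)
    return findings
```

With the sample above the metadata key passes but the connection-password key is flagged, because alias/aws/glue is the AWS managed key rather than a CMK.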
Remediation / Resolution
To encrypt Amazon Glue Data Catalog objects and connection passwords with your own AWS KMS Customer Master Keys (CMKs), perform the following actions:
References
- AWS Documentation
  - AWS Glue FAQs
  - Encryption and Secure Access for AWS Glue
  - Encrypting Your Data Catalog
  - Setting Up Encryption in AWS Glue
- AWS Command Line Interface (CLI) Documentation
  - glue
    - get-data-catalog-encryption-settings
    - put-data-catalog-encryption-settings
  - kms
    - describe-key
    - create-key
    - create-alias
Glue Data Catalog Encrypted With KMS Customer Master Keys
Risk Level: High