Glue Data Catalog Encryption At Rest

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Glue-001

Ensure that encryption at rest is enabled for your Amazon Glue Data Catalogs in order to meet regulatory requirements and prevent unauthorized users from getting access to sensitive data. With this feature enabled, you can encrypt AWS Glue Data Catalog objects such as databases, tables, partitions, connections and user-defined functions and also encrypt connection passwords that you provide when you create data connections. Amazon Glue is a fully managed ETL (Extract, Transform and Load) service that makes it simple and cost-effective to prepare and load your data for analytics. Glue consists of a central metadata repository known as the AWS Glue Data Catalog, an ETL engine that generates Python/Scala code and a scheduler that handles dependency resolution, job monitoring and retries.

This rule can help you with the following compliance standards:

  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on the compliance standards supported by Conformity, see the Conformity compliance standards documentation.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When your Amazon Glue metadata repository (i.e. AWS Glue Data Catalog) is working with sensitive or private data, it is strongly recommended to implement encryption in order to protect this data from unapproved access and fulfill any compliance requirements defined within your organization for data-at-rest encryption.


Audit

To determine if your AWS Glue Data Catalogs are using encryption at rest, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Glue service dashboard at https://console.aws.amazon.com/glue/.

03 In the left navigation panel, under Data Catalog, choose Settings.

04 On the Data catalog settings page, within the Encryption section, check the status of the Metadata encryption feature. If this feature is disabled (the Metadata encryption checkbox is not selected), data-at-rest encryption is not enabled for the Amazon Glue Data Catalog available within the selected AWS region.

05 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

Note: Getting encryption status for Data Catalog connection passwords using the AWS API via Command Line Interface (CLI) is not currently supported.

01 Run get-data-catalog-encryption-settings command (OSX/Linux/UNIX) to describe the encryption-at-rest status for the Glue Data Catalog available within the selected AWS region – in this case the US East (N. Virginia) region:

aws glue get-data-catalog-encryption-settings \
    --region us-east-1 \
    --query "DataCatalogEncryptionSettings.EncryptionAtRest"

02 The command output should return the encryption-at-rest mode status:

{
    "CatalogEncryptionMode": "DISABLED"
}

If the CatalogEncryptionMode configuration attribute value is set to "DISABLED", as shown in the example above, data-at-rest encryption is not enabled for the Amazon Glue Data Catalog objects available in the selected AWS region.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To enable encryption at rest for Amazon Glue Data Catalog objects and connection passwords, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Glue service dashboard at https://console.aws.amazon.com/glue/.

03 In the left navigation panel, under Data Catalog, choose Settings.

04 On the Data catalog settings page, in the Encryption section, perform the following:

  1. Select the Metadata encryption checkbox to enable at-rest encryption for metadata objects stored within the AWS Glue Data Catalog available in the selected AWS region.
  2. Click Save to apply the changes.

05 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

Note: Enabling encryption for AWS Glue Data Catalog connection passwords using the AWS API via Command Line Interface (CLI) is not currently supported.

01 Run put-data-catalog-encryption-settings command (OSX/Linux/UNIX) to update the security configuration of the Amazon Glue Data Catalog available in the selected AWS region, in order to enable at-rest encryption for metadata objects. The encryption key used for the following command request example, identified by the ARN "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd", is the default master key that protects the Glue data in the selected region (the command does not produce an output):

aws glue put-data-catalog-encryption-settings \
    --region us-east-1 \
    --data-catalog-encryption-settings "EncryptionAtRest={CatalogEncryptionMode=SSE-KMS,SseAwsKmsKeyId=arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd}"

02 Change the AWS region by updating the --region command parameter value and repeat step no. 1 to perform the remediation/resolution process for other regions.
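The audit and remediation steps above, run against every region where Glue is available, as an added example that is not part of the Conformity page or of AWS's own tooling. The evaluation and payload-building functions work on the response shape of get-data-catalog-encryption-settings shown above and are exercised on constructed sample responses; only audit_region talks to AWS (it assumes boto3 and valid credentials), and the KMS key ARN it is given is a placeholder to be replaced with your own key.

```python
"""Audit (and optionally remediate) Glue Data Catalog encryption at rest, per Glue-001."""
from typing import Optional

# Constructed sample responses mirroring the CLI output shown in the Audit section.
SAMPLE_DISABLED = {"DataCatalogEncryptionSettings": {"EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"}}}
SAMPLE_ENCRYPTED = {"DataCatalogEncryptionSettings": {"EncryptionAtRest": {
    "CatalogEncryptionMode": "SSE-KMS",
    "SseAwsKmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd"}}}


def evaluate_catalog_encryption(settings: dict) -> dict:
    """Return the encryption-at-rest mode, KMS key and a Glue-001 compliance verdict.

    A missing EncryptionAtRest block is treated as DISABLED, which is how a catalog
    that has never had its security configuration set behaves.
    """
    at_rest = settings.get("DataCatalogEncryptionSettings", {}).get("EncryptionAtRest", {})
    mode = at_rest.get("CatalogEncryptionMode", "DISABLED")
    return {"mode": mode, "kms_key": at_rest.get("SseAwsKmsKeyId"), "compliant": mode == "SSE-KMS"}


def build_remediation_settings(kms_key_arn: str) -> dict:
    """Build the --data-catalog-encryption-settings payload from the Remediation section."""
    if not kms_key_arn.startswith("arn:aws:kms:"):
        raise ValueError("expected a KMS key ARN, got %r" % kms_key_arn)
    return {"EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS", "SseAwsKmsKeyId": kms_key_arn}}


def audit_region(region: str, remediate_with_key: Optional[str] = None) -> dict:
    """Audit one region; if a key ARN is supplied, fix a non-compliant catalog in place."""
    import boto3  # imported lazily so the evaluation logic above runs without AWS access
    glue = boto3.client("glue", region_name=region)
    result = evaluate_catalog_encryption(glue.get_data_catalog_encryption_settings())
    if not result["compliant"] and remediate_with_key:
        glue.put_data_catalog_encryption_settings(
            DataCatalogEncryptionSettings=build_remediation_settings(remediate_with_key))
        result["remediated"] = True
    return result


if __name__ == "__main__":
    import boto3
    # Repeat the audit in every region where Glue is offered, as the page's step 03 asks.
    for region in boto3.session.Session().get_available_regions("glue"):
        print(region, audit_region(region))  # pass a key ARN as 2nd argument to remediate
```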

Publication date Nov 20, 2018