Ensure Glue Data Catalog encryption is enabled

Error: Glue Data Catalog encryption is not enabled

Bridgecrew Policy ID: BC_AWS_GENERAL_37
Checkov Check ID: CKV_AWS_94
Severity: HIGH

Glue Data Catalog encryption is not enabled

Description

This check examines the resource aws_glue_data_catalog_encryption_settings and verifies that encryption is configured. Within the data_catalog_encryption_settings block it inspects return_connection_password_encrypted in the connection_password_encryption block (must be true) and catalog_encryption_mode in the encryption_at_rest block (must be "SSE-KMS"), which are the properties shown in the fixes below.

Fix - Runtime

AWS Console

TBA

CLI Command

Fix - Buildtime

Terraform

  • Resource aws_glue_data_catalog_encryption_settings
  • Arguments data_catalog_encryption_settings/connection_password_encryption and data_catalog_encryption_settings/encryption_at_rest blocks
resource "aws_glue_data_catalog_encryption_settings" "example" {
  ...
+  data_catalog_encryption_settings {
+    connection_password_encryption {
+      aws_kms_key_id                       = aws_kms_key.glue.arn
+      return_connection_password_encrypted = true
+    }
+    encryption_at_rest {
+      catalog_encryption_mode = "SSE-KMS"
+      sse_aws_kms_key_id      = aws_kms_key.glue.arn
+    }
+  }
  ...
}
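To show what the check above actually evaluates, here is an added example (not Checkov's own code) that applies the same two conditions to a parsed aws_glue_data_catalog_encryption_settings resource; it assumes the resource arrives as a plain dict with nested blocks as dicts, and the sample resources and KMS ARN are constructed.

```python
# Added example, not Checkov's implementation: re-implements the logic of
# CKV_AWS_94 over a parsed aws_glue_data_catalog_encryption_settings resource.
# Assumption: nested Terraform blocks are represented as plain dicts.

def check_glue_catalog_encryption(resource: dict) -> str:
    """Return "PASSED" when both connection-password encryption and
    at-rest encryption are enabled, otherwise "FAILED"."""
    settings = resource.get("data_catalog_encryption_settings")
    if not isinstance(settings, dict):
        return "FAILED"  # whole settings block missing
    pw = settings.get("connection_password_encryption") or {}
    at_rest = settings.get("encryption_at_rest") or {}
    pw_ok = pw.get("return_connection_password_encrypted") is True
    rest_ok = at_rest.get("catalog_encryption_mode") == "SSE-KMS"
    return "PASSED" if pw_ok and rest_ok else "FAILED"

# Constructed sample resources; the KMS ARN is a placeholder, not a real key.
KMS_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

COMPLIANT = {
    "data_catalog_encryption_settings": {
        "connection_password_encryption": {
            "aws_kms_key_id": KMS_ARN,
            "return_connection_password_encrypted": True,
        },
        "encryption_at_rest": {
            "catalog_encryption_mode": "SSE-KMS",
            "sse_aws_kms_key_id": KMS_ARN,
        },
    }
}

# Failure mode 1: at-rest mode explicitly left at DISABLED.
DISABLED_MODE = {
    "data_catalog_encryption_settings": {
        "connection_password_encryption": {
            "return_connection_password_encrypted": True,
        },
        "encryption_at_rest": {"catalog_encryption_mode": "DISABLED"},
    }
}

# Failure mode 2: at-rest encryption set, password encryption block omitted.
MISSING_PASSWORD_BLOCK = {
    "data_catalog_encryption_settings": {
        "encryption_at_rest": {"catalog_encryption_mode": "SSE-KMS"},
    }
}

if __name__ == "__main__":
    for name, res in [("compliant", COMPLIANT), ("disabled", DISABLED_MODE),
                      ("no_pw_block", MISSING_PASSWORD_BLOCK)]:
        print(f"{name}: {check_glue_catalog_encryption(res)}")
```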

CloudFormation

  • Resource AWS::Glue::DataCatalogEncryptionSettings
  • Arguments Properties.DataCatalogEncryptionSettings
Resources:
  Example:
    Type: 'AWS::Glue::DataCatalogEncryptionSettings'
    Properties:
      ...
      DataCatalogEncryptionSettings:
        ConnectionPasswordEncryption:
          ...
+         ReturnConnectionPasswordEncrypted: True
        EncryptionAtRest:
          ...
+         CatalogEncryptionMode: "SSE-KMS"