Ensure AWS Glue security configuration encryption is enabled

Error: AWS Glue security configuration encryption is not enabled

Bridgecrew Policy ID: BC_AWS_GENERAL_41
Checkov Check ID: CKV_AWS_99
Severity: HIGH

Description

Ensure that AWS Glue has encryption enabled. An AWS Glue security configuration covers three components that can be encrypted: CloudWatch logs, job bookmarks, and data written to S3. This check ensures that an encryption mode other than DISABLED is set for each of them.

Fix - Runtime

AWS Console

TBA

Fix - Buildtime

Terraform

  • Resource: aws_glue_security_configuration
  • Arguments: encryption_configuration, job_bookmarks_encryption, s3_encryption
resource "aws_glue_security_configuration" "test" {
  name = "example"
  ...
+ encryption_configuration {
+   cloudwatch_encryption {
+     cloudwatch_encryption_mode = "SSE-KMS"
+     kms_key_arn                = aws_kms_key.example.arn
+   }

+   job_bookmarks_encryption {
+     job_bookmarks_encryption_mode = "CSE-KMS"
+     kms_key_arn                   = aws_kms_key.example.arn
+   }

+   s3_encryption {
+     kms_key_arn        = aws_kms_key.example.arn
+     s3_encryption_mode = "SSE-KMS"
+   }
+ }
}
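As an added example (illustrative code, not Checkov's own implementation of CKV_AWS_99), the following Python evaluates a parsed aws_glue_security_configuration block against the rule stated above: each of the three encryption modes must be present and not DISABLED. The dict shape mirrors the Terraform block, the helper names are assumptions, and the key ARN is a placeholder.

```python
"""Evaluate an aws_glue_security_configuration block against the rule this page
describes: CloudWatch, job-bookmark and S3 encryption must each be configured
with a mode other than DISABLED. Illustrative code, not Checkov's CKV_AWS_99."""

# Block name -> attribute holding its mode (names taken from the Terraform block above).
COMPONENTS = {
    "cloudwatch_encryption": "cloudwatch_encryption_mode",
    "job_bookmarks_encryption": "job_bookmarks_encryption_mode",
    "s3_encryption": "s3_encryption_mode",
}


def missing_encryption(resource: dict) -> list:
    """Return the component blocks that are absent or whose mode is DISABLED."""
    enc = resource.get("encryption_configuration") or {}
    findings = []
    for block, mode_attr in COMPONENTS.items():
        component = enc.get(block) or {}
        # A missing block or missing mode attribute is treated as not encrypted.
        mode = str(component.get(mode_attr, "DISABLED")).strip().upper()
        if mode == "DISABLED":
            findings.append(block)
    return findings


def check_glue_security_configuration(resource: dict) -> str:
    """PASSED when every component is encrypted, otherwise FAILED."""
    return "FAILED" if missing_encryption(resource) else "PASSED"


# Constructed sample inputs. The key ARN is a placeholder, not a real key.
KEY_ARN = "arn:aws:kms:REGION:ACCOUNT_ID:key/PLACEHOLDER"
FIXED = {
    "name": "example",
    "encryption_configuration": {
        "cloudwatch_encryption": {"cloudwatch_encryption_mode": "SSE-KMS", "kms_key_arn": KEY_ARN},
        "job_bookmarks_encryption": {"job_bookmarks_encryption_mode": "CSE-KMS", "kms_key_arn": KEY_ARN},
        "s3_encryption": {"s3_encryption_mode": "SSE-KMS", "kms_key_arn": KEY_ARN},
    },
}
# The same resource with S3 encryption explicitly switched off: one failing component.
PARTIAL = {
    "name": "example",
    "encryption_configuration": {
        **FIXED["encryption_configuration"],
        "s3_encryption": {"s3_encryption_mode": "DISABLED"},
    },
}

if __name__ == "__main__":
    for label, res in (("fixed", FIXED), ("partial", PARTIAL), ("bare", {"name": "x"})):
        print(label, check_glue_security_configuration(res), missing_encryption(res))
```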

CloudFormation

  • Resource: AWS::Glue::SecurityConfiguration
  • Arguments: Properties.EncryptionConfiguration
Resources:
  Resource0:
    Type: AWS::Glue::SecurityConfiguration
    Properties:
      ...
      EncryptionConfiguration:
        CloudWatchEncryption:
+         CloudWatchEncryptionMode: SSE-KMS # any value but 'DISABLED'
          ...
        JobBookmarksEncryption:
+         JobBookmarksEncryptionMode: CSE-KMS # any value but 'DISABLED'
          ...
        S3Encryptions: # a list; each entry is one S3Encryption object
+         - S3EncryptionMode: SSE-KMS # any value but 'DISABLED'
            ...