Glue Data Catalog encryption is not enabled

Description

This examines the resource aws_glue_data_catalog_encryption_settings and checks that encryption is set up. The properties encrypted_at_rest and connection_encrypted in the blocks connection_password_encryption and encryption_at_rest are examined.

Fix - Runtime

AWS Console

TBA

CLI Command

Fix - Buildtime

Terraform

• Resource aws_glue_data_catalog_encryption_settings
• Arguments data_catalog_encryption_settings\connection_password_encryption and data_catalog_encryption_settings\encryption_at_rest blocks

resource "aws_glue_data_catalog_encryption_settings" "example" {
  ...
+  data_catalog_encryption_settings {
+    connection_password_encryption {
+      aws_kms_key_id                       = aws_kms_key.glue.arn
+      return_connection_password_encrypted = true
+    }
+    encryption_at_rest {
+      catalog_encryption_mode = "SSE-KMS"
+      sse_aws_kms_key_id      = aws_kms_key.glue.arn
+    }
+  }
  ...
}

CloudFormation

• Resource AWS::Glue::DataCatalogEncryptionSettings
• Arguments Properties.DataCatalogEncryptionSettings

Resources:
  Example:
    Type: 'AWS::Glue::DataCatalogEncryptionSettings'
    Properties:
        ...
      DataCatalogEncryptionSettings:
        ConnectionPasswordEncryption:
          ...
+         ReturnConnectionPasswordEncrypted: True
        EncryptionAtRest:
            ...
+         CatalogEncryptionMode: "SSE-KMS"