# AWS Glue security configuration encryption is not enabled
## Description
Ensure that AWS Glue security configurations have encryption enabled. A Glue security configuration covers three components that can be encrypted: CloudWatch logs, job bookmarks and S3 data. This check verifies that encryption is enabled for each of the three, i.e. that none of the encryption modes is set to `DISABLED`.
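The rule stated above, written out as an added evaluator over a parsed CloudFormation template. This is illustrative code, not Checkov's or AWS's implementation; it takes a template already loaded into plain Python objects (as `yaml.safe_load` or `json.load` would produce), makes no AWS API calls, and the sample template and KMS key ARN at the bottom are constructed placeholders.

```python
"""Evaluator for the rule stated above: every AWS::Glue::SecurityConfiguration
must enable encryption for CloudWatch logs, job bookmarks and S3 data.

Added example, not Checkov's or AWS's code. Input is a CloudFormation
template already parsed into plain Python objects; no AWS API calls are made.
"""
from typing import Any, Dict, List

GLUE_SECURITY_CONFIGURATION = "AWS::Glue::SecurityConfiguration"

# (report label, property under EncryptionConfiguration, key holding the mode)
SINGLE_VALUED_COMPONENTS = (
    ("CloudWatch", "CloudWatchEncryption", "CloudWatchEncryptionMode"),
    ("JobBookmarks", "JobBookmarksEncryption", "JobBookmarksEncryptionMode"),
)
ALL_COMPONENTS = ["CloudWatch", "JobBookmarks", "S3"]


def _mode_enabled(component: Any, mode_key: str) -> bool:
    """True only if the component is a mapping whose mode is set to something other than DISABLED."""
    if not isinstance(component, dict):
        return False
    mode = component.get(mode_key)
    return isinstance(mode, str) and mode.strip().upper() != "DISABLED"


def failing_components(properties: Dict[str, Any]) -> List[str]:
    """Return the labels of the components that are missing or DISABLED (empty list = compliant)."""
    encryption = properties.get("EncryptionConfiguration")
    if not isinstance(encryption, dict):
        return list(ALL_COMPONENTS)  # nothing configured at all: every component fails

    failures: List[str] = []
    for label, prop, mode_key in SINGLE_VALUED_COMPONENTS:
        if not _mode_enabled(encryption.get(prop), mode_key):
            failures.append(label)

    # S3Encryptions is a list in CloudFormation: require at least one entry and no DISABLED entry.
    s3_entries = encryption.get("S3Encryptions")
    if (not isinstance(s3_entries, list) or not s3_entries
            or not all(_mode_enabled(e, "S3EncryptionMode") for e in s3_entries)):
        failures.append("S3")
    return failures


def evaluate_template(template: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map each Glue security-configuration logical ID in the template to its failing components."""
    results: Dict[str, List[str]] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if isinstance(resource, dict) and resource.get("Type") == GLUE_SECURITY_CONFIGURATION:
            results[logical_id] = failing_components(resource.get("Properties") or {})
    return results


# Constructed sample template (illustrative only; the key ARN is a placeholder, not a real key).
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
SAMPLE_TEMPLATE = {
    "Resources": {
        "Compliant": {
            "Type": GLUE_SECURITY_CONFIGURATION,
            "Properties": {
                "Name": "compliant",
                "EncryptionConfiguration": {
                    "CloudWatchEncryption": {"CloudWatchEncryptionMode": "SSE-KMS", "KmsKeyArn": KEY_ARN},
                    "JobBookmarksEncryption": {"JobBookmarksEncryptionMode": "CSE-KMS", "KmsKeyArn": KEY_ARN},
                    "S3Encryptions": [{"S3EncryptionMode": "SSE-KMS", "KmsKeyArn": KEY_ARN}],
                },
            },
        },
        "BookmarksDisabled": {
            "Type": GLUE_SECURITY_CONFIGURATION,
            "Properties": {
                "Name": "bookmarks-disabled",
                "EncryptionConfiguration": {
                    "CloudWatchEncryption": {"CloudWatchEncryptionMode": "SSE-KMS", "KmsKeyArn": KEY_ARN},
                    "JobBookmarksEncryption": {"JobBookmarksEncryptionMode": "DISABLED"},
                    "S3Encryptions": [{"S3EncryptionMode": "SSE-S3"}],
                },
            },
        },
        "NothingConfigured": {
            "Type": GLUE_SECURITY_CONFIGURATION,
            "Properties": {"Name": "bare"},
        },
        "UnrelatedBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}

if __name__ == "__main__":
    for logical_id, failures in evaluate_template(SAMPLE_TEMPLATE).items():
        verdict = "PASS" if not failures else "FAIL (" + ", ".join(failures) + ")"
        print(f"{logical_id}: {verdict}")
```

The evaluator reports each failing component separately rather than a single pass/fail, because a security configuration that encrypts S3 output but leaves job bookmarks or CloudWatch logs in the clear still fails this check, and the remediation differs per component. Resources of other types are skipped, and a resource with no `EncryptionConfiguration` at all fails on all three.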
## Fix - Runtime
### AWS Console
TBA
## Fix - Buildtime
### Terraform
- **Resource:** aws_glue_security_configuration
- **Arguments:** encryption_configuration, job_bookmarks_encryption, s3_encryption

```hcl
# aws_glue_security_configuration.test.tf
resource "aws_glue_security_configuration" "test" {
  name = "example"
  ...
+ encryption_configuration {
+   cloudwatch_encryption {
+     cloudwatch_encryption_mode = "SSE-KMS"
+     kms_key_arn                = aws_kms_key.example.arn
+   }
+   job_bookmarks_encryption {
+     job_bookmarks_encryption_mode = "CSE-KMS"
+     kms_key_arn                   = aws_kms_key.example.arn
+   }
+   s3_encryption {
+     kms_key_arn        = aws_kms_key.example.arn
+     s3_encryption_mode = "SSE-KMS"
+   }
+ }
}
```
### CloudFormation
- **Resource:** AWS::Glue::SecurityConfiguration
- **Arguments:** Properties.EncryptionConfiguration

```yaml
Resources:
  Resource0:
    Type: AWS::Glue::SecurityConfiguration
    Properties:
      ...
      EncryptionConfiguration:
        CloudWatchEncryption:
+         CloudWatchEncryptionMode: SSE-KMS # any value but 'DISABLED'
          ...
        JobBookmarksEncryption:
+         JobBookmarksEncryptionMode: CSE-KMS # any value but 'DISABLED'
          ...
        S3Encryptions:
+         - S3EncryptionMode: SSE-KMS # any value but 'DISABLED'
            ...
```