AWS Glue

AWS Glue Data Catalog Encryption Disabled

This plugin ensures that AWS Glue Data Catalogs have encryption at-rest enabled.

Risk Level: Medium

Description

This plugin checks that the AWS Glue Data Catalog in each region has encryption at rest enabled for its metadata. When metadata encryption is enabled, Glue encrypts every object (databases, tables, partitions, connections) with the selected AWS KMS key as it is written to the Data Catalog. Without it, the catalog metadata, which includes table definitions, schemas and the locations of the underlying data stores, is protected only by IAM permissions; encrypting it with a KMS key adds the key policy as a second, independent access control and records key usage in CloudTrail.

Configuration Parameters

Glue Data Catalog Target Encryption Level: the lowest KMS key level that the organization accepts for Data Catalog encryption. If a catalog is encrypted, but with a key whose level is below the configured target, the plugin raises an issue for that region.

The default is awskms, i.e. an AWS managed AWS Key Management Service key (alias aws/glue). This is the lowest level the plugin accepts and is not recommended; a customer managed key, whose key policy, rotation and deletion you control, is preferred.

About the Service

AWS Glue: AWS Glue is a serverless data integration service. It handles the extraction, enrichment, cleaning and combining of data from multiple sources so that the result can be used for analytics, machine learning and application development. The AWS Glue Data Catalog is its central metadata store: it records databases, tables, schemas and data locations so that users and services such as Athena, Redshift Spectrum and EMR can discover and query datasets from a single place.

Impact

The AWS Glue Data Catalog holds metadata about data stores across the account, including table schemas, partition keys and the S3 paths or JDBC targets where the actual data lives, and this metadata drives ETL jobs and analytic queries. Left unencrypted, it is protected only by IAM. Encrypting it with a KMS key means a principal must also be allowed by the key policy to read the metadata, which limits the damage from overly broad Glue permissions or a compromised credential and makes access to the catalog auditable through KMS CloudTrail events.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the AWS Glue Console. You can use this link (https://console.aws.amazon.com/glue) to navigate directly if already logged in. 
  3. Scroll down and select Settings under the Data catalog section from the left pane.
  4. Under Encryption settings, check whether the Metadata encryption option is selected. If it is not, encryption at rest is disabled for the Data Catalog in that region.
  5. Repeat steps 3 and 4 for every region you want to check, since the Data Catalog is regional.

Steps for Remediation

Modify Glue data catalog settings and enable metadata encryption.

  1. Log In to your AWS Console.
  2. Open the AWS Glue Console. You can use this link (https://console.aws.amazon.com/glue) to navigate directly if already logged in. 
  3. Scroll down and select Settings under the Data catalog section from the left pane.
  4. Under Encryption settings, select the Metadata encryption option. Choose an AWS KMS key from the list or enter its key ARN (a customer managed key is preferred, as described under Configuration Parameters), then click Save.
  5. Repeat steps 3 and 4 in every region whose Data Catalog was flagged.
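The check and the remediation described above can also be done programmatically. The following Python is an added example, not the plugin's own code: it reproduces the plugin's logic (is metadata encryption on, and does the key meet the target encryption level) over constructed copies of the responses that the Glue GetDataCatalogEncryptionSettings and KMS DescribeKey APIs return, so it runs offline, and it builds the settings payload that PutDataCatalogEncryptionSettings expects for remediation. The level names awskms, awscmk, externalcmk and cloudhsm, the ranking among customer managed keys, and the account and key identifiers are assumptions made for the example; the page itself only states that an AWS managed key is the lowest acceptable level.

```python
"""Check Glue Data Catalog encryption at rest against a target key level.

Added example, not the plugin's own code. Works over constructed copies of
GetDataCatalogEncryptionSettings and KMS DescribeKey responses so it runs
offline. Level names are labels chosen here (assumption).
"""

# Weakest to strongest. Only "AWS managed key is the lowest accepted level"
# comes from the page; the finer ranking is an assumption.
LEVELS = ["none", "awskms", "awscmk", "externalcmk", "cloudhsm"]

AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
CMK_KEY = "arn:aws:kms:eu-west-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"

# Constructed KMS DescribeKey KeyMetadata, keyed by key ARN.
# Live data: boto3.client("kms", region_name=r).describe_key(KeyId=arn)["KeyMetadata"]
SAMPLE_KMS_KEYS = {
    AWS_KEY: {"KeyManager": "AWS", "Origin": "AWS_KMS"},       # alias/aws/glue
    CMK_KEY: {"KeyManager": "CUSTOMER", "Origin": "AWS_KMS"},  # customer managed
}

# Constructed GetDataCatalogEncryptionSettings responses, one per region.
# Live data: boto3.client("glue", region_name=r).get_data_catalog_encryption_settings()
SAMPLE_SETTINGS = {
    "us-east-1": {"DataCatalogEncryptionSettings": {
        "EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS", "SseAwsKmsKeyId": AWS_KEY},
        "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False}}},
    "eu-west-1": {"DataCatalogEncryptionSettings": {
        "EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS", "SseAwsKmsKeyId": CMK_KEY},
        "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False}}},
    "ap-south-1": {"DataCatalogEncryptionSettings": {
        "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
        "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False}}},
}


def key_level(key_metadata):
    """Classify a KMS key from its DescribeKey KeyMetadata object."""
    if key_metadata is None:
        return "none"
    if key_metadata.get("KeyManager") == "AWS":
        return "awskms"          # AWS managed key, e.g. alias/aws/glue
    origin = key_metadata.get("Origin")
    if origin == "AWS_CLOUDHSM":
        return "cloudhsm"        # customer managed key backed by a CloudHSM key store
    if origin == "EXTERNAL":
        return "externalcmk"     # customer managed key with imported material
    return "awscmk"              # customer managed key generated inside KMS


def evaluate_catalog(region, settings, kms_keys, target="awskms"):
    """Return (status, message) for one region's catalog settings."""
    at_rest = settings.get("DataCatalogEncryptionSettings", {}).get("EncryptionAtRest", {})
    mode = at_rest.get("CatalogEncryptionMode", "DISABLED")
    if mode == "DISABLED":
        return "FAIL", f"{region}: Data Catalog metadata encryption is disabled"
    key_id = at_rest.get("SseAwsKmsKeyId")
    level = key_level(kms_keys.get(key_id))
    if LEVELS.index(level) < LEVELS.index(target):
        return "FAIL", f"{region}: catalog key level {level} is below target {target}"
    return "PASS", f"{region}: metadata encrypted with {level} key {key_id}"


def run(target="awskms", settings=SAMPLE_SETTINGS, kms_keys=SAMPLE_KMS_KEYS):
    """Evaluate every region; returns {region: status}."""
    results = {}
    for region, regional_settings in settings.items():
        status, message = evaluate_catalog(region, regional_settings, kms_keys, target)
        results[region] = status
        print(f"[{status}] {message}")
    return results


def remediation_settings(key_arn):
    """Payload for glue.put_data_catalog_encryption_settings(
    DataCatalogEncryptionSettings=...) that turns on SSE-KMS metadata encryption."""
    return {"EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS",
                                 "SseAwsKmsKeyId": key_arn}}


if __name__ == "__main__":
    run("awskms")   # ap-south-1 fails: encryption disabled
    run("awscmk")   # us-east-1 now also fails: AWS managed key below target
```

With the default target of awskms only the region with encryption disabled is flagged; raising the target to awscmk also flags the region that uses the AWS managed key, which is the behaviour the configuration parameter describes. The dictionary returned by remediation_settings is the same JSON you would pass to the CLI with aws glue put-data-catalog-encryption-settings --data-catalog-encryption-settings, once per region.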