AWS Glue

AWS Glue Job Bookmark Encryption Disabled

This plugin ensures that AWS Glue job bookmark encryption is enabled for all security configurations.

Risk Level: Medium

Description

This plugin ensures that AWS Glue job bookmark encryption is enabled for every security configuration in the account. When a security configuration has job bookmark encryption enabled, AWS Glue encrypts the bookmark data with an AWS KMS key before it is sent to Amazon S3 for storage.

About the Service

AWS Glue: AWS Glue simplifies data integration. It handles the complete process of extracting, enriching, cleaning and combining data, and the integrated data can then be used for analytics, machine learning, and application development. With the AWS Data Catalog, users can search across many datasets from a single place.

Impact

Security configurations in the AWS Glue console define the encryption settings inherited by the crawlers, jobs, and development endpoints that use them.

The AWS Glue job bookmark, which holds state for job elements such as sources, transformations, and targets, is stored in an S3 bucket for later reference. If that bucket has a public bucket policy or ACL, the unencrypted bookmark data, and any sensitive information it contains, can be publicly accessible.

Therefore, it is important to properly encrypt the data.

Steps to Reproduce

Using the AWS Console:
  1. Log in to your AWS Console.
  2. Open the AWS Glue Console. You can use this link (https://console.aws.amazon.com/glue) to navigate directly if already logged in.
  3. Scroll down and select Security Configurations from the left pane.
  4. In the list of configurations, look at the Job bookmark encryption mode column. If the value is “DISABLED”, job bookmark encryption is disabled for that configuration.
  5. Repeat steps 3 to 4 for all the configurations you want to investigate.

Steps for Remediation

Recreate the affected Glue security configurations with job bookmark encryption enabled. Security configurations cannot be edited in place, so a non-compliant one must be deleted and recreated under the same name.

  1. Log in to your AWS Console.
  2. Open the AWS Glue Console. You can use this link (https://console.aws.amazon.com/glue) to navigate directly if already logged in.
  3. Scroll down and select Security Configurations from the left pane.
  4. In the list of configurations, look at the Job bookmark encryption mode column. If the value is “DISABLED”, job bookmark encryption is disabled for that configuration. Select the configuration with the radio button beside it and click on Delete.
  5. Confirm the delete operation when prompted in the popup.
  6. From the home screen, click on Add Security Configuration. Enter the same name as the configuration you deleted.
  7. Expand the Advanced properties option. Check the Job Bookmark Encryption option.
  8. Choose an AWS KMS key or type the key ARN.
  9. Click on Finish after completing the configuration.
  10. Repeat steps 3 to 9 for all the vulnerable configurations.
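The same check and remediation input, scripted against the Glue API rather than the console, as an added example that is not the plugin's own code. It evaluates the GetSecurityConfigurations response shape (JobBookmarksEncryptionMode is either DISABLED or CSE-KMS), pages through results when given a boto3 Glue client, and builds the JobBookmarksEncryption block for CreateSecurityConfiguration; the sample configurations and KMS key ARN below are constructed placeholders.

```python
from typing import Iterable, Iterator, List, Tuple


def bookmark_encryption_mode(config: dict) -> str:
    """Return the JobBookmarksEncryptionMode of one security configuration.
    A missing JobBookmarksEncryption block is treated as DISABLED."""
    enc = config.get("EncryptionConfiguration") or {}
    jb = enc.get("JobBookmarksEncryption") or {}
    return jb.get("JobBookmarksEncryptionMode", "DISABLED")


def evaluate(configs: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (name, status, message) per configuration; FAIL unless the mode
    is CSE-KMS, the only encrypted mode the Glue API offers for bookmarks."""
    findings = []
    for cfg in configs:
        mode = bookmark_encryption_mode(cfg)
        if mode == "CSE-KMS":
            findings.append((cfg["Name"], "PASS", "job bookmark encryption enabled (CSE-KMS)"))
        else:
            findings.append((cfg["Name"], "FAIL", f"job bookmark encryption mode is {mode}"))
    return findings


def fetch_security_configurations(glue_client) -> Iterator[dict]:
    """Page through GetSecurityConfigurations with a boto3 Glue client."""
    token = None
    while True:
        resp = glue_client.get_security_configurations(**({"NextToken": token} if token else {}))
        yield from resp.get("SecurityConfigurations", [])
        token = resp.get("NextToken")
        if not token:
            return


def compliant_bookmark_encryption(kms_key_arn: str) -> dict:
    """JobBookmarksEncryption block to place inside EncryptionConfiguration when
    calling create_security_configuration to recreate a failing configuration."""
    return {"JobBookmarksEncryptionMode": "CSE-KMS", "KmsKeyArn": kms_key_arn}


# Constructed sample in the shape GetSecurityConfigurations returns (ARN is a placeholder).
SAMPLE_CONFIGS = [
    {"Name": "etl-default", "EncryptionConfiguration": {
        "JobBookmarksEncryption": {"JobBookmarksEncryptionMode": "DISABLED"}}},
    {"Name": "etl-encrypted", "EncryptionConfiguration": {"JobBookmarksEncryption":
        compliant_bookmark_encryption("arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID")}},
    {"Name": "legacy-no-block", "EncryptionConfiguration": {}},
]
```

Running `evaluate(fetch_security_configurations(boto3.client("glue")))` reports every configuration in the region, and a FAIL entry is the one to delete and recreate with the compliant block.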