Glue Data Catalog encryption is not enabled
Description
This policy examines the aws_glue_data_catalog_encryption_settings resource and checks that both halves of Data Catalog encryption are configured inside its data_catalog_encryption_settings block: the connection_password_encryption block must set return_connection_password_encrypted to true, and the encryption_at_rest block must set catalog_encryption_mode to SSE-KMS. Without these settings, catalog metadata is stored unencrypted and stored JDBC connection passwords are returned in plaintext to any principal allowed to call the Glue connection APIs.
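An added example, not part of the original page and not Checkov's own source: a minimal Python re-implementation of the check described above, run over two constructed resource configurations, one weak and one matching the remediation. It accepts the attribute dict an HCL parser such as python-hcl2 produces (nested blocks and attribute values wrapped in single-element lists) as well as the flatter shape of `terraform show -json` plan output. The function names, the two sample resources and the wrapped-list handling are assumptions made for this example.

```python
"""Constructed re-implementation of the IAC-0147 / CKV_AWS_94 logic
(an illustration, not Checkov's code): evaluate the attributes of an
aws_glue_data_catalog_encryption_settings resource and report why it fails.
"""
from __future__ import annotations

from typing import Any, Optional, Tuple, List

RESOURCE_TYPE = "aws_glue_data_catalog_encryption_settings"


def _block(conf: Any, key: str) -> Optional[dict]:
    """Return nested block `key`, unwrapping the single-element list that
    HCL parsers and plan JSON emit for blocks. None if absent."""
    if not isinstance(conf, dict):
        return None
    value = conf.get(key)
    if isinstance(value, list):
        value = value[0] if value else None
    return value if isinstance(value, dict) else None


def _scalar(conf: dict, key: str) -> Any:
    """Return attribute `key`, unwrapping a single-element list (hcl2 shape)."""
    value = conf.get(key)
    if isinstance(value, list) and len(value) == 1:
        return value[0]
    return value


def check_glue_catalog_encryption(conf: dict) -> Tuple[str, List[str]]:
    """Return ("PASSED", []) or ("FAILED", [reasons...]) for one resource."""
    reasons: List[str] = []
    settings = _block(conf, "data_catalog_encryption_settings")
    if settings is None:
        return "FAILED", ["data_catalog_encryption_settings block missing"]

    pw = _block(settings, "connection_password_encryption")
    if pw is None:
        reasons.append("connection_password_encryption block missing")
    else:
        flag = _scalar(pw, "return_connection_password_encrypted")
        # Accept Python True or the string "true" that some parsers emit.
        if flag is not True and str(flag).lower() != "true":
            reasons.append("return_connection_password_encrypted is not true")

    rest = _block(settings, "encryption_at_rest")
    if rest is None:
        reasons.append("encryption_at_rest block missing")
    else:
        mode = _scalar(rest, "catalog_encryption_mode")
        if mode != "SSE-KMS":
            reasons.append(f"catalog_encryption_mode is {mode!r}, expected 'SSE-KMS'")

    return ("PASSED", []) if not reasons else ("FAILED", reasons)


# Constructed sample resources (hcl2-style shape), not taken from the page.
WEAK = {"data_catalog_encryption_settings": [{
    "connection_password_encryption": [{"return_connection_password_encrypted": [False]}],
    "encryption_at_rest": [{"catalog_encryption_mode": ["DISABLED"]}],
}]}

HARDENED = {"data_catalog_encryption_settings": [{
    "connection_password_encryption": [{
        "aws_kms_key_id": ["${aws_kms_key.glue.arn}"],
        "return_connection_password_encrypted": [True],
    }],
    "encryption_at_rest": [{
        "catalog_encryption_mode": ["SSE-KMS"],
        "sse_aws_kms_key_id": ["${aws_kms_key.glue.arn}"],
    }],
}]}


def scan(resources: dict) -> dict:
    """Map each resource name to its PASSED/FAILED result."""
    return {name: check_glue_catalog_encryption(conf)[0] for name, conf in resources.items()}


if __name__ == "__main__":
    for name, conf in {"weak": WEAK, "hardened": HARDENED}.items():
        status, why = check_glue_catalog_encryption(conf)
        print(f"{RESOURCE_TYPE}.{name}: {status} {why}")
```

The check tests only the two settings the policy names. It does not verify that aws_kms_key_id or sse_aws_kms_key_id refer to a customer-managed key rather than the AWS-managed Glue key, so a separate check is needed if key ownership matters to you.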
Code Example
```hcl
resource "aws_glue_data_catalog_encryption_settings" "example" {
  ...
+ data_catalog_encryption_settings {
+   connection_password_encryption {
+     aws_kms_key_id                       = aws_kms_key.glue.arn
+     return_connection_password_encrypted = true
+   }
+   encryption_at_rest {
+     catalog_encryption_mode = "SSE-KMS"
+     sse_aws_kms_key_id      = aws_kms_key.glue.arn
+   }
+ }
  ...
}
```
Remediation
AWS Console
TBA
CLI Command
Fix - Buildtime
Terraform
- Resource: aws_glue_data_catalog_encryption_settings
- Arguments: the data_catalog_encryption_settings/connection_password_encryption and data_catalog_encryption_settings/encryption_at_rest blocks
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0147 |
| Severity | HIGH |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_94 |