AWS Glue security configuration encryption is not enabled

Description

Ensure that AWS Glue has encryption enabled. AWS glue has three possible components that could be encrypted: Cloudwatch, job bookmarks and S3 buckets. This check ensures that each is set correctly.

Code Example

resource "aws_glue_security_configuration" "test" {
  name = "example"
    ...
+ encryption_configuration {
+   cloudwatch_encryption {
+     cloudwatch_encryption_mode = "SSE-KMS"
+     kms_key_arn        = aws_kms_key.example.arn
+   }

+   job_bookmarks_encryption {
+     job_bookmarks_encryption_mode = "CSE-KMS"
+     kms_key_arn        = aws_kms_key.example.arn
+   }

+   s3_encryption {
+     kms_key_arn        = aws_kms_key.example.arn
+     s3_encryption_mode = "SSE-KMS"
+   }
+ }
}

Remediation

AWS Console

TBA === Fix - Buildtime

Terraform

Resource: aws_glue_security_configuration
Arguments: encryption_configuration, job_bookmarks_encryption, s3_encryption

Rule Details

Field	Value
ID	IAC-0152
Severity	HIGH
IaC Type	Cloudformation
Frameworks	CloudFormation, Terraform, TerraformPlan, Serverless
Checkov ID	CKV_AWS_99

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

AWS Glue security configuration encryption is not enabled

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

AWS Glue security configuration encryption is not enabled ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

AWS Glue security configuration encryption is not enabled

Description

Code Example

Remediation

Rule Details

References