For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-glue-data-catalog-encryption-disabled.md. A documentation index is available at /llms.txt.

Glue Data Catalog encryption disabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-aws-glue-data-catalog-encryption-disabled

Provider: AWS

Platform: Terraform

Severity: High

Category: Encryption

Learn More

Description

AWS Glue Data Catalog contains metadata about AWS resources and should be properly encrypted to protect sensitive information. When encryption is disabled for connection passwords or data at rest, it could expose sensitive connection credentials and metadata to unauthorized access, potentially leading to data breaches or unauthorized resource access. Enabling both connection password encryption (with return_connection_password_encrypted set to true) and encryption at rest with SSE-KMS ensures that all sensitive metadata is properly protected with AWS KMS keys.

Example of secure configuration:

resource "aws_glue_data_catalog_encryption_settings" "secure_example" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = aws_kms_key.test.arn
      return_connection_password_encrypted = true
    }

    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }
  }
}

Compliant Code Examples

resource "aws_glue_data_catalog_encryption_settings" "negative1" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = aws_kms_key.test.arn
      return_connection_password_encrypted = true
    }

    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }
  }
}

Non-Compliant Code Examples

resource "aws_glue_data_catalog_encryption_settings" "positive1" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = aws_kms_key.test.arn
      return_connection_password_encrypted = false
    }

    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }
  }
}

resource "aws_glue_data_catalog_encryption_settings" "positive2" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      return_connection_password_encrypted = true
    }

    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }
  }
}

resource "aws_glue_data_catalog_encryption_settings" "positive3" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = aws_kms_key.test.arn
      return_connection_password_encrypted = true
    }

    encryption_at_rest {
      catalog_encryption_mode = "DISABLED"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }
  }
}