For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-glue-security-configuration-encryption-disabled.md. A documentation index is available at /llms.txt.

Glue security configuration encryption disabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-aws-glue-security-configuration-encryption-disabled

Provider: AWS

Platform: Terraform

Severity: High

Category: Encryption

Learn More

Description

AWS Glue Security Configuration requires proper encryption settings for all three components (CloudWatch, job bookmarks, and S3) with valid KMS key ARNs to ensure comprehensive data protection. When any of these components lacks proper encryption configuration or is missing the required KMS key ARN, it creates security vulnerabilities that could expose sensitive data. The impact of this misconfiguration includes potential unauthorized access to data, compliance violations, and increased risk of data breaches.

Secure configuration example:

encryption_configuration {
  cloudwatch_encryption {
    cloudwatch_encryption_mode = "SSE-KMS"
    kms_key_arn = data.aws_kms_key.example.arn
  }
  job_bookmarks_encryption {
    job_bookmarks_encryption_mode = "CSE-KMS"
    kms_key_arn = data.aws_kms_key.example.arn
  }
  s3_encryption {
    s3_encryption_mode = "SSE-KMS"
    kms_key_arn = data.aws_kms_key.example.arn
  }
}

Compliant Code Examples

resource "aws_glue_security_configuration" "negative1" {
  name = "example"

  encryption_configuration {
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "SSE-KMS"
      kms_key_arn = data.aws_kms_key.example.arn
    }

    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "CSE-KMS"
      kms_key_arn = data.aws_kms_key.example.arn
    }

    s3_encryption {
      kms_key_arn        = data.aws_kms_key.example.arn
      s3_encryption_mode = "SSE-KMS"
    }
  }
}

Non-Compliant Code Examples

resource "aws_glue_security_configuration" "positive1" {
  name = "example"

  encryption_configuration {
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "SSE-KMS"
    }

    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "CSE-KMS"
      kms_key_arn = data.aws_kms_key.example.arn
    }

    s3_encryption {
      kms_key_arn        = data.aws_kms_key.example.arn
      s3_encryption_mode = "SSE-KMS"
    }
  }
}

resource "aws_glue_security_configuration" "positive2" {
  name = "example"

  encryption_configuration {
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "SSE-KMS"
      kms_key_arn = data.aws_kms_key.example.arn
    }

    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "DISABLED"
      kms_key_arn = data.aws_kms_key.example.arn
    }

    s3_encryption {
      kms_key_arn        = data.aws_kms_key.example.arn
      s3_encryption_mode = "SSE-KMS"
    }
  }
}

resource "aws_glue_security_configuration" "positive2" {
  name = "example"

  encryption_configuration {
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "SSE-KMS"
      kms_key_arn = data.aws_kms_key.example.arn
    }

    job_bookmarks_encryption {
      kms_key_arn = data.aws_kms_key.example.arn
    }

    s3_encryption {
      kms_key_arn        = data.aws_kms_key.example.arn
      s3_encryption_mode = "SSE-KMS"
    }
  }
}