Description:
Glue development endpoints are used to run Glue jobs locally. By default, data written to S3 by Glue development endpoints is not encrypted. This means that if an attacker gains access to the S3 bucket, they could potentially read the data.

Rationale:
Encrypting data written to S3 by Glue development endpoints helps to protect the data from unauthorized access. This is important because the data written to S3 by Glue development endpoints may contain sensitive information, such as passwords, credit card numbers, or other personally identifiable information.

Impact:
Enabling S3 encryption for Glue development endpoints can help to protect the data from unauthorized access. This can help to reduce the risk of data breaches and protect the privacy of users.

Default Value:
By default, S3 encryption is not enabled for Glue development endpoints.

Pre-Requisite:
To enable S3 encryption for Glue development endpoints, you must have the following:

  • Access to the AWS Management Console
  • The ability to modify Glue development endpoints
  • An AWS KMS key

Remediation Steps:
To remediate a Glue development endpoint that does not have S3 encryption enabled, you can follow these steps:

  • Go to the AWS Management Console and open the Glue console.
  • In the navigation pane, select "Development endpoints."
  • Select the Glue development endpoint that you want to enable S3 encryption for.
  • Click "Edit."
  • In the "Security configuration" section, select the checkbox next to "Enable S3 encryption."
  • Select the AWS KMS key that you want to use for encryption.
  • Click "Save."

Test Plan:
To test whether S3 encryption is enabled for a Glue development endpoint, you can follow these steps:

  • Go to the AWS Management Console and open the Glue console.
  • In the navigation pane, select "Development endpoints."
  • Select the Glue development endpoint that you want to test.
  • Check the "S3 encryption" column. If the value is "Enabled," then S3 encryption is enabled for the endpoint.
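
The same check can be scripted across every endpoint in an account. The following is an added example, not part of the original procedure: it assumes a boto3 Glue client (`boto3.client("glue")`) and that an endpoint's S3 encryption is reported through the security configuration attached to it. `FakeGlue` and its endpoint and configuration names are constructed sample data so the check runs offline.

```python
# Added example: audit Glue development endpoints for S3 encryption.
# Assumes a boto3 Glue client; FakeGlue below is a constructed stand-in.

def s3_encryption_mode(glue, endpoint):
    """Return the S3 encryption mode in effect for one dev endpoint."""
    name = endpoint.get("SecurityConfiguration")
    if not name:
        return "NONE"  # no security configuration attached at all
    cfg = glue.get_security_configuration(Name=name)["SecurityConfiguration"]
    entries = cfg.get("EncryptionConfiguration", {}).get("S3Encryption", [])
    modes = [e.get("S3EncryptionMode", "DISABLED") for e in entries]
    for mode in ("SSE-KMS", "SSE-S3"):
        if mode in modes:
            return mode
    return "DISABLED"

def audit_dev_endpoints(glue):
    """Map every dev endpoint name to its S3 encryption mode."""
    report, token = {}, None
    while True:  # follow NextToken until the last page
        kwargs = {"NextToken": token} if token else {}
        page = glue.get_dev_endpoints(**kwargs)
        for ep in page.get("DevEndpoints", []):
            report[ep["EndpointName"]] = s3_encryption_mode(glue, ep)
        token = page.get("NextToken")
        if not token:
            return report

def non_compliant(report):
    """Endpoints not using a KMS key, which the prerequisites call for."""
    return sorted(n for n, mode in report.items() if mode != "SSE-KMS")

class FakeGlue:
    """Constructed stand-in for the Glue client (sample data, two pages)."""
    pages = {None: {"DevEndpoints": [{"EndpointName": "etl-dev"},
                     {"EndpointName": "etl-kms", "SecurityConfiguration": "kms-cfg"}],
                    "NextToken": "p2"},
             "p2": {"DevEndpoints": [{"EndpointName": "etl-off",
                                      "SecurityConfiguration": "off-cfg"}]}}
    configs = {"kms-cfg": [{"S3EncryptionMode": "SSE-KMS", "KmsKeyArn": "arn:aws:kms:EXAMPLE"}],
               "off-cfg": [{"S3EncryptionMode": "DISABLED"}]}
    def get_dev_endpoints(self, NextToken=None):
        return self.pages[NextToken]
    def get_security_configuration(self, Name):
        return {"SecurityConfiguration": {"Name": Name,
                "EncryptionConfiguration": {"S3Encryption": self.configs[Name]}}}

if __name__ == "__main__":
    report = audit_dev_endpoints(FakeGlue())
    print(report, non_compliant(report))
```

To run it against a real account, pass `boto3.client("glue")` to `audit_dev_endpoints` in place of `FakeGlue()`.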

AWS CLI Process:
To enable S3 encryption for a Glue development endpoint using the AWS CLI, you can follow these steps:

  • Install the AWS CLI.
  • Configure the AWS CLI with your AWS credentials.
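  • Run the following commands to create a security configuration with SSE-KMS S3 encryption and to create the Glue development endpoint with that configuration attached (update-dev-endpoint has no S3 encryption option):
aws glue create-security-configuration --name <config-name> --encryption-configuration '{"S3Encryption":[{"S3EncryptionMode":"SSE-KMS","KmsKeyArn":"<kms-key-arn>"}]}'
aws glue create-dev-endpoint --endpoint-name <endpoint-name> --role-arn <role-arn> --security-configuration <config-name>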

AWS GUI Process:
To enable S3 encryption for a Glue development endpoint using the AWS GUI, you can follow these steps:

  • Open the AWS GUI.
  • In the navigation pane, select "Glue."
  • Select the Glue development endpoint that you want to enable S3 encryption for.
  • Click the "Security configuration" tab.
  • Select the checkbox next to "Enable S3 encryption."
  • Select the AWS KMS key that you want to use for encryption.
  • Click "Save."

Backout Plan:
To back out of enabling S3 encryption for a Glue development endpoint, you can follow these steps:

  • Go to the AWS Management Console and open the Glue console.
  • In the navigation pane, select "Development endpoints."
  • Select the Glue development endpoint that you want to disable S3 encryption for.
  • Click "Edit."
  • In the "Security configuration" section, clear the checkbox next to "Enable S3 encryption."
  • Click "Save."

Note:

  • If you disable S3 encryption for a Glue development endpoint, data written to S3 by the endpoint will not be encrypted.
  • You can also use the AWS KMS console to enable S3 encryption for Glue development endpoints.


Reference:

  • https://docs.aws.amazon.com/glue/latest/dg/dev-endpoints.html
  • https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html