Description:
The AWS Glue Data Catalog is a centralized metadata repository for all your data assets across various data sources. Metadata encryption encrypts the catalog's stored metadata at rest with an AWS KMS key, so that the data catalog is protected from unauthorized access to that stored metadata.

Rationale:
Metadata encryption is important for data security. It helps to protect the data catalog from unauthorized access, which could lead to the disclosure of sensitive data.

Impact:
If metadata encryption is not enabled, then the data catalog could be accessed by unauthorized users. This could lead to the disclosure of sensitive data, such as database credentials, table names, and schema definitions.

Default Value:
AWS Glue does not enable metadata encryption by default.

Pre-requisites:

  • You must have an AWS account and be logged in to the AWS Management Console.
  • You must have the AWS CLI installed and configured.

Remediation Steps:

  • Sign in to the AWS Management Console.
  • Go to the AWS Glue console.
  • Click Settings in the left navigation pane.
  • On the Data catalog settings page, select the Metadata encryption checkbox.
  • Select an AWS KMS key to use for encryption.
  • Click Save.

Test Plan:

  • Verify that the Metadata encryption checkbox is selected.
  • Verify that the AWS KMS key you selected is the correct key.
  • Try to access the data catalog using the AWS CLI.
  • If you are unable to access the data catalog, then metadata encryption is enabled.

AWS CLI Process:

  • Run the following command to enable metadata encryption (the underlying API operation is PutDataCatalogEncryptionSettings; replace the example KMS key ARN with your own key):
aws glue put-data-catalog-encryption-settings --region us-east-1 --data-catalog-encryption-settings '{"EncryptionAtRest":{"CatalogEncryptionMode":"SSE-KMS","SseAwsKmsKeyId":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"}}'
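The following audit helper is an added example for the Test Plan and AWS CLI Process sections above; it is not code from the page, from AWS, or from any benchmark project. It evaluates the response of the real Glue API operation GetDataCatalogEncryptionSettings (the read side of the PutDataCatalogEncryptionSettings call used for remediation), treating the catalog as compliant only when the encryption mode is SSE-KMS (or the newer SSE-KMS-WITH-SERVICE-ROLE) and a KMS key is reported. The same response also carries the ConnectionPasswordEncryption block for catalog connection passwords, which the example checks as a second finding. The function names evaluate_catalog_encryption and fetch_settings are this example's own, the boto3 import is deferred so the module runs offline, and the two sample responses are constructed rather than captured from a real account.

```python
"""Audit helper for AWS Glue Data Catalog metadata encryption (added example)."""
from __future__ import annotations

# Modes that mean catalog metadata is encrypted at rest under a KMS key.
COMPLIANT_MODES = {"SSE-KMS", "SSE-KMS-WITH-SERVICE-ROLE"}


def evaluate_catalog_encryption(settings: dict) -> dict:
    """Judge the DataCatalogEncryptionSettings structure returned by
    GetDataCatalogEncryptionSettings. Returns a dict with a boolean
    `compliant` flag, the observed mode, the key id and a list of findings."""
    findings = []
    at_rest = settings.get("EncryptionAtRest", {})
    mode = at_rest.get("CatalogEncryptionMode", "DISABLED")
    key_id = at_rest.get("SseAwsKmsKeyId")

    if mode not in COMPLIANT_MODES:
        findings.append(f"metadata encryption at rest is {mode}")
    elif not key_id:
        findings.append("SSE-KMS mode set but no SseAwsKmsKeyId returned")

    # Connection passwords are stored in the same catalog; the same API call
    # reports whether they are returned encrypted under a KMS key.
    pw = settings.get("ConnectionPasswordEncryption", {})
    if not pw.get("ReturnConnectionPasswordEncrypted", False):
        findings.append("connection passwords are not KMS-encrypted")

    return {
        "compliant": not findings,
        "mode": mode,
        "kms_key_id": key_id,
        "findings": findings,
    }


def fetch_settings(region_name: str, catalog_id: str | None = None) -> dict:
    """Live lookup via boto3 (requires AWS credentials and network access)."""
    import boto3  # deferred so the module imports without boto3 installed

    glue = boto3.client("glue", region_name=region_name)
    kwargs = {"CatalogId": catalog_id} if catalog_id else {}
    resp = glue.get_data_catalog_encryption_settings(**kwargs)
    return resp["DataCatalogEncryptionSettings"]


# Constructed sample responses (hypothetical, not captured from a real account).
SAMPLE_DISABLED = {
    "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False},
}
SAMPLE_ENABLED = {
    "EncryptionAtRest": {
        "CatalogEncryptionMode": "SSE-KMS",
        "SseAwsKmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
    },
    "ConnectionPasswordEncryption": {
        "ReturnConnectionPasswordEncrypted": True,
        "AwsKmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
    },
}

if __name__ == "__main__":
    import json
    import sys

    if len(sys.argv) > 1:
        # Live check: python glue_catalog_audit.py us-east-1
        result = evaluate_catalog_encryption(fetch_settings(sys.argv[1]))
    else:
        # Offline demonstration on the constructed non-compliant sample.
        result = evaluate_catalog_encryption(SAMPLE_DISABLED)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["compliant"] else 1)
```

Run with a region argument to audit a real account; the non-zero exit code on a non-compliant catalog lets the script serve as a pipeline gate. Note that this is the check a test plan should rely on: metadata encryption at rest does not block an authorized CLI caller from reading the catalog, so "access succeeded" on its own says nothing about whether encryption is enabled.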

Using AWS GUI:

  • Go to the AWS Glue console.
  • Click Settings in the left navigation pane.
  • On the Data catalog settings page, select the Metadata encryption checkbox.
  • Select an AWS KMS key to use for encryption.
  • Click Save.

Backout Plan:

  • Sign in to the AWS Management Console.
  • Go to the AWS Glue console.
  • Click Settings in the left navigation pane.
  • On the Data catalog settings page, unselect the Metadata encryption checkbox.
  • Click Save.

Note:

  • This policy only applies to the AWS Glue Data Catalog. Other AWS services, such as Amazon S3, may have their own encryption settings.
  • You can also enable metadata encryption using the AWS Glue API.
  • For more information, see the AWS Glue documentation on encrypting the data catalog: https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html.

Reference:
https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html
https://docs.aws.amazon.com/kms/latest/developerguide/