Description:
The AWS Glue Data Catalog stores connection passwords for various data sources. Enabling encryption for connection passwords helps to protect them from unauthorized access.

Rationale:
Connection passwords are often used to access sensitive data sources, such as databases and file systems. If these passwords are not encrypted, they could be easily compromised, which could lead to unauthorized access to sensitive data.

Impact:
If connection passwords are not encrypted, they could be easily compromised. This could lead to unauthorized access to sensitive data, such as customer PII, financial data, and intellectual property.

Default Value:
AWS Glue does not enable encryption for connection passwords by default.

Pre-requisites:

  • You must have an AWS account and be logged in to the AWS Management Console.
  • You must have the AWS CLI installed and configured.


Remediation Steps:

  • Sign in to the AWS Management Console.
  • Go to the AWS Glue console.
  • Click Settings in the left navigation pane.
  • On the Data catalog settings page, select the Encrypt connection passwords checkbox.
  • Click Save.


Test Plan:

  • Verify that the Encrypt connection passwords checkbox is selected.
  • Try to access the data catalog using the AWS CLI.
  • If you are unable to access the data catalog, then connection passwords are encrypted.


AWS CLI Process:

  • Run the following command to enable encryption for connection passwords (the Glue CLI operation is put-data-catalog-encryption-settings, which takes the settings as a JSON structure; the KMS key ARN below is a placeholder to replace with your own key):
aws glue put-data-catalog-encryption-settings --region us-east-1 --data-catalog-encryption-settings '{"ConnectionPasswordEncryption":{"ReturnConnectionPasswordEncrypted":true,"AwsKmsKeyId":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"}}'
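The following is an added audit helper, not part of this policy document or of AWS tooling: it evaluates the JSON that aws glue get-data-catalog-encryption-settings prints (constructed sample response below) and builds the remediation payload for put-data-catalog-encryption-settings. It assumes the put call replaces the whole settings object, so it carries the existing EncryptionAtRest block over unchanged.

```python
import json

# Constructed sample response, shaped like the output of
# `aws glue get-data-catalog-encryption-settings`; field names are the Glue
# API's, the values are made up for this example.
NONCOMPLIANT = json.loads("""{
  "DataCatalogEncryptionSettings": {
    "EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS",
      "SseAwsKmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-CATALOG-KEY"},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": false}
  }
}""")

# Placeholder key ARN (same placeholder the remediation step above uses).
KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"


def evaluate(response: dict) -> dict:
    """Compliance check: connection-password encryption on and bound to a KMS key."""
    cpe = response.get("DataCatalogEncryptionSettings", {}).get(
        "ConnectionPasswordEncryption", {})
    findings = []
    if not cpe.get("ReturnConnectionPasswordEncrypted", False):
        findings.append("ReturnConnectionPasswordEncrypted is false")
    elif not cpe.get("AwsKmsKeyId"):
        findings.append("encryption enabled but no AwsKmsKeyId recorded")
    return {"compliant": not findings, "findings": findings}


def remediation_settings(response: dict, kms_key_id: str) -> dict:
    """Build the --data-catalog-encryption-settings value.

    Assumption: the put call replaces the full settings object, so the current
    EncryptionAtRest block is preserved rather than reset to DISABLED."""
    current = response.get("DataCatalogEncryptionSettings", {})
    return {
        "EncryptionAtRest": current.get("EncryptionAtRest",
                                        {"CatalogEncryptionMode": "DISABLED"}),
        "ConnectionPasswordEncryption": {
            "ReturnConnectionPasswordEncrypted": True,
            "AwsKmsKeyId": kms_key_id,
        },
    }


def remediation_command(response: dict, kms_key_id: str, region: str = "us-east-1") -> str:
    """Render the CLI command a reviewer would run (or paste into a ticket)."""
    payload = json.dumps(remediation_settings(response, kms_key_id), separators=(",", ":"))
    return (f"aws glue put-data-catalog-encryption-settings --region {region} "
            f"--data-catalog-encryption-settings '{payload}'")


if __name__ == "__main__":
    print(evaluate(NONCOMPLIANT))
    print(remediation_command(NONCOMPLIANT, KMS_KEY))
```

Feed it the real output of the get command to audit an account; the evaluate() result is what the Test Plan above should assert on, rather than whether the catalog can be reached.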

Using AWS GUI:

  • Go to the AWS Glue console.
  • Click Settings in the left navigation pane.
  • On the Data catalog settings page, select the Encrypt connection passwords checkbox.
  • Click Save.

Backout Plan:

  • Sign in to the AWS Management Console.
  • Go to the AWS Glue console.
  • Click Settings in the left navigation pane.
  • On the Data catalog settings page, unselect the Encrypt connection passwords checkbox.
  • Click Save.


Note:

  • This policy only applies to the AWS Glue Data Catalog. Other AWS services, such as Amazon S3, may have their own encryption settings for connection passwords.
  • You can also enable encryption for connection passwords using the AWS Glue API.
  • For more information, see the AWS Glue documentation on encrypting connection passwords: https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html.

Reference:
https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html
https://docs.aws.amazon.com/kms/latest/developerguide/