Description:
AWS Glue ETL jobs can write data to Amazon S3. Enabling encryption for data written to S3 helps to protect it from unauthorized access.

Rationale:
Data written to S3 can be read by any principal that has permissions on the S3 bucket. If this data is not encrypted, it could be easily compromised, which could lead to unauthorized access to sensitive data.

Impact:
If data written to S3 is not encrypted, then it could be easily compromised. This could lead to unauthorized access to sensitive data, such as customer PII, financial data, and intellectual property.

Default Value:
AWS Glue does not enable encryption for data written to S3 by default.

Pre-requisites:

  • You must have an AWS account and be logged in to the AWS Management Console.
  • You must have the AWS CLI installed and configured.


Remediation Steps:

  • Sign in to the AWS Management Console.
  • Go to the AWS Glue console.
  • Click Jobs in the left navigation pane.
  • Select the job that you want to enable encryption for.
  • On the Job details page, click the Configuration tab.
  • In the S3 encryption section, select the Enable S3 encryption checkbox.
  • Select the AWS KMS key that you want to use for encryption.
  • Click Save.


Test Plan:

  • Verify that the Enable S3 encryption checkbox is selected.
  • Verify that the AWS KMS key that you selected is the correct key.
  • Try to access the data that was written to S3 using the AWS CLI.
  • If you are unable to access the data, then it is encrypted.
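Because SSE-KMS decryption is transparent to any principal that holds kms:Decrypt on the key, the most direct evidence is the job's attached Glue security configuration and the server-side-encryption metadata on the objects it wrote. The check below is an added example, not part of this policy page: it takes the response dicts that boto3's glue.get_job(), glue.get_security_configuration() and s3.head_object() return, so in live use the live responses are passed straight in. The sample responses, the job names other than my-job, and the security configuration names are constructed for the example; the KMS key ARN is the one used in this page's CLI command.

```python
from typing import Dict, List, Optional

# KMS key ARN from this page's CLI example.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

# S3EncryptionMode values a Glue security configuration may carry: DISABLED, SSE-S3, SSE-KMS.
ACCEPTED_MODES = {"SSE-KMS", "SSE-S3"}


def security_configuration_findings(sec_cfg: dict, required_kms_key_arn: Optional[str] = None) -> List[str]:
    """Findings (empty list = compliant) for one GetSecurityConfiguration response."""
    findings: List[str] = []
    enc = sec_cfg.get("SecurityConfiguration", {}).get("EncryptionConfiguration", {})
    s3_rules = enc.get("S3Encryption", [])
    if not s3_rules:
        return ["security configuration has no S3Encryption rules"]
    for rule in s3_rules:
        mode = rule.get("S3EncryptionMode", "DISABLED")
        if mode not in ACCEPTED_MODES:
            findings.append(f"S3EncryptionMode is {mode}")
        elif mode == "SSE-KMS" and required_kms_key_arn:
            key = rule.get("KmsKeyArn")
            if key != required_kms_key_arn:
                findings.append(f"KmsKeyArn is {key}, expected {required_kms_key_arn}")
    return findings


def job_findings(job: dict, sec_cfgs: Dict[str, dict], required_kms_key_arn: Optional[str] = None) -> List[str]:
    """Check one GetJob response: the job must reference a security configuration that enforces S3 encryption."""
    name = job.get("Job", {}).get("SecurityConfiguration")
    if not name:
        # The page's "Default Value": a job with nothing attached writes plaintext.
        return ["job has no SecurityConfiguration attached"]
    if name not in sec_cfgs:
        return [f"security configuration {name!r} not found"]
    return [f"{name}: {f}" for f in security_configuration_findings(sec_cfgs[name], required_kms_key_arn)]


def audit(jobs: List[dict], sec_cfgs: Dict[str, dict], required_kms_key_arn: Optional[str] = None) -> Dict[str, List[str]]:
    """Map each job name to its findings."""
    return {j["Job"]["Name"]: job_findings(j, sec_cfgs, required_kms_key_arn) for j in jobs}


def object_is_kms_encrypted(head: dict, required_kms_key_arn: Optional[str] = None) -> bool:
    """Check a HeadObject response for an object the job wrote.
    SSE-KMS shows up as ServerSideEncryption == 'aws:kms' plus the key in SSEKMSKeyId."""
    if head.get("ServerSideEncryption") != "aws:kms":
        return False
    if required_kms_key_arn and head.get("SSEKMSKeyId") != required_kms_key_arn:
        return False
    return True


# Constructed sample responses (shape follows boto3; values are made up for this example).
SAMPLE_SECURITY_CONFIGS = {
    "my-job-s3-kms": {"SecurityConfiguration": {"Name": "my-job-s3-kms", "EncryptionConfiguration": {
        "S3Encryption": [{"S3EncryptionMode": "SSE-KMS", "KmsKeyArn": KEY_ARN}],
        "CloudWatchEncryption": {"CloudWatchEncryptionMode": "DISABLED"},
        "JobBookmarksEncryption": {"JobBookmarksEncryptionMode": "DISABLED"}}}},
    "legacy-no-encryption": {"SecurityConfiguration": {"Name": "legacy-no-encryption", "EncryptionConfiguration": {
        "S3Encryption": [{"S3EncryptionMode": "DISABLED"}]}}},
}
SAMPLE_JOBS = [
    {"Job": {"Name": "my-job", "SecurityConfiguration": "my-job-s3-kms"}},
    {"Job": {"Name": "nightly-export"}},
    {"Job": {"Name": "old-job", "SecurityConfiguration": "legacy-no-encryption"}},
]
SAMPLE_HEAD_OBJECT = {"ContentLength": 4096, "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_ARN}

if __name__ == "__main__":
    for job_name, findings in audit(SAMPLE_JOBS, SAMPLE_SECURITY_CONFIGS, KEY_ARN).items():
        print(f"{job_name}: {'OK' if not findings else '; '.join(findings)}")
    print("sample object encrypted with the required key:", object_is_kms_encrypted(SAMPLE_HEAD_OBJECT, KEY_ARN))
```

Passing the required key ARN makes the check catch a job that is encrypted but with the wrong key, which the console checkbox alone does not surface; omit it to accept any SSE-KMS or SSE-S3 configuration.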

Implementation Plan:

AWS CLI Process:
AWS Glue sets S3 encryption for a job through a security configuration that is attached to the job (create-job has no --enable-s3-encryption or --kms-key-id options). First create a security configuration that uses SSE-KMS with your key:

aws glue create-security-configuration --region us-east-1 --name my-job-s3-kms --encryption-configuration '{"S3Encryption":[{"S3EncryptionMode":"SSE-KMS","KmsKeyArn":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"}]}'

Then attach it to the job. The IAM role and script location below are placeholders to fill in for your job; for a job that already exists, set "SecurityConfiguration" in the --job-update of aws glue update-job instead:

aws glue create-job --region us-east-1 --name my-job --role arn:aws:iam::123456789012:role/<GLUE_JOB_ROLE> --command Name=glueetl,ScriptLocation=s3://<BUCKET>/scripts/my-job.py --security-configuration my-job-s3-kms

Using AWS GUI:

  • Go to the AWS Glue console.
  • Click Jobs in the left navigation pane.
  • Select the job that you want to enable encryption for.
  • On the Job details page, click the Configuration tab.
  • In the S3 encryption section, select the Enable S3 encryption checkbox.
  • Select the AWS KMS key that you want to use for encryption.
  • Click Save.


Backout Plan:

  • Sign in to the AWS Management Console.
  • Go to the AWS Glue console.
  • Click Jobs in the left navigation pane.
  • Select the job that you want to disable encryption for.
  • On the Job details page, click the Configuration tab.
  • In the S3 encryption section, clear the Enable S3 encryption checkbox.
  • Click Save.

Note:

  • This policy only applies to data written to Amazon S3 by AWS Glue ETL jobs. Other data written to S3 may not be encrypted.
  • You can also enable encryption for data written to S3 using the AWS Glue API.
  • For more information, see the AWS Glue documentation on encrypting data written to S3: https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html.


Reference:

https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html
https://docs.aws.amazon.com/kms/latest/developerguide/