Description:
AWS Glue ETL jobs write their driver and executor logs to Amazon CloudWatch Logs. A Glue security configuration can encrypt those log groups with an AWS KMS key (SSE-KMS), so that reading the logs requires both CloudWatch Logs permissions and kms:Decrypt on the key. This control checks that every Glue job has such a security configuration attached.
Rationale:
Glue job logs routinely contain whatever the job script prints, stack traces with argument values, and, in badly written jobs, record contents or connection strings. CloudWatch Logs encrypts log data at rest by default, but with a service-owned key, so anyone holding logs:GetLogEvents (or logs:FilterLogEvents, logs:StartQuery) on the log group can read the data. Encrypting the Glue log groups with a customer managed KMS key adds a second, independently audited authorization check (kms:Decrypt on the key), lets you scope readers through the key policy rather than only through IAM, and lets you revoke access to all existing log data at once by disabling the key.
Impact:
If the log groups are not encrypted with a customer managed key, any principal with CloudWatch Logs read permissions (including cross-account access granted to a logs destination, or an over-broad ReadOnlyAccess policy) can read sensitive data the job emitted, such as customer PII, financial data and intellectual property, and there is no KMS audit trail of who decrypted it. Enabling the control also has operational impact: the KMS key policy must allow the CloudWatch Logs service principal, or the job fails to write logs; readers of the logs additionally need kms:Decrypt on the key; and KMS API calls for the log groups are billed.
Default Value:
A Glue job has no security configuration attached by default, so CloudWatch Logs encryption with a customer managed key is not enabled. The job's log groups then rely only on the default CloudWatch Logs service-managed encryption.
Pre-requisites:
- You must have an AWS account and be signed in to the AWS Management Console with permissions for glue:CreateSecurityConfiguration, glue:GetSecurityConfiguration, glue:GetJob and glue:UpdateJob (glue:CreateJob for new jobs), plus kms:DescribeKey on the key you intend to use.
- You must have the AWS CLI installed and configured for the account and Region that hosts the jobs.
- A customer managed KMS key must exist in the same Region as the jobs, and its key policy must grant the CloudWatch Logs service principal for that Region (logs.<region>.amazonaws.com) the actions kms:Encrypt*, kms:Decrypt*, kms:ReEncrypt*, kms:GenerateDataKey* and kms:Describe*. Without this grant the security configuration is accepted but the job cannot write its logs.
Remediation Steps:
- Sign in to the AWS Management Console.
- Go to the AWS Glue console.
- Open Security configurations (in the Data Catalog / Security section of the left navigation pane) and choose Add security configuration.
- Give the configuration a name, select Enable CloudWatch logs encryption, and choose the AWS KMS key you prepared. Leave S3 and job bookmark encryption as your other controls require; the same security configuration governs all three.
- Create the configuration. Security configurations cannot be edited afterwards; to change the key you create a new configuration and re-attach it.
- Click Jobs in the left navigation pane and select the job you want to enable encryption for.
- On the Job details tab, expand Advanced properties and, under Security configuration, select the configuration you just created.
- Click Save.
- Repeat the attach step for every job in scope; the configuration is per job, not account-wide.
Test Plan:
- Verify that the job has a security configuration attached: the SecurityConfiguration field of the GetJob response (aws glue get-job --job-name <job>) must be non-empty.
- Verify that the attached configuration encrypts logs with the intended key: in the GetSecurityConfiguration response, EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode must be SSE-KMS and KmsKeyArn must be the approved key ARN.
- Run the job once and verify that the log groups Glue creates for it (their names include the security configuration and role name when one is attached) report that key in the kmsKeyId attribute of describe-log-groups.
- Do not use "I cannot read the logs" as the pass condition. A caller with both CloudWatch Logs permissions and kms:Decrypt reads encrypted logs transparently, and a caller lacking either permission gets an access error whether or not encryption is enabled.
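The test plan above is easiest to apply at scale as a script rather than by reading console screens job by job. The following audit is an added example, not code from the original page or from AWS; it evaluates the three checks on dicts shaped like the GetJob and GetSecurityConfiguration API responses, and also checks that a KMS key policy grants the CloudWatch Logs service principal the actions the prerequisites require. The sample jobs, security configurations, key ARN and key policy are constructed for the example; fetch_live() shows how the same dicts would be pulled from a real account with boto3 (that function is not exercised offline).

```python
"""Audit AWS Glue jobs for CloudWatch Logs encryption via a security configuration.

Added example, not from the original page or AWS. The check functions work on
dicts shaped like the GetJob / GetSecurityConfiguration responses so they run
offline on the constructed sample below; fetch_live() feeds them live data.
"""
from fnmatch import fnmatch

# Actions the Glue documentation requires the CloudWatch Logs service principal
# to hold on the key (the docs grant them as kms:Encrypt*, kms:Decrypt*, ...).
REQUIRED_LOGS_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom",
                         "kms:GenerateDataKey", "kms:DescribeKey")

# Constructed placeholder key ARN (same shape as a real one, not a real key).
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"


def check_job(job, security_configs, approved_keys=None):
    """Return a list of findings for one job; an empty list means compliant.

    job              -- the "Job" dict from GetJob
    security_configs -- {name: "SecurityConfiguration" dict from GetSecurityConfiguration}
    approved_keys    -- optional set of KMS key ARNs the organisation allows
    """
    name = job.get("SecurityConfiguration")
    if not name:
        return ["no security configuration attached"]
    sc = security_configs.get(name)
    if sc is None:
        return [f"security configuration {name!r} not found"]
    cw = sc.get("EncryptionConfiguration", {}).get("CloudWatchEncryption", {})
    mode = cw.get("CloudWatchEncryptionMode", "DISABLED")
    key = cw.get("KmsKeyArn")
    findings = []
    if mode != "SSE-KMS":
        findings.append(f"CloudWatch encryption mode is {mode}, expected SSE-KMS")
    elif not key:
        findings.append("SSE-KMS selected but no KmsKeyArn set")
    if key and approved_keys is not None and key not in approved_keys:
        findings.append(f"key {key} is not in the approved list")
    return findings


def audit(jobs, security_configs, approved_keys=None):
    """Map job name -> findings for every job."""
    return {j["Name"]: check_job(j, security_configs, approved_keys) for j in jobs}


def logs_principal_allowed(key_policy, region):
    """True if an Allow statement grants logs.<region>.amazonaws.com every
    required action. Wildcard actions (kms:Encrypt*) are matched with fnmatch.
    Conditions are not evaluated, so this is a necessary, not sufficient, check."""
    principal = f"logs.{region}.amazonaws.com"
    granted = set()
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        services = [services] if isinstance(services, str) else services
        if principal not in services:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        granted.update(a for a in REQUIRED_LOGS_ACTIONS
                       if any(fnmatch(a, pat) for pat in actions))
    return granted == set(REQUIRED_LOGS_ACTIONS)


def fetch_live(region):
    """Pull the same shapes from a real account (requires boto3 and credentials)."""
    import boto3  # imported here so the offline sample runs without it
    glue = boto3.client("glue", region_name=region)
    jobs = [j for page in glue.get_paginator("get_jobs").paginate() for j in page["Jobs"]]
    names = {j["SecurityConfiguration"] for j in jobs if j.get("SecurityConfiguration")}
    configs = {n: glue.get_security_configuration(Name=n)["SecurityConfiguration"] for n in names}
    return jobs, configs


# --- constructed sample data -------------------------------------------------
SAMPLE_SECURITY_CONFIGS = {
    "glue-cw-logs-kms": {"Name": "glue-cw-logs-kms", "EncryptionConfiguration": {
        "S3Encryption": [{"S3EncryptionMode": "DISABLED"}],
        "CloudWatchEncryption": {"CloudWatchEncryptionMode": "SSE-KMS", "KmsKeyArn": KEY_ARN},
        "JobBookmarksEncryption": {"JobBookmarksEncryptionMode": "DISABLED"}}},
    "s3-only": {"Name": "s3-only", "EncryptionConfiguration": {
        "CloudWatchEncryption": {"CloudWatchEncryptionMode": "DISABLED"}}},
}
SAMPLE_JOBS = [
    {"Name": "etl-orders", "SecurityConfiguration": "glue-cw-logs-kms"},   # compliant
    {"Name": "etl-legacy"},                                                # nothing attached
    {"Name": "etl-staging", "SecurityConfiguration": "s3-only"},           # logs not encrypted
    {"Name": "etl-deleted-sc", "SecurityConfiguration": "retired-config"}, # dangling reference
]
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"Service": "logs.us-east-1.amazonaws.com"},
     "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:Describe*"], "Resource": "*"},
]}

if __name__ == "__main__":
    for job, findings in audit(SAMPLE_JOBS, SAMPLE_SECURITY_CONFIGS, {KEY_ARN}).items():
        print(f"{job}: {'COMPLIANT' if not findings else '; '.join(findings)}")
    print("key policy grants CloudWatch Logs:", logs_principal_allowed(SAMPLE_KEY_POLICY, "us-east-1"))
```

Passing an approved_keys set catches the case the test plan calls out where encryption is on but with the wrong key (for example a key from another team whose policy you do not control). The key policy check only confirms the grant exists for the Region's service principal; a restrictive Condition block could still deny the request, so treat a False as a definite failure and a True as a prompt to run the job and look at its log group.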
Implementation Plan:
AWS CLI Process:
- Create a security configuration that encrypts CloudWatch Logs with your KMS key (the key ARN below is a placeholder; there is no per-job encryption flag on create-job, the setting lives in the security configuration):
aws glue create-security-configuration --region us-east-1 --name glue-cw-logs-kms --encryption-configuration '{"CloudWatchEncryption":{"CloudWatchEncryptionMode":"SSE-KMS","KmsKeyArn":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"}}'
- Attach it when creating a new job (role and script location are placeholders):
aws glue create-job --region us-east-1 --name my-job --role arn:aws:iam::123456789012:role/my-glue-role --command Name=glueetl,ScriptLocation=s3://my-bucket/scripts/my-job.py --security-configuration glue-cw-logs-kms
- For an existing job, use update-job. UpdateJob replaces the entire job definition, so build the JobUpdate from the current get-job output with "SecurityConfiguration": "glue-cw-logs-kms" added and the read-only fields (Name, CreatedOn, LastModifiedOn) removed; sending only the one field would wipe the rest of the job:
aws glue update-job --region us-east-1 --job-name my-job --job-update file://my-job-update.json
Using AWS GUI:
- Go to the AWS Glue console.
- Open Security configurations, choose Add security configuration, select Enable CloudWatch logs encryption, choose your AWS KMS key and create the configuration.
- Click Jobs in the left navigation pane.
- Select the job that you want to enable encryption for.
- On the Job details tab, expand Advanced properties.
- Under Security configuration, select the configuration you created.
- Click Save, then repeat for each remaining job in scope.
Backout Plan:
- Sign in to the AWS Management Console.
- Go to the AWS Glue console.
- Click Jobs in the left navigation pane.
- Select the job that you want to disable encryption for.
- On the Job details tab, expand Advanced properties and, under Security configuration, clear the selection (or select a configuration whose CloudWatch logs encryption is disabled).
- Click Save. Via the CLI the equivalent is an update-job call whose JobUpdate omits SecurityConfiguration; as above, the full job definition must be resubmitted.
- Log events already written stay encrypted under the original key and remain readable only with kms:Decrypt on it; subsequent runs write to the default Glue log groups with service-managed encryption.
- If the security configuration itself is no longer needed, delete it only after it has been detached from every job that references it; it cannot be modified in place.
Note:
- This policy applies only to the log groups written by AWS Glue ETL jobs. Other CloudWatch log groups in the account are not covered and need their own KMS association.
- The same security configuration also controls S3 encryption of job output and job bookmark encryption; the CloudWatch setting can be enabled independently of the other two.
- You can also enable encryption through the AWS Glue API (CreateSecurityConfiguration and UpdateJob) or infrastructure as code, for example the CloudFormation resource AWS::Glue::SecurityConfiguration, which is preferable to console changes for keeping every job in scope consistent.
- For more information, see the AWS Glue documentation on encryption at rest: https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html.
Reference:
https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html
https://docs.aws.amazon.com/kms/latest/developerguide/