Description:
AWS Glue development endpoints can store job bookmarks, which are files that contain information about the state of a job. Enabling encryption for job bookmarks helps to protect them from unauthorized access.

Rationale:
Job bookmarks can contain sensitive information, such as the names of the tables that were processed by a job or the values of the parameters that were passed to a job. If these bookmarks are not encrypted, they could be easily compromised, which could lead to unauthorized access to sensitive data.

Impact:
If job bookmarks are not encrypted, then they could be easily compromised. This could lead to unauthorized access to sensitive data, such as customer PII, financial data, and intellectual property.

Default Value:
AWS Glue does not enable encryption for job bookmarks by default.

Pre-requisites:

  • You must have an AWS account and be logged in to the AWS Management Console.
  • You must have the AWS CLI installed and configured.


Remediation Steps:

  • Sign in to the AWS Management Console.
  • Go to the AWS Glue console.
  • Click Development Endpoints in the left navigation pane.
  • Select the development endpoint that you want to enable encryption for.
  • On the Development endpoint details page, click the Configuration tab.
  • In the Job bookmark encryption section, select the Enable job bookmark encryption checkbox.
  • Select the AWS KMS key that you want to use for encryption.
  • Click Save.


Test Plan:

  • Verify that the Enable job bookmark encryption checkbox is selected.
  • Verify that the AWS KMS key that you selected is the correct key.
  • Try to access the job bookmarks for the development endpoint using the AWS CLI.
  • If you are unable to access the bookmarks, then they are encrypted.
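The following check, added here as an example and not part of the original policy text, automates the verification above: since job bookmark encryption for a development endpoint is carried by its attached security configuration, it resolves each endpoint's SecurityConfiguration and inspects the JobBookmarksEncryption setting. The sample endpoint and configuration records are constructed to mirror the GetDevEndpoints and GetSecurityConfiguration response shapes; the endpoint names and KMS key ARN are placeholders.

```python
# Added example (not from the policy text): audit Glue development endpoints
# for job bookmark encryption via the attached security configuration.

# Constructed sample data mirroring GetDevEndpoints / GetSecurityConfiguration
# response shapes; names and key ARN are placeholders, not real resources.
SAMPLE_ENDPOINTS = [
    {"EndpointName": "etl-dev-1", "SecurityConfiguration": "bookmark-cse-kms"},
    {"EndpointName": "etl-dev-2", "SecurityConfiguration": "s3-only"},
    {"EndpointName": "etl-dev-3"},  # no security configuration attached at all
]
SAMPLE_SECURITY_CONFIGS = {
    "bookmark-cse-kms": {"EncryptionConfiguration": {"JobBookmarksEncryption": {
        "JobBookmarksEncryptionMode": "CSE-KMS",
        "KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"}}},
    "s3-only": {"EncryptionConfiguration": {
        "S3Encryption": [{"S3EncryptionMode": "SSE-S3"}]}},
}


def bookmark_encryption_status(endpoint: dict, configs: dict) -> str:
    """Return 'COMPLIANT' or a reason code for one development endpoint."""
    name = endpoint.get("SecurityConfiguration")
    if not name:
        return "NO_SECURITY_CONFIGURATION"
    config = configs.get(name)
    if config is None:
        return f"SECURITY_CONFIGURATION_NOT_FOUND:{name}"
    bookmarks = config.get("EncryptionConfiguration", {}).get("JobBookmarksEncryption", {})
    mode = bookmarks.get("JobBookmarksEncryptionMode", "DISABLED")
    if mode != "CSE-KMS":
        return f"JOB_BOOKMARK_ENCRYPTION_{mode}"
    if not bookmarks.get("KmsKeyArn"):
        return "CSE-KMS_WITHOUT_KMS_KEY"
    return "COMPLIANT"


def audit(endpoints: list, configs: dict) -> dict:
    """Map every endpoint name to its job bookmark encryption status."""
    return {e["EndpointName"]: bookmark_encryption_status(e, configs) for e in endpoints}


def audit_live(region: str) -> dict:
    """Run the same check against an account (needs boto3 and glue:Get* permissions)."""
    import boto3  # imported lazily so the offline sample runs without it
    glue = boto3.client("glue", region_name=region)
    endpoints = [e for page in glue.get_paginator("get_dev_endpoints").paginate()
                 for e in page["DevEndpoints"]]
    names = {e["SecurityConfiguration"] for e in endpoints if e.get("SecurityConfiguration")}
    configs = {n: glue.get_security_configuration(Name=n)["SecurityConfiguration"] for n in names}
    return audit(endpoints, configs)
```

Call audit(SAMPLE_ENDPOINTS, SAMPLE_SECURITY_CONFIGS) to see the three outcomes offline, or audit_live("us-east-1") against an account; any result other than COMPLIANT names the reason the endpoint fails this policy.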

Implementation Plan:

AWS CLI Process:

  • Job bookmark encryption is set through a Glue security configuration, which is attached to a development endpoint when it is created. Run the following commands to create a security configuration that encrypts job bookmarks with your KMS key and to create the endpoint with that configuration attached (replace <glue-service-role-arn> with the IAM role the endpoint should assume):
aws glue create-security-configuration --region us-east-1 --name my-bookmark-encryption --encryption-configuration '{"JobBookmarksEncryption":{"JobBookmarksEncryptionMode":"CSE-KMS","KmsKeyArn":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"}}'
aws glue create-dev-endpoint --region us-east-1 --endpoint-name my-endpoint --role-arn <glue-service-role-arn> --security-configuration my-bookmark-encryption

Using AWS GUI:

  • Go to the AWS Glue console.
  • Click Development Endpoints in the left navigation pane.
  • Select the development endpoint that you want to enable encryption for.
  • On the Development endpoint details page, click the Configuration tab.
  • In the Job bookmark encryption section, select the Enable job bookmark encryption checkbox.
  • Select the AWS KMS key that you want to use for encryption.
  • Click Save.


Backout Plan:

  • Sign in to the AWS Management Console.
  • Go to the AWS Glue console.
  • Click Development Endpoints in the left navigation pane.
  • Select the development endpoint that you want to disable encryption for.
  • On the Development endpoint details page, click the Configuration tab.
  • In the Job bookmark encryption section, unselect the Enable job bookmark encryption checkbox.
  • Click Save.


Note:

  • This policy only applies to job bookmarks for AWS Glue development endpoints. Other job bookmarks may not be encrypted.
  • You can also enable encryption for job bookmarks using the AWS Glue API.
  • For more information, see the AWS Glue documentation on encrypting job bookmarks: https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html.

Reference:

https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html

https://docs.aws.amazon.com/kms/latest/developerguide/