Description:
AWS Glue development endpoints can store job bookmarks, which are files that contain information about the state of a job. Enabling encryption for job bookmarks helps to protect them from unauthorized access.
Rationale:
Job bookmarks can contain sensitive information, such as the names of the tables that were processed by a job or the values of the parameters that were passed to a job. If these bookmarks are not encrypted, they could be easily compromised, which could lead to unauthorized access to sensitive data.
Impact:
If job bookmarks are not encrypted, then they could be easily compromised. This could lead to unauthorized access to sensitive data, such as customer PII, financial data, and intellectual property.
Default Value:
AWS Glue does not enable encryption for job bookmarks by default.
Pre-requisites:
- You must have an AWS account and be logged in to the AWS Management Console.
- You must have the AWS CLI installed and configured.
Remediation Steps:
- Sign in to the AWS Management Console.
- Go to the AWS Glue console.
- Click Development Endpoints in the left navigation pane.
- Select the development endpoint that you want to enable encryption for.
- On the Development endpoint details page, click the Configuration tab.
- In the Job bookmark encryption section, select the Enable job bookmark encryption checkbox.
- Select the AWS KMS key that you want to use for encryption.
- Click Save.
Test Plan:
- Verify that the Enable job bookmark encryption checkbox is selected.
- Verify that the AWS KMS key that you selected is the correct key.
- Try to access the job bookmarks for the development endpoint using the AWS CLI.
- If you are unable to access the bookmarks, then they are encrypted.
Implementation Plan:
AWS CLI Process:
- Run the following commands to enable encryption for job bookmarks. In the AWS Glue API and CLI, job bookmark encryption is a property of a Glue security configuration, not a direct option of the development endpoint: the first command creates a security configuration with job bookmark encryption mode CSE-KMS and your KMS key, and the second creates the development endpoint with that security configuration attached (replace the role ARN placeholder with your Glue service role):
aws glue create-security-configuration --region us-east-1 --name my-endpoint-sec-config --encryption-configuration '{"JobBookmarksEncryption":{"JobBookmarksEncryptionMode":"CSE-KMS","KmsKeyArn":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"}}'
aws glue create-development-endpoint --region us-east-1 --endpoint-name my-endpoint --role-arn arn:aws:iam::123456789012:role/<your-glue-service-role> --security-configuration my-endpoint-sec-config
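The following script is an added example, not part of this policy page or of any AWS tooling. It supports both the Test Plan and the CLI remediation above: `build_encryption_configuration` produces the JSON value that `aws glue create-security-configuration --encryption-configuration` expects, and `audit_dev_endpoints` checks, offline, whether each development endpoint is attached to a security configuration whose job bookmark encryption is CSE-KMS with the expected KMS key. The sample endpoint and security-configuration records are constructed here and follow the field names of the `GetDevEndpoints` and `GetSecurityConfigurations` API responses; in practice you would load the real output of `aws glue get-dev-endpoints` and `aws glue get-security-configurations` instead. The endpoint names, security configuration names and the key ARN are assumptions for illustration.

```python
"""Audit AWS Glue job bookmark encryption from API-shaped records (added example)."""
import json

# Constructed sample records shaped like the DevEndpoint and SecurityConfiguration
# structures returned by the Glue API. They are not real account data.
EXPECTED_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

SAMPLE_SECURITY_CONFIGS = {
    "bookmarks-encrypted": {
        "Name": "bookmarks-encrypted",
        "EncryptionConfiguration": {
            "S3Encryption": [{"S3EncryptionMode": "SSE-KMS", "KmsKeyArn": EXPECTED_KEY_ARN}],
            "CloudWatchEncryption": {"CloudWatchEncryptionMode": "DISABLED"},
            "JobBookmarksEncryption": {
                "JobBookmarksEncryptionMode": "CSE-KMS",
                "KmsKeyArn": EXPECTED_KEY_ARN,
            },
        },
    },
    "bookmarks-plain": {
        "Name": "bookmarks-plain",
        "EncryptionConfiguration": {
            "S3Encryption": [{"S3EncryptionMode": "DISABLED"}],
            "CloudWatchEncryption": {"CloudWatchEncryptionMode": "DISABLED"},
            "JobBookmarksEncryption": {"JobBookmarksEncryptionMode": "DISABLED"},
        },
    },
}

SAMPLE_DEV_ENDPOINTS = [
    {"EndpointName": "my-endpoint", "SecurityConfiguration": "bookmarks-encrypted"},
    {"EndpointName": "legacy-endpoint", "SecurityConfiguration": "bookmarks-plain"},
    {"EndpointName": "no-sec-config"},  # no SecurityConfiguration attached at all
]


def build_encryption_configuration(kms_key_arn):
    """Return the EncryptionConfiguration value to pass to
    `aws glue create-security-configuration --encryption-configuration`
    (serialize it with json.dumps for the CLI)."""
    return {
        "JobBookmarksEncryption": {
            "JobBookmarksEncryptionMode": "CSE-KMS",
            "KmsKeyArn": kms_key_arn,
        }
    }


def job_bookmark_encryption_status(security_configuration, expected_key_arn=None):
    """Classify one security configuration. Returns (compliant, reason)."""
    enc = security_configuration.get("EncryptionConfiguration", {})
    bookmarks = enc.get("JobBookmarksEncryption", {})
    mode = bookmarks.get("JobBookmarksEncryptionMode", "DISABLED")
    if mode != "CSE-KMS":
        return False, f"JobBookmarksEncryptionMode is {mode}"
    key_arn = bookmarks.get("KmsKeyArn")
    if not key_arn:
        return False, "CSE-KMS set but no KmsKeyArn recorded"
    if expected_key_arn and key_arn != expected_key_arn:
        return False, f"unexpected KMS key {key_arn}"
    return True, f"CSE-KMS with {key_arn}"


def audit_dev_endpoints(endpoints, security_configs, expected_key_arn=None):
    """Map each development endpoint name to (compliant, reason).

    An endpoint with no security configuration, or one that references a
    configuration that does not exist, is reported as non-compliant because
    its job bookmarks cannot be encrypted in either case."""
    results = {}
    for ep in endpoints:
        name = ep["EndpointName"]
        sc_name = ep.get("SecurityConfiguration")
        if not sc_name:
            results[name] = (False, "no security configuration attached")
            continue
        sc = security_configs.get(sc_name)
        if sc is None:
            results[name] = (False, f"security configuration {sc_name} not found")
            continue
        results[name] = job_bookmark_encryption_status(sc, expected_key_arn)
    return results


if __name__ == "__main__":
    print(json.dumps(build_encryption_configuration(EXPECTED_KEY_ARN)))
    report = audit_dev_endpoints(SAMPLE_DEV_ENDPOINTS, SAMPLE_SECURITY_CONFIGS, EXPECTED_KEY_ARN)
    for name, (ok, why) in report.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {why}")
```

Passing `expected_key_arn` makes the check cover the second Test Plan item (the selected key is the correct one) rather than only whether some key is in use; leave it as `None` to accept any CSE-KMS key.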
Using AWS GUI:
- Go to the AWS Glue console.
- Click Development Endpoints in the left navigation pane.
- Select the development endpoint that you want to enable encryption for.
- On the Development endpoint details page, click the Configuration tab.
- In the Job bookmark encryption section, select the Enable job bookmark encryption checkbox.
- Select the AWS KMS key that you want to use for encryption.
- Click Save.
Backout Plan:
- Sign in to the AWS Management Console.
- Go to the AWS Glue console.
- Click Development Endpoints in the left navigation pane.
- Select the development endpoint that you want to disable encryption for.
- On the Development endpoint details page, click the Configuration tab.
- In the Job bookmark encryption section, unselect the Enable job bookmark encryption checkbox.
- Click Save.
Note:
- This policy only applies to job bookmarks for AWS Glue development endpoints. Other job bookmarks may not be encrypted.
- You can also enable encryption for job bookmarks using the AWS Glue API.
- For more information, see the AWS Glue documentation on encrypting job bookmarks: https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html.
Reference:
https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html
https://docs.aws.amazon.com/kms/latest/developerguide/