Profile Applicability:

  • Level 1

Description:

AWS Glue is a fully managed extract, transform, and load (ETL) service that enables the discovery, cataloging, and transformation of data. The AWS Glue Data Catalog is a persistent metadata store that maintains the metadata of your datasets, making it easier to manage, search, and access your data.

One important security feature is the ability to encrypt connection passwords stored in the Glue Data Catalog. This is a catalog-level setting (one per account and Region), not a per-connection property: once enabled, Glue encrypts each connection password with the AWS KMS key you specify before storing it, and GetConnection/GetConnections return the credential encrypted (as the ENCRYPTED_PASSWORD property) rather than in plaintext, reducing the risk of credential exposure to anyone who can read the catalog.

This SOP ensures that connection passwords stored in the Glue Data Catalog are encrypted with an AWS KMS key for secure storage and access control.

Rationale:

Enabling encryption of connection passwords in AWS Glue is crucial for:

  • Protecting Sensitive Information: Ensures that database connection passwords are encrypted, mitigating the risk of unauthorized access.

  • Regulatory Compliance: Helps meet security requirements in standards like PCI-DSS, HIPAA, and SOC 2, which require the encryption of sensitive data.

  • Security Best Practices: Aligns with security best practices for managing credentials, ensuring that passwords are never stored in plaintext.

Impact:

Pros:

  • Enhanced Security: Passwords are securely encrypted, preventing unauthorized access.

  • Compliance: Meets industry standards for the secure management of sensitive information.

  • Reduced Risk: Ensures that no sensitive connection details are exposed in plaintext, minimizing the attack surface.

Cons:

  • Operational Overhead: Requires a KMS key to be created, its key policy maintained, and the key rotated according to your key management policy.

  • Access Dependencies: Once enabled, principals that create or update connections need kms:Encrypt on the key, and any principal that must read the stored password back needs kms:Decrypt. A missing grant surfaces as a failed CreateConnection/UpdateConnection call or an unusable credential, not as an error on the setting itself.

  • Performance: Slight overhead for the KMS encrypt and decrypt calls, although this is typically negligible.

Default Value:

By default, connection password encryption is disabled: ReturnConnectionPasswordEncrypted is false in the Data Catalog encryption settings and connection passwords are returned as the plaintext PASSWORD property. You need to enable the setting explicitly and supply an AWS Key Management Service (KMS) key.

Pre-requisite:

  • AWS IAM Permissions:

    • glue:GetDataCatalogEncryptionSettings

    • glue:PutDataCatalogEncryptionSettings

    • glue:GetConnection and glue:GetConnections (to verify individual connections)

    • kms:ListAliases

    • kms:DescribeKey

    • kms:Encrypt on the chosen key for principals that create or update connections, and kms:Decrypt for principals that must read the stored password

  • AWS CLI installed and configured.

  • Familiarity with AWS Glue Data Catalog, AWS KMS, and Glue connections.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Glue under Services.

  3. In the left navigation pane, under Data Catalog, choose Catalog settings.

  4. On the Catalog settings page, check the Encrypt connection passwords option.

    • If Encrypt connection passwords is selected, the AWS KMS key used for encryption is shown; confirm it is the intended key.

    • If it is not selected, connection passwords are stored in plaintext and the setting is non-compliant.

Using AWS CLI:

The setting lives at the catalog level, not on each connection. To read it, run:

aws glue get-data-catalog-encryption-settings \
  --query 'DataCatalogEncryptionSettings.ConnectionPasswordEncryption'

  1. ReturnConnectionPasswordEncrypted should be true, and AwsKmsKeyId should identify the KMS key used for encryption.

Example output:

{
    "ReturnConnectionPasswordEncrypted": true,
    "AwsKmsKeyId": "<kms-key-arn>"
}

  2. If password encryption is not enabled, ReturnConnectionPasswordEncrypted is false and AwsKmsKeyId is absent.

  3. To confirm how an individual connection's credential is stored, run:

aws glue get-connection --name <connection-name> \
  --query 'Connection.ConnectionProperties'

With encryption in effect the credential appears under the ENCRYPTED_PASSWORD property. A connection whose properties still include PASSWORD holds its password in plaintext and must be updated (re-saved) so it is stored under the key.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Glue.

  3. In the left navigation pane, under Data Catalog, choose Catalog settings.

  4. Select Encrypt connection passwords and choose the AWS KMS key to use for encryption.

  5. Choose Save.

  6. Verify each existing connection as described in the Test Plan; update any connection that still shows PASSWORD so its credential is stored as ENCRYPTED_PASSWORD.

Using AWS CLI:

The put call writes the whole encryption-settings object, so first capture the current settings and carry the existing EncryptionAtRest block through unchanged when you enable password encryption:

aws glue get-data-catalog-encryption-settings

aws glue put-data-catalog-encryption-settings \
  --data-catalog-encryption-settings '{
    "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
    "ConnectionPasswordEncryption": {
      "ReturnConnectionPasswordEncrypted": true,
      "AwsKmsKeyId": "<kms-key-arn>"
    }
  }'

  1. Replace the EncryptionAtRest block with the value returned by the get call if catalog encryption at rest is already configured; the DISABLED value above is only correct when it is not.

  2. To confirm the change, rerun get-data-catalog-encryption-settings as described in the Test Plan, then update any existing connection that still stores PASSWORD so its credential is written as ENCRYPTED_PASSWORD.

Backout Plan:

If enabling password encryption causes issues (e.g., connection creation or credential reads failing because a principal lacks kms:Encrypt or kms:Decrypt on the key):

  1. Identify the affected connection and the calling principal. Prefer granting the missing KMS permission over disabling encryption.

  2. If encryption must be disabled, write the settings object back with the flag off, again preserving the existing EncryptionAtRest block:

aws glue put-data-catalog-encryption-settings \
  --data-catalog-encryption-settings '{
    "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": false}
  }'

  3. Verify with get-data-catalog-encryption-settings that ReturnConnectionPasswordEncrypted is false, check the connection's properties with get-connection, and confirm the connection is functional.
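A small offline helper that ties the Test Plan, Implementation and Backout steps above together: it evaluates the JSON returned by get-data-catalog-encryption-settings and get-connections, lists connections still holding a PASSWORD property, and builds the put-data-catalog-encryption-settings payloads for enabling and for backing out while carrying the EncryptionAtRest block through unchanged. This is an added example written for this page, not AWS, CIS or benchmark code; the embedded catalog settings and connection list are constructed samples, and the key ARN, alias and ciphertext values are placeholders. Save the real CLI output to files and pass the parsed JSON to audit() to run it against an account.

```python
"""Offline audit / payload helper for Glue Data Catalog connection-password
encryption. Added example; it only handles the JSON shapes the AWS CLI
returns, so it runs without AWS access. Feed it the output of:
  aws glue get-data-catalog-encryption-settings
  aws glue get-connections        (without --hide-password)
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample: get-data-catalog-encryption-settings output for a catalog
# with encryption at rest ON but connection password encryption OFF.
# The key id is a placeholder, not a real ARN.
SAMPLE_SETTINGS: dict[str, Any] = {
    "DataCatalogEncryptionSettings": {
        "EncryptionAtRest": {
            "CatalogEncryptionMode": "SSE-KMS",
            "SseAwsKmsKeyId": "<catalog-kms-key-arn>",
        },
        "ConnectionPasswordEncryption": {
            "ReturnConnectionPasswordEncrypted": False
        },
    }
}

# Constructed sample: two connections as get-connections would list them.
# PASSWORD / ENCRYPTED_PASSWORD are the real Glue property names; the values
# are placeholders. "old-jdbc" still stores a plaintext password.
SAMPLE_CONNECTIONS: dict[str, Any] = {
    "ConnectionList": [
        {"Name": "old-jdbc", "ConnectionType": "JDBC",
         "ConnectionProperties": {"USERNAME": "etl", "PASSWORD": "<plaintext>"}},
        {"Name": "new-jdbc", "ConnectionType": "JDBC",
         "ConnectionProperties": {"USERNAME": "etl",
                                  "ENCRYPTED_PASSWORD": "<kms-ciphertext>"}},
    ]
}


def password_encryption_enabled(settings: dict[str, Any]) -> bool:
    """True when the catalog returns connection passwords encrypted."""
    cpe = settings.get("DataCatalogEncryptionSettings", {}).get(
        "ConnectionPasswordEncryption", {})
    return bool(cpe.get("ReturnConnectionPasswordEncrypted", False))


def plaintext_password_connections(connections: dict[str, Any]) -> list[str]:
    """Names of connections whose credential is stored as PASSWORD rather than
    ENCRYPTED_PASSWORD; these must be re-saved after encryption is enabled."""
    names: list[str] = []
    for conn in connections.get("ConnectionList", []):
        props = conn.get("ConnectionProperties", {})
        if "PASSWORD" in props and "ENCRYPTED_PASSWORD" not in props:
            names.append(conn["Name"])
    return names


def audit(settings: dict[str, Any], connections: dict[str, Any]) -> list[str]:
    """Return one finding per non-compliant item (empty list == compliant)."""
    findings: list[str] = []
    if not password_encryption_enabled(settings):
        findings.append("Catalog: ReturnConnectionPasswordEncrypted is false")
    for name in plaintext_password_connections(connections):
        findings.append(f"Connection {name}: stored as PASSWORD, not ENCRYPTED_PASSWORD")
    return findings


def _at_rest_block(settings: dict[str, Any]) -> dict[str, Any]:
    # Preserve whatever EncryptionAtRest is currently configured; the put call
    # replaces the whole settings object, so omitting it would be a regression.
    current = settings.get("DataCatalogEncryptionSettings", {})
    return current.get("EncryptionAtRest", {"CatalogEncryptionMode": "DISABLED"})


def enable_payload(settings: dict[str, Any], kms_key_id: str) -> dict[str, Any]:
    """Value for --data-catalog-encryption-settings that turns encryption on."""
    return {
        "EncryptionAtRest": _at_rest_block(settings),
        "ConnectionPasswordEncryption": {
            "ReturnConnectionPasswordEncrypted": True,
            "AwsKmsKeyId": kms_key_id,
        },
    }


def disable_payload(settings: dict[str, Any]) -> dict[str, Any]:
    """Backout payload: same shape with the flag off, at-rest block preserved."""
    return {
        "EncryptionAtRest": _at_rest_block(settings),
        "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False},
    }


if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTINGS, SAMPLE_CONNECTIONS):
        print("FAIL:", finding)
    # Paste the printed JSON into:
    #   aws glue put-data-catalog-encryption-settings \
    #     --data-catalog-encryption-settings '<json>'
    print(json.dumps(enable_payload(SAMPLE_SETTINGS, "<kms-key-arn>"), indent=2))
```

The audit deliberately reads the unmasked get-connections output: with --hide-password the credential property is dropped entirely, so a connection with a plaintext password would look clean.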

Note:

  • KMS Key Management: Ensure that the KMS key used for encryption is properly managed and rotated according to your organization's key management policies, and that its key policy grants kms:Encrypt to the roles that create or update connections and kms:Decrypt only to those that genuinely need the password back.

  • Existing Connections: Enabling the setting does not by itself prove that every connection already in the catalog is stored encrypted; check each connection's properties and re-save any that still show PASSWORD.

  • Connection Testing: After enabling password encryption, thoroughly test each connection (for example, by running the jobs and crawlers that use it) to ensure that your applications can still authenticate using the encrypted credentials.

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure sensitive data (here, stored connection passwords) is encrypted. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Control what callers can retrieve of sensitive values such as stored passwords. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Grant kms:Encrypt and kms:Decrypt on the password key by role. | | |
v8 | 14.6 | Protect Information Through Access Control Lists – Restrict access to the Data Catalog and the KMS key to authorized principals. | | |