Profile Applicability:

  • Level 1

Description:

AWS Glue is a fully managed ETL (Extract, Transform, Load) service for preparing and loading data for analytics. Glue ETL jobs typically read from and write to Amazon S3, and the objects they write should be encrypted at rest so that anyone who obtains the stored bytes without permission to use the key (through a misconfigured bucket, a leaked backup or a cross-account copy) cannot read them. Encryption at rest complements, and does not replace, IAM and bucket policies.

This SOP ensures that each AWS Glue ETL job has a Glue security configuration attached whose S3 encryption mode is SSE-S3 (S3-managed keys) or SSE-KMS (a key in AWS KMS, which adds key-level access control, CloudTrail logging of every key use, and rotation under your control). The security configuration governs the objects the job writes to S3. Objects the job reads keep whatever encryption they were written with; S3 decrypts them transparently, provided that for SSE-KMS input the job's IAM role is allowed kms:Decrypt on that key, otherwise the read fails with an access-denied error.

Rationale:

Enabling S3 encryption for AWS Glue ETL jobs is critical for:

  • Data Security: Objects written by the job are unreadable to anyone who obtains the stored bytes without permission to use the key.

  • Compliance: Frameworks such as PCI DSS, HIPAA, SOC 2 and GDPR expect sensitive data to be encrypted at rest; a security configuration attached to each job gives per-job, auditable evidence that it is.

  • Best Practices: Follows the standard guidance for protecting data at rest, with the encryption mode and key chosen deliberately rather than left to bucket defaults.

Impact:

Pros:

  • Enhanced Data Security: Ensures that sensitive data the job writes is encrypted when stored in Amazon S3.

  • Compliance: Helps meet regulatory requirements that mandate encryption of stored data.

  • Consistent Enforcement: The security configuration sets the encryption mode on every object the job writes, regardless of the destination bucket's default-encryption setting, and with SSE-KMS every use of the key is recorded in CloudTrail. Encryption at rest does not by itself guarantee integrity: any principal allowed to write to the bucket can still overwrite objects.

Cons:

  • Performance Overhead: Encryption adds a small cost to reading and writing S3 objects. With SSE-KMS each object (and each multipart part) also needs a KMS request, which is billed and counts against KMS request quotas on very high-throughput jobs; enabling S3 Bucket Keys on the destination bucket reduces that KMS traffic.

  • Management Overhead: SSE-KMS means owning the key: its key policy must grant the job role and every downstream reader, and rotation and cross-account access have to be planned.

Default Value:

By default, a Glue job has no security configuration attached, so Glue sets no encryption on the objects it writes and the destination bucket's default encryption decides. Since January 2023 Amazon S3 applies SSE-S3 to new objects by default, so those objects are still encrypted at rest, but with a key you neither choose nor audit. To enforce a specific mode and key per job you must explicitly create a security configuration with SSE-S3 or SSE-KMS and attach it to the job.

Pre-requisite:

  • AWS IAM permissions for the operator running this SOP:

    • glue:GetJob and glue:GetJobs

    • glue:GetSecurityConfiguration

    • glue:CreateSecurityConfiguration

    • glue:UpdateJob

    • iam:PassRole on the job's execution role (update-job resubmits the Role field)

    • kms:DescribeKey (if using SSE-KMS)

  • Permissions for the Glue job's execution role (not the operator):

    • s3:GetObject and s3:PutObject on the input and output locations

    • kms:Encrypt, kms:Decrypt, kms:GenerateDataKey and kms:DescribeKey on the KMS key (if using SSE-KMS), granted both in the role's policy and in the key policy

  • AWS CLI installed and configured.

  • Basic knowledge of AWS Glue ETL jobs, S3 encryption, and KMS.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Glue under Services.

  3. In the AWS Glue console, go to ETL jobs and open the job you want to inspect.

  4. On the Job details tab, expand Advanced properties and read the Security configuration field:

    • If a security configuration is attached, its name is shown. Open Security configurations in the left navigation, select that name, and check its S3 encryption setting: it should show SSE-S3 or SSE-KMS with the expected key.

    • If no security configuration is attached, the field is empty, and Glue is not enforcing encryption on the objects this job writes.

Using AWS CLI:

A job does not carry encryption settings itself; it references a Glue security configuration by name, and that object holds the S3 encryption mode. First read the name attached to the job:

aws glue get-job --job-name <job-name> --query 'Job.SecurityConfiguration' --output text

The output is the security configuration's name, or None if nothing is attached (a finding in itself). Then inspect that configuration:

aws glue get-security-configuration --name <security-configuration-name> \
  --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption'

For example:

[
    {
        "S3EncryptionMode": "SSE-KMS",
        "KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234"
    }
]

  1. If the job has no security configuration, or S3EncryptionMode is DISABLED, Glue is not enforcing S3 encryption for the objects this job writes. The field's valid values are DISABLED, SSE-S3 and SSE-KMS; NONE is not a value it takes.

  2. For SSE-KMS, confirm that KmsKeyArn is the key your policy requires, not merely some key.
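The same check run across every job in the account rather than one at a time, as an added example written for this SOP (it is not AWS tooling). It assumes boto3 and configured credentials for a live run; s3_encryption_status() is a pure function, and the fake client with its job names, configuration names and key ARN is constructed to mirror the response shape of get_jobs and get_security_configuration so the script runs offline with --demo. Passing required_key_arn makes the audit strict: only SSE-KMS with that exact key counts as compliant.

```python
"""Audit every AWS Glue job for an S3-encrypting security configuration."""
from __future__ import annotations

import json
import sys
from typing import Any

ACCEPTED_MODES = ("SSE-S3", "SSE-KMS")  # the field's valid values are DISABLED, SSE-S3, SSE-KMS


def s3_encryption_status(security_configuration: dict[str, Any] | None) -> tuple[str, str | None]:
    """Classify one GetSecurityConfiguration body.

    Returns (status, kms_key_arn) with status one of NO_SECURITY_CONFIGURATION,
    DISABLED, SSE-S3 or SSE-KMS. A configuration only counts as encrypting when
    every S3Encryption entry uses an accepted mode.
    """
    if security_configuration is None:
        return "NO_SECURITY_CONFIGURATION", None
    entries = security_configuration.get("EncryptionConfiguration", {}).get("S3Encryption") or []
    modes = [e.get("S3EncryptionMode", "DISABLED") for e in entries]
    if not modes or any(m not in ACCEPTED_MODES for m in modes):
        return "DISABLED", None
    return modes[0], entries[0].get("KmsKeyArn")


def audit_jobs(glue, required_key_arn: str | None = None) -> list[dict[str, Any]]:
    """Resolve each job's security configuration (a name, not an inline object) and classify it.

    `glue` is anything exposing get_jobs()/get_security_configuration() with boto3's
    response shape. With required_key_arn set, only SSE-KMS under that key is compliant.
    """
    findings: list[dict[str, Any]] = []
    cache: dict[str, dict[str, Any]] = {}
    token: str | None = None
    while True:  # GetJobs is paginated via NextToken
        page = glue.get_jobs(**({"NextToken": token} if token else {}))
        for job in page.get("Jobs", []):
            name = job.get("SecurityConfiguration")
            if name is not None and name not in cache:
                cache[name] = glue.get_security_configuration(Name=name)["SecurityConfiguration"]
            status, key = s3_encryption_status(cache[name] if name is not None else None)
            if required_key_arn:
                compliant = status == "SSE-KMS" and key == required_key_arn
            else:
                compliant = status in ACCEPTED_MODES
            findings.append({"Job": job["Name"], "SecurityConfiguration": name,
                             "S3Encryption": status, "KmsKeyArn": key, "Compliant": compliant})
        token = page.get("NextToken")
        if not token:
            return findings


class _FakeGlue:
    """Constructed stand-in for boto3's Glue client (offline demo and tests only)."""

    _JOBS = [
        {"Name": "orders-etl", "SecurityConfiguration": "glue-s3-sse-kms"},
        {"Name": "legacy-etl"},  # nothing attached
        {"Name": "logs-etl", "SecurityConfiguration": "glue-disabled"},
    ]
    _CONFIGS = {
        "glue-s3-sse-kms": {"EncryptionConfiguration": {"S3Encryption": [
            {"S3EncryptionMode": "SSE-KMS",
             "KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"}]}},
        "glue-disabled": {"EncryptionConfiguration": {"S3Encryption": [{"S3EncryptionMode": "DISABLED"}]}},
    }

    def get_jobs(self, NextToken=None):  # two pages, to exercise pagination
        if NextToken is None:
            return {"Jobs": self._JOBS[:2], "NextToken": "page-2"}
        return {"Jobs": self._JOBS[2:]}

    def get_security_configuration(self, Name):
        return {"SecurityConfiguration": {"Name": Name, **self._CONFIGS[Name]}}


def main() -> int:
    if "--demo" in sys.argv:
        glue = _FakeGlue()
    else:
        import boto3  # assumption: boto3 installed and credentials configured
        glue = boto3.client("glue")
    findings = audit_jobs(glue)
    print(json.dumps(findings, indent=2))
    return 0 if all(f["Compliant"] for f in findings) else 1  # non-zero exit for CI gates


if __name__ == "__main__":
    sys.exit(main())
```

Run with --demo for the constructed data, or without arguments against the account; the exit code is non-zero whenever any job lacks encryption, which makes it usable as a scheduled compliance check.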

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to AWS Glue.

  2. Open Security configurations in the left navigation and choose Add security configuration. An existing security configuration cannot be edited; if its settings need to change, create a new one.

  3. Give it a name and enable S3 encryption:

    • Choose SSE-S3 for encryption with S3-managed keys.

    • Choose SSE-KMS for control over the key, its policy and its audit trail through AWS KMS.

  4. If using SSE-KMS, select or create the KMS key to use, and make sure the job's execution role is allowed to use it (role policy and key policy).

  5. Go to ETL jobs, open the job to modify, and on the Job details tab expand Advanced properties and select the new configuration under Security configuration.

  6. Save the job. The change applies from the next run; runs already in progress keep their old settings.

Using AWS CLI:

Encryption settings live in a Glue security configuration, which is immutable once created (there is no update call for it; create a new one if the settings need to change). Create one with SSE-KMS:

aws glue create-security-configuration \
  --name <security-configuration-name> \
  --encryption-configuration '{"S3Encryption":[{"S3EncryptionMode":"SSE-KMS","KmsKeyArn":"<kms-key-arn>"}]}'

For SSE-S3 use {"S3EncryptionMode":"SSE-S3"} with no key.

Then attach it to the job. update-job overwrites the whole job definition, so export the current definition, edit it, and send it back in full rather than passing the one field:

aws glue get-job --job-name <job-name> --query 'Job' > job.json

Edit job.json: remove Name, CreatedOn and LastModifiedOn (read-only; update-job rejects them) and AllocatedCapacity (deprecated), remove MaxCapacity if WorkerType or NumberOfWorkers is set (they are mutually exclusive), and add "SecurityConfiguration": "<security-configuration-name>". Keep an unedited copy of the file for the backout plan. Then:

aws glue update-job --job-name <job-name> --job-update file://job.json

To verify that the S3 encryption is enabled, run:

aws glue get-job --job-name <job-name> --query 'Job.SecurityConfiguration' --output text

  1. Ensure the job now references the new security configuration, and that get-security-configuration for that name shows S3EncryptionMode set to SSE-KMS or SSE-S3, depending on the method chosen.

  2. Run the job once and confirm the written objects carry the expected encryption: aws s3api head-object reports ServerSideEncryption and, for SSE-KMS, SSEKMSKeyId.
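Attaching the configuration is where most mistakes happen, because update-job replaces the whole job definition. The following is an added example written for this SOP, not AWS code: build_job_update() turns a get-job document into a JobUpdate the API accepts, ensure_security_configuration() creates the SSE-KMS configuration only if it is missing, and remediate_job() ties them together idempotently. The fake client, the sample job, the job and configuration names and the key ARN are constructed so the script runs offline with --demo; a live run assumes boto3 and credentials. READ_ONLY_FIELDS reflects the current GetJob/UpdateJob shapes and is the place to extend if update-job rejects a further field.

```python
"""Create an SSE-KMS Glue security configuration and attach it to an existing job."""
from __future__ import annotations

import copy
import json
import sys
from typing import Any

# GetJob returns these, but UpdateJob does not accept them (read-only or deprecated).
READ_ONLY_FIELDS = ("Name", "CreatedOn", "LastModifiedOn", "AllocatedCapacity")


def build_job_update(job: dict[str, Any], security_configuration_name: str) -> dict[str, Any]:
    """Turn a GetJob 'Job' document into a JobUpdate that attaches the configuration.

    UpdateJob overwrites the whole definition, so Role, Command, DefaultArguments and
    every other setting must be carried over, not just the field being changed.
    """
    update = copy.deepcopy(job)
    for field in READ_ONLY_FIELDS:
        update.pop(field, None)
    if "WorkerType" in update or "NumberOfWorkers" in update:
        update.pop("MaxCapacity", None)  # mutually exclusive with WorkerType/NumberOfWorkers
    update["SecurityConfiguration"] = security_configuration_name
    return update


def sse_kms_encryption_configuration(kms_key_arn: str) -> dict[str, Any]:
    """EncryptionConfiguration body for CreateSecurityConfiguration: SSE-KMS on S3 writes."""
    return {
        "S3Encryption": [{"S3EncryptionMode": "SSE-KMS", "KmsKeyArn": kms_key_arn}],
        "CloudWatchEncryption": {"CloudWatchEncryptionMode": "DISABLED"},
        "JobBookmarksEncryption": {"JobBookmarksEncryptionMode": "DISABLED"},
    }


def ensure_security_configuration(glue, name: str, kms_key_arn: str) -> bool:
    """Create the configuration if absent (they cannot be edited). Returns True if created."""
    try:
        glue.get_security_configuration(Name=name)
        return False
    except glue.exceptions.EntityNotFoundException:
        glue.create_security_configuration(
            Name=name, EncryptionConfiguration=sse_kms_encryption_configuration(kms_key_arn))
        return True


def remediate_job(glue, job_name: str, config_name: str, kms_key_arn: str) -> dict[str, Any]:
    """Attach config_name to job_name, creating the configuration if needed. Returns the job."""
    ensure_security_configuration(glue, config_name, kms_key_arn)
    job = glue.get_job(JobName=job_name)["Job"]
    if job.get("SecurityConfiguration") != config_name:  # idempotent: skip if already attached
        glue.update_job(JobName=job_name, JobUpdate=build_job_update(job, config_name))
        job = glue.get_job(JobName=job_name)["Job"]
    return job


# Constructed sample data for the offline demo and tests (not a real account).
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
SAMPLE_JOB = {
    "Name": "orders-etl",
    "Role": "arn:aws:iam::123456789012:role/GlueJobRole",
    "CreatedOn": "2024-01-01T00:00:00Z",
    "LastModifiedOn": "2024-01-02T00:00:00Z",
    "Command": {"Name": "glueetl", "ScriptLocation": "s3://example-bucket/scripts/orders.py",
                "PythonVersion": "3"},
    "DefaultArguments": {"--job-bookmark-option": "job-bookmark-enable"},
    "GlueVersion": "4.0",
    "WorkerType": "G.1X",
    "NumberOfWorkers": 2,
    "MaxCapacity": 2.0,
    "AllocatedCapacity": 2,
}


class _FakeGlue:
    """Constructed stand-in for boto3's Glue client that mimics UpdateJob's overwrite semantics."""

    class exceptions:
        class EntityNotFoundException(Exception):
            pass

    def __init__(self, jobs):
        self.jobs = {j["Name"]: copy.deepcopy(j) for j in jobs}
        self.configs: dict[str, dict[str, Any]] = {}
        self.updates: list[dict[str, Any]] = []

    def get_job(self, JobName):
        return {"Job": copy.deepcopy(self.jobs[JobName])}

    def get_security_configuration(self, Name):
        if Name not in self.configs:
            raise self.exceptions.EntityNotFoundException(Name)
        return {"SecurityConfiguration": {"Name": Name, "EncryptionConfiguration": self.configs[Name]}}

    def create_security_configuration(self, Name, EncryptionConfiguration):
        self.configs[Name] = EncryptionConfiguration
        return {"Name": Name}

    def update_job(self, JobName, JobUpdate):
        self.updates.append(copy.deepcopy(JobUpdate))
        self.jobs[JobName] = {"Name": JobName, **copy.deepcopy(JobUpdate)}  # previous definition is replaced
        return {"JobName": JobName}


def main() -> int:
    if "--demo" in sys.argv:
        glue = _FakeGlue([SAMPLE_JOB])
        job_name, config_name, key_arn = SAMPLE_JOB["Name"], "glue-s3-sse-kms", SAMPLE_KEY_ARN
    else:
        import boto3  # assumption: boto3 installed and credentials configured
        glue = boto3.client("glue")
        job_name, config_name, key_arn = sys.argv[1:4]  # <job-name> <security-configuration-name> <kms-key-arn>
    print(json.dumps(remediate_job(glue, job_name, config_name, key_arn), indent=2, default=str))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The fake client deliberately implements update_job as a wholesale replacement, which is what exposes a JobUpdate that forgot to carry Role or Command over; the real API behaves the same way.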

Backout Plan:

If attaching the security configuration causes issues (for example the job fails with a KMS access-denied error, or downstream consumers can no longer read the written objects):

  1. Identify the affected ETL job and the job definition you exported before the change (the unedited job.json).

  2. Restore the previous definition. update-job overwrites the whole job, so send the full saved definition rather than a single field; to return to the previous security configuration set SecurityConfiguration back to its old name, or omit the field to leave the job with none attached:

aws glue update-job \
  --job-name <job-name> \
  --job-update file://job-before.json

  3. Verify with aws glue get-job --job-name <job-name> --query 'Job.SecurityConfiguration' and run the job once to confirm it functions as expected.

Objects already written with SSE-KMS remain encrypted under that key after the rollback; readers still need kms:Decrypt on it. Where the failure is a missing key permission, fixing the key policy or the role is the better remedy than rolling back.

Note:

  • KMS Key Management: If using SSE-KMS, the key policy must allow the job's execution role (and every downstream reader) to use the key, and the key should be rotated according to your organisation's key management policy. Automatic KMS rotation keeps the old key material, so previously written objects stay readable.

  • Testing: Always run the ETL job after attaching the security configuration and confirm with aws s3api head-object that the written objects show the expected ServerSideEncryption value and, for SSE-KMS, the expected key.

  • S3 Bucket Policy: If the destination bucket policy denies s3:PutObject unless the s3:x-amz-server-side-encryption condition matches a specific value, the mode in the Glue security configuration must match it or every write fails. Check bucket default encryption as well, since it decides what happens to objects written by jobs that still have no security configuration.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                           | IG1 | IG2 | IG3
--------|------------|-----------------------------------------------|-----|-----|----
v8      | 3.11       | Encrypt Sensitive Data at Rest                |     |  x  |  x
v8      | 3.3        | Configure Data Access Control Lists           |  x  |  x  |  x
v8      | 6.8        | Define and Maintain Role-Based Access Control |     |     |  x