Profile Applicability:

  • Level 1

Description:

AWS Glue is a fully managed ETL (Extract, Transform, Load) service that simplifies the process of preparing and loading data for analytics. In AWS Glue, you can define connections to various data sources, such as relational databases, Amazon Redshift, or other services.

For secure communication between AWS Glue and databases, SSL (Secure Sockets Layer) encryption can be enabled to ensure that data transmitted between Glue and the database is encrypted. Enabling SSL ensures that sensitive data is securely transmitted over the network, reducing the risk of interception.

This SOP ensures that AWS Glue database connections have SSL connection enabled, improving security for data transfers.

Rationale:

Enabling SSL for AWS Glue database connections is essential for:

  • Data Security: Ensures that the data transmitted between Glue and the database is encrypted, preventing data breaches and unauthorized access.

  • Compliance: Helps meet compliance standards such as PCI-DSS, HIPAA, and SOC 2, which require encryption of sensitive data in transit.

  • Best Practices: Aligns with security best practices for encrypting data during transmission, especially for sensitive or critical data.

Impact:

Pros:

  • Enhanced Security: SSL encryption ensures that data is securely transmitted and prevents eavesdropping or data interception during transfers.

  • Compliance: Meets data protection and privacy regulations that require encryption in transit.

  • Data Integrity: Ensures that the data transferred between Glue and the database is protected and remains unchanged.

Cons:

  • Performance Overhead: Enabling SSL introduces a slight performance overhead due to encryption and decryption processes. However, this overhead is typically minimal.

  • Configuration Complexity: Requires correct configuration of SSL settings for both Glue and the target database, which may introduce complexity during setup.

Default Value:

By default, SSL is not enabled for AWS Glue database connections. You need to explicitly enable SSL when creating or modifying the connection settings for a database.

Pre-requisite:

  • AWS IAM Permissions:

    • glue:GetConnection

    • glue:UpdateConnection

    • glue:CreateConnection

  • AWS CLI installed and configured.

  • Basic understanding of AWS Glue connections, SSL encryption, and IAM roles.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Glue under Services.

  3. In the AWS Glue Dashboard, go to Connections.

  4. Select the database connection you want to inspect.

  5. In the Connection Details section, check the SSL settings:

    • Ensure that SSL connection is enabled.

    • The Connection Properties should show SSLEnabled=true if SSL is enabled for the database connection.

    • If SSL is not enabled, the property may be absent or set to false.

Using AWS CLI:

To describe the Glue connection and check if SSL is enabled, run:

aws glue get-connection --name <connection-name> --query 'Connection.ConnectionProperties'

  1. In the output, check for the SSLEnabled property:

    • If SSLEnabled is true, SSL is enabled.

    • If SSLEnabled is absent or false, SSL is not enabled.

Example output

{

    "Connection": {

        "Name": "my-db-connection",

        "ConnectionProperties": {

            "SSLEnabled": "true",

            "USERNAME": "myuser",

            "PASSWORD": "mypassword"

        }

    }

}


Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to AWS Glue.

  2. In the AWS Glue Dashboard, go to Connections and select the connection to modify.

  3. In the Connection Details section, enable SSL:

    • Check the box or enable SSL in the Connection Properties for the database connection.

    • For SSL-enabled connections, ensure that SSLEnabled=true.

  4. Save the changes to apply SSL encryption to the connection.

Using AWS CLI:

To enable SSL for an existing connection, run the following command:

aws glue update-connection \

  --name <connection-name> \

  --connection-input '{"ConnectionProperties": {"SSLEnabled": "true"}}'

To verify that SSL is enabled, run:

aws glue get-connection --name <connection-name> --query 'Connection.ConnectionProperties'

  1. Ensure that the SSLEnabled property is set to true in the connection properties.

Backout Plan:

If enabling SSL causes issues (e.g., connectivity problems or job failures):

  1. Identify the affected connection.

To disable SSL encryption, run:

aws glue update-connection \

  --name <connection-name> \

  --connection-input '{"ConnectionProperties": {"SSLEnabled": "false"}}'

  1. Verify that SSL has been disabled and that the connection is functioning correctly.

Note:

  • Certificate Management: If using SSL, ensure that the appropriate SSL certificates are configured and trusted by both the Glue connection and the target database.

  • Database Compatibility: Verify that the target database supports SSL connections. Some databases may require specific configurations for SSL to work correctly.

  • Performance Considerations: Test the performance of the connection after enabling SSL to ensure that it meets the necessary performance benchmarks for your workloads.

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.