Glue Data Catalog Encrypted With KMS Customer Master Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Glue-002

Ensure that your Amazon Glue Data Catalogs are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed keys (i.e. the default encryption keys used by the Glue service when no customer keys are defined) in order to have more granular control over the data-at-rest encryption/decryption process and to meet compliance requirements.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you use your own AWS KMS Customer Master Keys (CMKs) to protect AWS Glue Data Catalog objects and connection passwords, you have full control over who can use the encryption keys to access your AWS Glue data. AWS Key Management Service (KMS) allows you to easily create, rotate, disable and audit the Customer Master Keys created for your Amazon Glue Data Catalogs.

Audit

To determine your AWS Glue Data Catalog encryption status and configuration, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Glue service dashboard at https://console.aws.amazon.com/glue/.

03 In the left navigation panel, under Data Catalog, choose Settings.

04 On Data catalog settings page, within Encryption section, check Metadata encryption and Encrypt connection passwords features status:

  1. If these features are disabled, data-at-rest encryption is not enabled for the Amazon Glue Data Catalog available in the selected AWS region, therefore you can follow this conformity rule to enable encryption for your Data Catalog.
  2. If both Metadata encryption and Encrypt connection passwords features are enabled, encryption is currently enabled for your Amazon Glue Data Catalog. If the KMS master key selected from the AWS KMS key dropdown list starts with aws/ (i.e. aws/glue), the key used for Amazon Glue Data Catalog encryption is AWS-managed (i.e. the default encryption key made available by AWS when there are no KMS CMKs created).

05 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

Note: Getting encryption status and configuration for Data Catalog connection passwords using the AWS API via Command Line Interface (CLI) is not currently supported.

01 Run get-data-catalog-encryption-settings command (OSX/Linux/UNIX) to describe the encryption-at-rest status for the Glue Data Catalog available within the selected AWS region, i.e. US East (N. Virginia) region:

aws glue get-data-catalog-encryption-settings \
	--region us-east-1 \
	--query "DataCatalogEncryptionSettings.EncryptionAtRest"

02 The command output should return one of the following configurations:

  1. If the CatalogEncryptionMode configuration attribute value is set to "DISABLED", as shown in the example below, data-at-rest encryption is not enabled for the Amazon Glue Data Catalog objects available in the selected AWS region, therefore you can follow this conformity rule to enable encryption for your Data Catalog:
    {
        "CatalogEncryptionMode": "DISABLED"
    }
    
  2. If the CatalogEncryptionMode configuration attribute value is set to "SSE-KMS", as shown in the example below, the encryption is enabled for your Amazon Glue Data Catalog:
    {
        "CatalogEncryptionMode": "SSE-KMS",
        "SseAwsKmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234"
    }
    

03 Run describe-key command (OSX/Linux/UNIX) using the AWS KMS key ARN returned at the previous step as identifier (e.g. "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234") and custom query filters to expose the name of the manager (either "AWS" or "CUSTOMER") for the encryption key used:

aws kms describe-key \
	--region us-east-1 \
	--key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234 \
	--query 'KeyMetadata.KeyManager'

04 The command output should return the selected key manager name:

"AWS"

If the value returned by the describe-key command output is "AWS", the encryption key manager is Amazon Web Services and not the AWS customer, therefore the Amazon Glue Data Catalog available within the selected region is encrypted with the default key (i.e. AWS-managed key) instead of a KMS Customer Master Key (CMK).

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the entire audit process for other regions.
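The five CLI audit steps above, as an added example that is not Conformity's own tooling: a Python script whose decision function classifies the EncryptionAtRest block and the describe-key KeyManager value exactly as the rule does (DISABLED, SSE-KMS with an AWS-managed key, and SSE-KMS with a customer-managed key), and which loops over every region when run live. The live path assumes boto3 and AWS credentials are available; boto3 is imported lazily, so the decision logic can be exercised offline against the JSON shown in steps 02 and 04. The cross-region key check is the editor's addition, not part of the rule text.

```python
"""Audit AWS Glue Data Catalog encryption at rest across regions.

Added example, not Conformity's or AWS's tooling. The decision logic is the
rule on this page: a catalog passes only when CatalogEncryptionMode is
SSE-KMS and the key's KeyManager is CUSTOMER. boto3 is imported lazily so the
decision function can be run offline against captured CLI output.
"""
from __future__ import annotations

import json
import re

# KMS key ARN: the region component is used to sanity-check the key.
KEY_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/[0-9a-f-]{36}$")


def region_of_key_arn(arn: str) -> str | None:
    """Region component of a KMS key ARN, or None if arn is not a key ARN."""
    m = KEY_ARN_RE.match(arn or "")
    return m.group(1) if m else None


def evaluate_catalog_encryption(encryption_at_rest: dict, key_manager: str | None,
                                region: str | None = None) -> dict:
    """Classify one region's EncryptionAtRest block the way the rule does.

    encryption_at_rest: the EncryptionAtRest object returned by
        `aws glue get-data-catalog-encryption-settings` (step 02 above).
    key_manager: KeyMetadata.KeyManager from `aws kms describe-key` on
        SseAwsKmsKeyId (step 04 above), or None if it was not looked up.
    region: when given, the key ARN must be in this region (KMS keys are regional).
    """
    mode = encryption_at_rest.get("CatalogEncryptionMode", "DISABLED")
    if mode != "SSE-KMS":
        return {"status": "NON_COMPLIANT",
                "reason": f"CatalogEncryptionMode is {mode}; metadata is not encrypted at rest"}
    key_arn = encryption_at_rest.get("SseAwsKmsKeyId", "")
    key_region = region_of_key_arn(key_arn)
    if region and key_region and key_region != region:
        return {"status": "NON_COMPLIANT",
                "reason": f"key {key_arn} is in {key_region}, not {region}"}
    if key_manager is None:
        return {"status": "UNKNOWN", "reason": f"KeyManager of {key_arn} was not resolved"}
    if key_manager == "CUSTOMER":
        return {"status": "COMPLIANT", "reason": f"SSE-KMS with customer-managed key {key_arn}"}
    # KeyManager "AWS" means the aws/glue default key: encrypted, but not with a CMK.
    return {"status": "NON_COMPLIANT",
            "reason": f"SSE-KMS with AWS-managed key {key_arn} (KeyManager={key_manager})"}


def audit_region(region: str) -> dict:
    """Live audit of one region (needs AWS credentials and boto3)."""
    import boto3  # lazy: the decision logic above must not depend on it
    glue = boto3.client("glue", region_name=region)
    kms = boto3.client("kms", region_name=region)
    try:
        settings = glue.get_data_catalog_encryption_settings()
        at_rest = settings["DataCatalogEncryptionSettings"]["EncryptionAtRest"]
        manager = None
        if at_rest.get("CatalogEncryptionMode") == "SSE-KMS":
            manager = kms.describe_key(KeyId=at_rest["SseAwsKmsKeyId"])["KeyMetadata"]["KeyManager"]
    except Exception as exc:  # region without Glue, missing permission, etc.
        return {"region": region, "status": "UNKNOWN", "reason": str(exc)}
    return {"region": region, **evaluate_catalog_encryption(at_rest, manager, region)}


def audit_all_regions() -> list[dict]:
    """Step 05 above: repeat the audit in every enabled region."""
    import boto3
    regions = boto3.client("ec2", region_name="us-east-1").describe_regions()["Regions"]
    return [audit_region(r["RegionName"]) for r in regions]


if __name__ == "__main__":
    print(json.dumps(audit_all_regions(), indent=2))
```

Run it with credentials that hold glue:GetDataCatalogEncryptionSettings, kms:DescribeKey and ec2:DescribeRegions; a region that returns UNKNOWN rather than a verdict needs a manual look, since the script never treats a failed lookup as a pass.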

Remediation / Resolution

To encrypt Amazon Glue Data Catalog objects and connection passwords with your own AWS KMS Customer Master Keys (CMKs), perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your Glue Data Catalog is available).

05 Click Create Key button from the dashboard top menu.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt the Amazon Glue data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt the necessary data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue.

11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: "Your master key was created successfully. Alias: <cmk-alias>".

12 Once the KMS CMK has been created, navigate to Amazon Glue service dashboard at https://console.aws.amazon.com/glue/.

13 In the left navigation panel, under Data Catalog, choose Settings.

14 On Data catalog settings page, in the Encryption section, perform the following:

  1. For Metadata encryption feature, select the ID of the KMS CMK created earlier from the AWS KMS key dropdown list to enable at-rest encryption for metadata objects stored within the AWS Glue Data Catalog using your own KMS Customer Master Key.
  2. For Encrypt connection passwords, select the same KMS CMK ID from the AWS KMS key dropdown list to enable encryption for Amazon Glue Data Catalog connection passwords using your own KMS Customer Master Key (CMK).
  3. Click Save to apply the changes.

15 Change the AWS region from the navigation bar and repeat the remediation/resolution process for other regions.

Using AWS CLI

Note: Enabling data-at-rest encryption with KMS Customer Master Keys (CMKs) for AWS Glue Data Catalog connection passwords using the AWS API via Command Line Interface (CLI) is not currently supported.

01 Define the required KMS key policy that enables the selected IAM users and/or roles to administer the new CMK and to encrypt/decrypt Amazon Glue data using the Key Management Service (KMS) API. Create a new policy document called glue-cmk-iam-policy.json and paste the following content (replace the example account ID and the ARNs for the IAM users and/or roles with your own details):

{
  "Version": "2012-10-17",
  "Id": "aws-glue-cmk-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/cc-data-catalog-manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/cc-glue-admin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/cc-glue-admin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. glue-cmk-iam-policy.json) as command parameter to create the new AWS KMS CMK:

aws kms create-key \
	--region us-east-1 \
	--description 'KMS CMK for Amazon Glue Data Catalog' \
	--policy file://glue-cmk-iam-policy.json

03 The command output should return the new KMS CMK metadata:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "12345678-abcd-1234-abcd-12345678abcd",
        "Description": "KMS CMK for Amazon Glue Data Catalog",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517239677.120,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not return an output):

aws kms create-alias \
	--region us-east-1 \
	--alias-name alias/cc-glue-data-catalog-cmk \
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd

05 Execute put-data-catalog-encryption-settings command (OSX/Linux/UNIX) to update the security configuration of the Amazon Glue Data Catalog available in the selected AWS region, in order to enable at-rest encryption for metadata objects using the KMS Customer Master Key created in the previous steps, identified by the ARN "arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd" (the command does not produce an output; the shorthand value is quoted so the shell does not brace-expand it):

aws glue put-data-catalog-encryption-settings \
	--region us-east-1 \
	--data-catalog-encryption-settings 'EncryptionAtRest={CatalogEncryptionMode=SSE-KMS,SseAwsKmsKeyId=arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd}'

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.
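CLI remediation steps 01 to 05 above, as an added example that is not Conformity's or AWS's code: a Python script that checks the key policy before submitting it, creates the key and alias, points the Data Catalog at the key, and reads the settings back to confirm (the put call returns nothing, so the read-back is the only confirmation). SAMPLE_POLICY is a constructed sample modelled on the policy document in step 01, trimmed to three statements. The policy checks (an Allow of kms:* to the account root must be present, no wildcard principal, and a listing of external account IDs for the console step 09 caveat) and the region check on the key ARN are the editor's additions. The live path assumes boto3 and credentials; boto3 is imported lazily so the checks run offline.

```python
"""Apply a customer-managed KMS key to the Glue Data Catalog in one region.

Added example, not Conformity's or AWS's code. It covers CLI steps 01 to 05
above: check the key policy before submitting it, create the key and alias,
point the Data Catalog at the key, then read the settings back to confirm.
boto3 is imported lazily so the policy and settings checks run offline.
"""
from __future__ import annotations

import json
import re

KEY_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/[0-9a-f-]{36}$")
PRINCIPAL_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed sample modelled on the policy document on this page (same example
# account id and role/user names; trimmed to three statements).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "aws-glue-cmk-policy",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Grant access to CMK manager", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/cc-data-catalog-manager"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
         "Resource": "*"},
        {"Sid": "Allow the use of the CMK", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/cc-glue-admin"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}


def _principals(statement: dict) -> list[str]:
    """Flatten the AWS principals of one statement into a list of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return aws if isinstance(aws, list) else [aws]


def _actions(statement: dict) -> list[str]:
    action = statement.get("Action", [])
    return action if isinstance(action, list) else [action]


def check_key_policy(policy: dict, account_id: str) -> list[str]:
    """Blocking problems with a key policy; an empty list means it is safe to submit."""
    problems = []
    root = f"arn:aws:iam::{account_id}:root"
    statements = policy.get("Statement", [])
    # Without a kms:* grant to the account root, IAM policies cannot reach the key
    # and it can become unmanageable once the named principals are deleted.
    if not any(s.get("Effect") == "Allow" and root in _principals(s) and "kms:*" in _actions(s)
               for s in statements):
        problems.append("no Allow statement grants kms:* to the account root")
    for s in statements:
        if s.get("Effect") == "Allow" and "*" in _principals(s):
            problems.append(f"statement {s.get('Sid')!r} allows any AWS principal")
    return problems


def foreign_accounts(policy: dict, account_id: str) -> list[str]:
    """Account ids other than account_id that the policy grants to (console step 09)."""
    found = set()
    for s in policy.get("Statement", []):
        for p in _principals(s):
            m = PRINCIPAL_ARN_RE.match(p)
            if m and m.group(1) != account_id:
                found.add(m.group(1))
    return sorted(found)


def build_encryption_settings(key_arn: str, region: str) -> dict:
    """Value for put-data-catalog-encryption-settings; KMS keys are regional, so reject a mismatch."""
    m = KEY_ARN_RE.match(key_arn)
    if not m:
        raise ValueError(f"{key_arn!r} is not a KMS key ARN (aliases are not accepted here)")
    if m.group(1) != region:
        raise ValueError(f"key is in {m.group(1)}, catalog is in {region}")
    return {"EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS", "SseAwsKmsKeyId": key_arn}}


def remediate_region(region: str, account_id: str, policy: dict,
                     alias: str = "alias/cc-glue-data-catalog-cmk") -> str:
    """Live remediation (needs credentials and boto3). Returns the new key ARN."""
    import boto3  # lazy: the checks above must work without it
    problems = check_key_policy(policy, account_id)
    if problems:
        raise ValueError("refusing to create key: " + "; ".join(problems))
    kms = boto3.client("kms", region_name=region)
    glue = boto3.client("glue", region_name=region)
    key_arn = kms.create_key(Description="KMS CMK for Amazon Glue Data Catalog",
                             Policy=json.dumps(policy))["KeyMetadata"]["Arn"]
    kms.create_alias(AliasName=alias, TargetKeyId=key_arn)
    glue.put_data_catalog_encryption_settings(
        DataCatalogEncryptionSettings=build_encryption_settings(key_arn, region))
    # Read back: the put call returns nothing, so confirm the catalog now uses the key.
    after = glue.get_data_catalog_encryption_settings()["DataCatalogEncryptionSettings"]
    if after["EncryptionAtRest"].get("SseAwsKmsKeyId") != key_arn:
        raise RuntimeError(f"catalog in {region} still reports {after['EncryptionAtRest']}")
    return key_arn


if __name__ == "__main__":
    print(remediate_region("us-east-1", "123456789012", SAMPLE_POLICY))
```

Review the output of foreign_accounts before calling remediate_region: any account it lists can use the key once the owners of that account grant their own principals access, which is the console step 09 situation.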

Publication date Nov 29, 2018