Job Bookmark Encryption Mode

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Glue-005

Ensure that at-rest encryption is enabled for your AWS Glue job bookmarks in order to encrypt the bookmark data before it is sent to Amazon S3 for storage.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

To meet security and compliance requirements, it is highly recommended to enable encryption for your Amazon Glue job bookmark data. The job bookmark encryption mode can be enabled within AWS Glue security configurations (i.e. sets of security properties) that you associate with your AWS Glue jobs.


Audit

To determine if your AWS Glue security configurations have job bookmark encryption mode enabled, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Glue service dashboard at https://console.aws.amazon.com/glue/.

03 In the left navigation panel, under Security, choose Security configurations.

04 Select the security configuration that you want to examine, then click on the resource name (link) to access its configuration details page.

05 On the security configuration details page, check the Job bookmark encryption mode feature status. If the status is set to DISABLED, the selected security configuration is not compliant and the Amazon Glue job bookmark data is not encrypted at rest.

06 Repeat steps no. 4 and 5 to verify the other Amazon Glue security configurations created in the current region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run get-security-configurations command (OSX/Linux/UNIX) to retrieve the names of all Amazon Glue security configurations available in the specified AWS region:

aws glue get-security-configurations \
	--region us-east-1 \
	--output table \
	--query 'SecurityConfigurations[*].Name'

02 The command output should return a table with AWS Glue security configuration names:

-------------------------------
|  GetSecurityConfigurations  |
+-----------------------------+
|  cc-glue-security-config    |
|  cc-security-configuration  |
|  cc-project5-sec-config     |
+-----------------------------+

03 Execute get-security-configuration command (OSX/Linux/UNIX) using the name of the AWS Glue security configuration that you want to examine as the identifier, together with custom query filters, to retrieve the Amazon Glue job bookmark encryption mode status:

aws glue get-security-configuration \
	--name cc-glue-security-config \
	--region us-east-1 \
	--query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode'

04 The command output should return the requested configuration information:

"DISABLED"

If the command output returns "DISABLED", as shown in the example above, the selected security configuration is not compliant, hence the Amazon Glue job bookmark data is not encrypted at rest.

05 Repeat steps no. 3 and 4 to check the other Amazon Glue security configurations available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.

Remediation / Resolution

To enable encryption at rest for your AWS Glue job bookmarks, you need to re-create the associated security configurations with the job bookmark encryption mode enabled. To create and configure a new Amazon Glue security configuration, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Glue service dashboard at https://console.aws.amazon.com/glue/.

03 In the left navigation panel, under Security, select Security configurations.

04 Click Add security configuration to start the setup process.

05 On Add security configuration page, perform the following:

  1. In the Security configuration name box, type a unique name for your new Glue security configuration.
  2. Click the Advanced properties tab and select Job bookmark encryption checkbox to enable encryption at-rest for your Amazon Glue job bookmarks, then choose the ARN of the AWS KMS key that you want to use from AWS KMS key dropdown list.
  3. Ensure that S3 encryption and CloudWatch logs encryption settings are enabled, then click Finish to create your new Amazon Glue security configuration.

06 Update the configuration of your existing AWS Glue ETL jobs to make use of the new security configuration created at the previous step.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

Note: Enabling data-at-rest encryption with KMS Customer Master Keys (CMKs) for AWS Glue Data Catalog connection passwords using the AWS API via Command Line Interface (CLI) is not currently supported.

01 Define the security configuration parameters and save the document to a JSON file named sec-config-bookmarks-encrypted.json. Replace the "KmsKeyArn" parameter value with the ARN of your own AWS KMS key:

{
  "JobBookmarksEncryption": {
    "JobBookmarksEncryptionMode": "CSE-KMS",
    "KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
  },
  "S3Encryption": [
    {
      "S3EncryptionMode": "DISABLED"
    }
  ],
  "CloudWatchEncryption": {
    "CloudWatchEncryptionMode": "DISABLED"
  }
}

02 Run create-security-configuration command (OSX/Linux/UNIX) using the sec-config-bookmarks-encrypted.json file created at the previous step as value for the --encryption-configuration parameter, to create a new Amazon Glue security configuration that has AWS Glue job bookmark encryption mode enabled:

aws glue create-security-configuration \
	--region us-east-1 \
	--name cc-updated-sec-configuration \
	--encryption-configuration file://sec-config-bookmarks-encrypted.json

03 The command output should return the command request metadata:

{
    "CreatedTimestamp": 1548339022.188,
    "Name": "cc-updated-sec-configuration"
}

04 Update your existing Amazon Glue ETL jobs configuration to make use of the new AWS Glue security configuration created earlier in the process.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the entire process for other regions.
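The following script is an added example, not part of this Conformity page or of any AWS tool: it applies the Glue-005 check from the Audit section to the full JSON output of aws glue get-security-configurations (all configurations in a region at once, including the case where CSE-KMS is set but no key ARN is present), and builds the --encryption-configuration document from step 01 above for a given KMS key ARN. The sample output embedded in it is constructed; the glue005.py file name and --stdin flag are this script's own.

```python
# Added example (not from the Conformity page or AWS tooling): check the JSON printed by
# `aws glue get-security-configurations` against Glue-005 and build a remediation document.
import json
import sys

COMPLIANT_MODE = "CSE-KMS"  # the only non-DISABLED JobBookmarksEncryptionMode

def bookmark_encryption_finding(config):
    """Return None when job bookmarks are encrypted at rest, otherwise a reason:
    the mode is DISABLED (or absent), or CSE-KMS is set without a KMS key ARN."""
    bookmarks = config.get("EncryptionConfiguration", {}).get("JobBookmarksEncryption", {})
    mode = bookmarks.get("JobBookmarksEncryptionMode", "DISABLED")
    if mode != COMPLIANT_MODE:
        return f"JobBookmarksEncryptionMode is {mode}"
    if not bookmarks.get("KmsKeyArn", "").startswith("arn:aws:kms:"):
        return "CSE-KMS set but no KMS key ARN"
    return None

def audit(output):
    """Map each non-compliant security configuration name to its finding."""
    findings = {}
    for cfg in output.get("SecurityConfigurations", []):
        reason = bookmark_encryption_finding(cfg)
        if reason:
            findings[cfg["Name"]] = reason
    return findings

def build_encryption_configuration(kms_key_arn):
    """Document for --encryption-configuration: job bookmark encryption enabled, with S3
    and CloudWatch encryption enabled under the same key, as the console steps recommend."""
    return {
        "JobBookmarksEncryption": {"JobBookmarksEncryptionMode": COMPLIANT_MODE,
                                   "KmsKeyArn": kms_key_arn},
        "S3Encryption": [{"S3EncryptionMode": "SSE-KMS", "KmsKeyArn": kms_key_arn}],
        "CloudWatchEncryption": {"CloudWatchEncryptionMode": "SSE-KMS",
                                 "KmsKeyArn": kms_key_arn},
    }

SAMPLE_OUTPUT = {"SecurityConfigurations": [  # constructed sample, not real account data
    {"Name": "cc-glue-security-config", "EncryptionConfiguration": {
        "JobBookmarksEncryption": {"JobBookmarksEncryptionMode": "DISABLED"}}},
    {"Name": "cc-security-configuration", "EncryptionConfiguration": {
        "JobBookmarksEncryption": {"JobBookmarksEncryptionMode": "CSE-KMS",
            "KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"}}}]}

if __name__ == "__main__":
    # Real use: aws glue get-security-configurations --region us-east-1 | python3 glue005.py --stdin
    data = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE_OUTPUT
    for name, reason in audit(data).items():
        print(f"NON-COMPLIANT {name}: {reason}")
```

Run it once per region (changing --region on the aws command) to cover the same ground as steps 01 to 05 of the CLI audit; the generated document can be written with json.dump to sec-config-bookmarks-encrypted.json for step 02 of the remediation.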

Publication date Jan 17, 2019