Glue Data Catalog Connection Password Encryption

Overview

This check ensures that passwords stored in AWS Glue Data Catalog connections are encrypted with an AWS KMS key. When you create a connection in Glue (for example, a JDBC connection to an RDS or Redshift database), the connection properties hold the database password. With this setting enabled, Glue encrypts that password under your KMS key when the connection is created or updated, and the GetConnection and GetConnections API responses return it in encrypted form, so a caller needs kms:Decrypt on the key to recover the plaintext.

Risk

If connection password encryption is not enabled:

  • Credential exposure: Any principal allowed to call glue:GetConnection or glue:GetConnections (or to view the connection in the console) can read the database password in plain text
  • Unauthorized database access: Attackers who obtain these credentials can access your linked databases
  • Lateral movement: Compromised credentials can be used to move between environments and access additional systems
  • Compliance violations: Many regulatory frameworks require encryption of credentials at rest

Remediation Steps

Prerequisites

You need:

  • Access to the AWS Console with permissions to modify Glue settings, or AWS CLI configured with appropriate credentials
  • An existing AWS KMS key (symmetric) to use for encryption, or permission to create one

Creating a KMS key if you don't have one

AWS Console:

  1. Go to KMS > Customer managed keys
  2. Click Create key
  3. Choose Symmetric and Encrypt and decrypt
  4. Give it an alias like glue-connection-passwords
  5. Set key administrators and usage permissions as needed

AWS CLI:

# Create the key and print only its KeyId
aws kms create-key \
  --description "KMS key for Glue connection password encryption" \
  --region us-east-1 \
  --query KeyMetadata.KeyId --output text

# Use the KeyId from the output to create an alias
aws kms create-alias \
  --alias-name alias/glue-connection-passwords \
  --target-key-id <KeyId> \
  --region us-east-1

AWS Console Method

  1. Open the AWS Glue Console
  2. In the left navigation, click Data Catalog > Catalog settings (or just Settings in some console versions)
  3. Scroll to find Connection password encryption (under Encryption settings)
  4. Check the box to Encrypt connection passwords
  5. Select your KMS key from the dropdown (choose an existing customer-managed key)
  6. Click Save

That's it! New and updated connections will now have their passwords encrypted.

AWS CLI (optional)

Run the following command to enable connection password encryption:

aws glue put-data-catalog-encryption-settings \
  --region us-east-1 \
  --data-catalog-encryption-settings '{
    "ConnectionPasswordEncryption": {
      "ReturnConnectionPasswordEncrypted": true,
      "AwsKmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/your-key-id"
    }
  }'

Replace:

  • 123456789012 with your AWS account ID
  • your-key-id with the ID of your KMS key (the UUID part of the key ARN). If you prefer to reference the key by alias, replace the whole ARN with the alias (e.g. alias/glue-connection-passwords); do not put the alias inside the key/ path of the ARN

Note: If you also want to enable encryption at rest for the entire catalog metadata (a separate but related setting), you can combine both:

aws glue put-data-catalog-encryption-settings \
  --region us-east-1 \
  --data-catalog-encryption-settings '{
    "EncryptionAtRest": {
      "CatalogEncryptionMode": "SSE-KMS",
      "SseAwsKmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/your-key-id"
    },
    "ConnectionPasswordEncryption": {
      "ReturnConnectionPasswordEncrypted": true,
      "AwsKmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/your-key-id"
    }
  }'

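The CLI calls above enable the setting in one shot, but PutDataCatalogEncryptionSettings takes the whole settings object, so a script that only sends ConnectionPasswordEncryption risks clearing an EncryptionAtRest configuration that was already in place. The following is an added example (not code from the page, Prowler or AWS) that reads the current settings, merges in the connection password encryption block, writes it back and re-reads it, applying the same pass/fail condition the check uses. It assumes the boto3 Glue client method shapes (get_data_catalog_encryption_settings / put_data_catalog_encryption_settings, which are real) and uses a constructed in-memory FakeGlue class so it runs offline; the account ID, key ARNs and sample settings are placeholders.

```python
"""Enable and verify Glue Data Catalog connection password encryption."""
from __future__ import annotations

import copy
import re
from typing import Any

# Full KMS key ARN (any partition); the helper refuses bare IDs and aliases
# so the setting is unambiguous when the key lives in another account.
KEY_ARN_RE = re.compile(r"^arn:aws(-[a-z]+)?:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def evaluate_settings(settings: dict[str, Any]) -> tuple[bool, str]:
    """Same condition as the Prowler check: passwords must be returned
    encrypted AND a KMS key must be configured. Returns (passed, reason)."""
    cpe = settings.get("ConnectionPasswordEncryption") or {}
    if not cpe.get("ReturnConnectionPasswordEncrypted"):
        return False, "connection passwords are stored and returned in plain text"
    key = cpe.get("AwsKmsKeyId")
    if not key:
        return False, "ReturnConnectionPasswordEncrypted is true but no KMS key is set"
    return True, f"connection passwords encrypted with {key}"


def enable_connection_password_encryption(glue, key_arn: str, catalog_id: str) -> dict[str, Any]:
    """Read-merge-write so the separate EncryptionAtRest block is preserved,
    then re-read the catalog settings instead of trusting our own write."""
    if not KEY_ARN_RE.match(key_arn):
        raise ValueError(f"expected a full KMS key ARN, got {key_arn!r}")
    current = glue.get_data_catalog_encryption_settings(CatalogId=catalog_id)
    new_settings = copy.deepcopy(current["DataCatalogEncryptionSettings"])
    new_settings["ConnectionPasswordEncryption"] = {
        "ReturnConnectionPasswordEncrypted": True,
        "AwsKmsKeyId": key_arn,
    }
    glue.put_data_catalog_encryption_settings(
        CatalogId=catalog_id, DataCatalogEncryptionSettings=new_settings
    )
    verified = glue.get_data_catalog_encryption_settings(CatalogId=catalog_id)
    return verified["DataCatalogEncryptionSettings"]


class FakeGlue:
    """Constructed stand-in for boto3.client("glue"); only the two calls used here."""

    def __init__(self, settings: dict[str, Any]):
        self._settings = copy.deepcopy(settings)

    def get_data_catalog_encryption_settings(self, CatalogId: str) -> dict[str, Any]:
        return {"DataCatalogEncryptionSettings": copy.deepcopy(self._settings)}

    def put_data_catalog_encryption_settings(self, CatalogId: str, DataCatalogEncryptionSettings: dict) -> dict:
        self._settings = copy.deepcopy(DataCatalogEncryptionSettings)
        return {}


# Constructed sample: catalog metadata already uses SSE-KMS, passwords still plain text
ACCOUNT_ID = "123456789012"
SAMPLE_BEFORE = {
    "EncryptionAtRest": {
        "CatalogEncryptionMode": "SSE-KMS",
        "SseAwsKmsKeyId": f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/11111111-1111-1111-1111-111111111111",
    },
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False},
}
SAMPLE_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/22222222-2222-2222-2222-222222222222"


def demo() -> tuple[tuple[bool, str], dict[str, Any]]:
    """Run the remediation against the fake client; swap in
    boto3.client("glue", region_name="us-east-1") for a real account."""
    glue = FakeGlue(SAMPLE_BEFORE)
    current = glue.get_data_catalog_encryption_settings(CatalogId=ACCOUNT_ID)
    before = evaluate_settings(current["DataCatalogEncryptionSettings"])
    after = enable_connection_password_encryption(glue, SAMPLE_KEY_ARN, ACCOUNT_ID)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after :", evaluate_settings(after))
```

Run it as-is to see the before/after verdicts on the constructed sample; against a real account, the only change is replacing FakeGlue with a boto3 client whose credentials carry glue:GetDataCatalogEncryptionSettings and glue:PutDataCatalogEncryptionSettings.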
CloudFormation (optional)

Use the AWS::Glue::DataCatalogEncryptionSettings resource:

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Glue Data Catalog connection password encryption

Parameters:
  KmsKeyArn:
    Type: String
    Description: ARN of the KMS key for connection password encryption
    AllowedPattern: arn:aws:kms:[a-z0-9-]+:[0-9]+:key/[a-f0-9-]+
    ConstraintDescription: Must be a valid KMS key ARN

Resources:
  GlueDataCatalogEncryption:
    Type: AWS::Glue::DataCatalogEncryptionSettings
    Properties:
      CatalogId: !Ref AWS::AccountId
      DataCatalogEncryptionSettings:
        ConnectionPasswordEncryption:
          ReturnConnectionPasswordEncrypted: true
          KmsKeyId: !Ref KmsKeyArn

Outputs:
  CatalogId:
    Description: The Data Catalog ID with encryption enabled
    Value: !Ref AWS::AccountId

Deploy with:

aws cloudformation deploy \
  --template-file glue-encryption.yaml \
  --stack-name glue-catalog-encryption \
  --parameter-overrides KmsKeyArn=arn:aws:kms:us-east-1:123456789012:key/your-key-id \
  --region us-east-1

Terraform (optional)

Use the aws_glue_data_catalog_encryption_settings resource:

# Get current AWS account ID
data "aws_caller_identity" "current" {}

# Reference an existing KMS key by alias
data "aws_kms_key" "glue_encryption" {
  key_id = "alias/glue-connection-passwords"
}

# Enable connection password encryption
resource "aws_glue_data_catalog_encryption_settings" "this" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      return_connection_password_encrypted = true
      aws_kms_key_id                       = data.aws_kms_key.glue_encryption.arn
    }
  }
}

To create the KMS key in the same configuration, use the following in place of the data source above (keep a single aws_glue_data_catalog_encryption_settings resource; there is only one settings object per catalog):

resource "aws_kms_key" "glue_encryption" {
  description             = "KMS key for Glue connection password encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true

  tags = {
    Purpose = "Glue Data Catalog Encryption"
  }
}

resource "aws_kms_alias" "glue_encryption" {
  name          = "alias/glue-connection-passwords"
  target_key_id = aws_kms_key.glue_encryption.key_id
}

resource "aws_glue_data_catalog_encryption_settings" "this" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      return_connection_password_encrypted = true
      aws_kms_key_id                       = aws_kms_key.glue_encryption.arn
    }
  }
}

Verification

After enabling encryption, verify the setting is active:

  1. Go to the Glue Console Settings
  2. Confirm Encrypt connection passwords shows as enabled with your KMS key

CLI verification

aws glue get-data-catalog-encryption-settings --region us-east-1

Expected output should include:

{
  "DataCatalogEncryptionSettings": {
    "ConnectionPasswordEncryption": {
      "ReturnConnectionPasswordEncrypted": true,
      "AwsKmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/..."
    }
  }
}

You can also re-run the Prowler check:

prowler aws --checks glue_data_catalogs_connection_passwords_encryption_enabled --filter-region us-east-1

Notes

  • Existing connections: Enabling this setting encrypts passwords for new connections and for existing connections when they are next updated. Existing connections are not re-encrypted automatically; to bring them under the key, re-save each one (for example with aws glue update-connection or by editing and saving it in the console).
  • KMS key access: Two different permissions are involved. Principals that create or update connections need kms:Encrypt on the key, otherwise CreateConnection and UpdateConnection fail. IAM roles and users that use the connections (Glue job and crawler roles, and anyone retrieving the password via GetConnection) need kms:Decrypt on the key, otherwise they cannot use connections with encrypted passwords. Principals that only need the connection metadata can call GetConnection with HidePassword set and need neither.
  • Key rotation: Consider enabling automatic key rotation on your KMS key for additional security.
  • One setting per catalog: Each AWS account has one Data Catalog per region. This setting applies to all connections in that catalog.
  • No downtime: Enabling this setting does not interrupt running Glue jobs or crawlers.
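The key-access note above splits into two permissions that rarely belong to the same principal: whoever deploys connections needs kms:Encrypt, whoever runs jobs against them needs kms:Decrypt. The following is an added example (not code from the page, Prowler or AWS) that builds a KMS key policy expressing that split, plus a small helper that answers "who can decrypt this key?" from the policy document. The account ID, region and role ARNs are constructed placeholders; the kms:ViaService condition restricting use to calls made through Glue is an assumption and can be dropped if it causes AccessDenied in your environment.

```python
"""Least-privilege KMS key policy for the Glue connection-password key."""
import json

# The usual "key administrators" action set; deliberately no kms:Encrypt/Decrypt.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion",
]


def connection_password_key_policy(region, admin_arns, encrypt_arns, decrypt_arns):
    """Return a key policy (dict) with administration, Encrypt and Decrypt
    granted to three separate sets of principals."""
    if not admin_arns:
        raise ValueError("a key policy with no administrator leaves the key unmanageable")
    # Assumption: Glue forwards the caller's identity to KMS, so kms:ViaService
    # can pin use of this key to the Glue service endpoint in this region.
    via_glue = {"StringEquals": {"kms:ViaService": f"glue.{region}.amazonaws.com"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KeyAdministrators",
                "Effect": "Allow",
                "Principal": {"AWS": list(admin_arns)},
                "Action": ADMIN_ACTIONS,
                "Resource": "*",
            },
            {   # callers of CreateConnection / UpdateConnection
                "Sid": "GlueConnectionWritersEncrypt",
                "Effect": "Allow",
                "Principal": {"AWS": list(encrypt_arns)},
                "Action": ["kms:Encrypt"],
                "Resource": "*",
                "Condition": via_glue,
            },
            {   # job/crawler roles that use the connection
                "Sid": "GlueConnectionConsumersDecrypt",
                "Effect": "Allow",
                "Principal": {"AWS": list(decrypt_arns)},
                "Action": ["kms:Decrypt"],
                "Resource": "*",
                "Condition": via_glue,
            },
        ],
    }


def principals_allowed(policy, action):
    """Principal ARNs with an Allow for `action` (exact or wildcard-prefix match).
    Good enough to audit a policy we generated; not a general IAM evaluator."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(a == action or (a.endswith("*") and action.startswith(a[:-1])) for a in actions):
            principals = stmt["Principal"]["AWS"]
            allowed.update(principals if isinstance(principals, list) else [principals])
    return allowed


# Constructed sample principals
ACCOUNT = "123456789012"
ADMIN = f"arn:aws:iam::{ACCOUNT}:role/KmsKeyAdmin"
CONNECTION_WRITER = f"arn:aws:iam::{ACCOUNT}:role/DataPlatformDeployer"  # runs CreateConnection
GLUE_JOB_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AWSGlueServiceRole-etl"    # runs jobs using the connection


def sample_policy():
    return connection_password_key_policy("us-east-1", [ADMIN], [CONNECTION_WRITER], [GLUE_JOB_ROLE])


if __name__ == "__main__":
    policy = sample_policy()
    print(json.dumps(policy, indent=2))
    print("can decrypt:", sorted(principals_allowed(policy, "kms:Decrypt")))
```

Apply the generated document with aws kms put-key-policy --policy-name default --policy file://policy.json (or kms.put_key_policy in boto3). Note that the admin statement still includes kms:Create*, which covers CreateGrant, so a key administrator can delegate decrypt to others; remove it from ADMIN_ACTIONS if that is not acceptable in your threat model.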