Glue Data Catalog Metadata Encryption

Overview

This check verifies that your AWS Glue Data Catalog metadata is encrypted at rest using AWS KMS. The Data Catalog stores metadata about your data sources, tables, schemas, partitions, and connections. Enabling encryption protects this sensitive metadata from unauthorized access.

Risk

When Glue Data Catalog metadata is unencrypted:

  • Sensitive schema exposure: Metadata reveals your database structures, table names, column definitions, and partition layouts
  • Reconnaissance enablement: Attackers or malicious insiders can discover your data organization and plan targeted attacks
  • Data location disclosure: Connection strings and S3 paths stored in the catalog reveal where your actual data resides
  • Compliance violations: Many regulations (HIPAA, PCI-DSS, SOC 2) require encryption of sensitive metadata
  • Integrity risks: Unencrypted metadata may be easier to tamper with, potentially corrupting query results

Remediation Steps

Prerequisites

  • AWS account access with permissions to modify Glue Data Catalog settings and KMS keys
  • An existing KMS key, or permission to create one

Required IAM permissions

To enable encryption on the Glue Data Catalog, you need:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:PutDataCatalogEncryptionSettings",
        "glue:GetDataCatalogEncryptionSettings"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:CreateGrant",
        "kms:ListGrants"
      ],
      "Resource": "arn:aws:kms:us-east-1:*:key/*"
    }
  ]
}

AWS Console Method

Step 1: Create or identify a KMS key

  1. Open the AWS KMS Console at https://console.aws.amazon.com/kms
  2. Ensure you are in the us-east-1 region (top-right corner)
  3. Click Customer managed keys in the left sidebar
  4. Either select an existing symmetric key, or click Create key:
    • Key type: Symmetric
    • Key usage: Encrypt and decrypt
    • Give it a name like glue-catalog-encryption-key
  5. Copy the Key ARN or Key ID for later use

KMS key policy for Glue

Your KMS key policy must allow Glue to use the key. Add this statement to your key policy:

{
  "Sid": "Allow Glue to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "glue.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:CallerAccount": "<YOUR_ACCOUNT_ID>",
      "kms:ViaService": "glue.us-east-1.amazonaws.com"
    }
  }
}

Replace <YOUR_ACCOUNT_ID> with your 12-digit AWS account ID.

Step 2: Enable metadata encryption on the Data Catalog

  1. Open the AWS Glue Console at https://console.aws.amazon.com/glue
  2. Ensure you are in the us-east-1 region
  3. In the left sidebar, expand Data Catalog and click Catalog settings
  4. In the Metadata encryption section, check Encrypt your Data Catalog
  5. Select your KMS key from the dropdown (or enter the Key ARN)
  6. Click Save

Encryption will apply to all new metadata written to the catalog. Existing metadata will be encrypted on next modification.

AWS CLI (optional)

Enable metadata encryption

aws glue put-data-catalog-encryption-settings \
  --data-catalog-encryption-settings '{
    "EncryptionAtRest": {
      "CatalogEncryptionMode": "SSE-KMS",
      "SseAwsKmsKeyId": "<YOUR_KMS_KEY_ID>"
    }
  }' \
  --region us-east-1

Replace <YOUR_KMS_KEY_ID> with your KMS key ID or ARN (e.g., arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012).

Enable metadata encryption with AWS-managed Glue key

If you want to use the AWS-managed key (simpler but less control):

aws glue put-data-catalog-encryption-settings \
  --data-catalog-encryption-settings '{
    "EncryptionAtRest": {
      "CatalogEncryptionMode": "SSE-KMS"
    }
  }' \
  --region us-east-1

Check current encryption settings

aws glue get-data-catalog-encryption-settings --region us-east-1

CloudFormation (optional)

This template creates a KMS key and configures Glue Data Catalog encryption.

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Glue Data Catalog metadata encryption with KMS

Resources:
  GlueCatalogKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for Glue Data Catalog metadata encryption
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: Allow Glue to use the key
            Effect: Allow
            Principal:
              Service: glue.amazonaws.com
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'
            Condition:
              StringEquals:
                kms:CallerAccount: !Ref AWS::AccountId
                kms:ViaService: !Sub 'glue.${AWS::Region}.amazonaws.com'

  GlueCatalogKMSKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/glue-catalog-encryption-key
      TargetKeyId: !Ref GlueCatalogKMSKey

  GlueDataCatalogEncryption:
    Type: AWS::Glue::DataCatalogEncryptionSettings
    Properties:
      CatalogId: !Ref AWS::AccountId
      DataCatalogEncryptionSettings:
        EncryptionAtRest:
          CatalogEncryptionMode: SSE-KMS
          SseAwsKmsKeyId: !Ref GlueCatalogKMSKey

Outputs:
  KMSKeyArn:
    Description: ARN of the KMS key used for Glue catalog encryption
    Value: !GetAtt GlueCatalogKMSKey.Arn

Deploy with:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name glue-catalog-encryption \
  --region us-east-1

Terraform (optional)

This configuration creates the same KMS key, alias and catalog encryption settings as the CloudFormation template.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_kms_key" "glue_catalog" {
  description             = "KMS key for Glue Data Catalog metadata encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "Enable IAM User Permissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "Allow Glue to use the key"
        Effect    = "Allow"
        Principal = { Service = "glue.amazonaws.com" }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ]
        Resource = "*"
        Condition = {
          StringEquals = {
            "kms:CallerAccount" = data.aws_caller_identity.current.account_id
            "kms:ViaService"    = "glue.${data.aws_region.current.name}.amazonaws.com"
          }
        }
      }
    ]
  })
}

resource "aws_kms_alias" "glue_catalog" {
  name          = "alias/glue-catalog-encryption-key"
  target_key_id = aws_kms_key.glue_catalog.key_id
}

resource "aws_glue_data_catalog_encryption_settings" "encryption" {
  data_catalog_encryption_settings {
    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.glue_catalog.arn
    }
  }
}

output "kms_key_arn" {
  description = "ARN of the KMS key used for Glue catalog encryption"
  value       = aws_kms_key.glue_catalog.arn
}

Deploy with:

terraform init
terraform plan
terraform apply

Verification

After making changes, verify encryption is enabled:

  1. Open the AWS Glue Console at https://console.aws.amazon.com/glue
  2. In the left sidebar, expand Data Catalog and click Catalog settings
  3. Confirm the Metadata encryption section shows encryption is enabled with your KMS key

Verify with AWS CLI

aws glue get-data-catalog-encryption-settings --region us-east-1

A properly encrypted catalog will show output like:

{
  "DataCatalogEncryptionSettings": {
    "EncryptionAtRest": {
      "CatalogEncryptionMode": "SSE-KMS",
      "SseAwsKmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    },
    "ConnectionPasswordEncryption": {
      "ReturnConnectionPasswordEncrypted": false
    }
  }
}

If CatalogEncryptionMode is DISABLED, encryption is not enabled.
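As an added example (not part of this page or of the AWS CLI), the following Python evaluates that JSON offline: it flags a DISABLED mode, notes when the AWS-managed key is in use, checks that a customer-managed key ARN sits in the same region as the catalog, and reports the connection password setting. It assumes that a response without SseAwsKmsKeyId means the AWS-managed Glue key is in use, matching the CLI variant above that omits the key.

```python
"""Evaluate `aws glue get-data-catalog-encryption-settings` output offline.

Added example, not part of the original check page. Pass it the parsed JSON
the CLI prints (or the dict boto3's get_data_catalog_encryption_settings()
returns). Assumption: an EncryptionAtRest block with no SseAwsKmsKeyId means
the AWS-managed Glue key is in use.
"""
import json

# Constructed sample responses, modelled on the page's example output.
ENCRYPTED = json.loads("""{
  "DataCatalogEncryptionSettings": {
    "EncryptionAtRest": {
      "CatalogEncryptionMode": "SSE-KMS",
      "SseAwsKmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    },
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": false}
  }
}""")
DISABLED = {"DataCatalogEncryptionSettings": {
    "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False}}}


def evaluate_catalog_encryption(response, expected_region="us-east-1"):
    """Return pass/fail status plus the findings a reviewer would raise."""
    settings = response.get("DataCatalogEncryptionSettings", {})
    at_rest = settings.get("EncryptionAtRest", {})
    mode = at_rest.get("CatalogEncryptionMode", "DISABLED")
    key_id = at_rest.get("SseAwsKmsKeyId")
    findings = []
    if mode != "SSE-KMS":
        findings.append(f"FAIL: CatalogEncryptionMode is {mode}; metadata is not KMS-encrypted")
    elif key_id is None:
        findings.append("INFO: SSE-KMS with the AWS-managed Glue key; a customer-managed key gives more control")
    elif key_id.startswith("arn:aws:kms:"):
        # KMS keys are regional: the key must live in the region of the catalog it protects.
        key_region = key_id.split(":")[3]
        if key_region != expected_region:
            findings.append(f"WARN: key is in {key_region} but the catalog is in {expected_region}")
    pw = settings.get("ConnectionPasswordEncryption", {})
    if not pw.get("ReturnConnectionPasswordEncrypted", False):
        findings.append("INFO: ReturnConnectionPasswordEncrypted is false; consider enabling connection password encryption")
    return {"encrypted": mode == "SSE-KMS", "mode": mode, "kms_key_id": key_id, "findings": findings}


if __name__ == "__main__":
    for name, resp in (("encrypted", ENCRYPTED), ("disabled", DISABLED)):
        print(name, json.dumps(evaluate_catalog_encryption(resp), indent=2))
```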

Additional Resources

Notes

  • One catalog per account per region: Each AWS account has one Data Catalog per region. Encryption settings apply to the entire catalog.
  • Existing metadata: Encryption applies to new writes. Existing metadata is encrypted when next modified or when you run a catalog update.
  • Key availability: If your KMS key is deleted or disabled, Glue cannot access encrypted catalog metadata. Ensure proper key policies and consider enabling automatic key rotation.
  • Connection password encryption: For additional security, consider also enabling connection password encryption in the same settings. This encrypts passwords stored in Glue connection definitions.
  • Cross-account access: If you share your Data Catalog across accounts, ensure the KMS key policy allows access from those accounts.
  • Cost considerations: Using customer-managed KMS keys incurs charges for key storage and API calls. See AWS KMS Pricing.
  • Cannot disable once enabled: After enabling catalog encryption, you cannot disable it. Plan accordingly before enabling.