Glue Connection SSL Enabled

Overview

This check verifies that AWS Glue JDBC connections enforce TLS/SSL encryption by confirming the JDBC_ENFORCE_SSL property is set to true. Enabling SSL ensures that all data transferred between Glue and your external databases is encrypted in transit.

Risk

When Glue connections do not enforce SSL:

• Data interception: Database credentials, queries, and results travel unencrypted and can be captured by attackers monitoring network traffic
• Man-in-the-middle attacks: Without encryption, attackers can intercept and modify data in transit without detection
• Credential theft: Database usernames and passwords sent in plain text can be stolen and used for unauthorized access
• Compliance violations: Many regulatory frameworks (PCI DSS, HIPAA, SOC 2) require encryption of data in transit

Remediation Steps

Prerequisites

• AWS account access with permissions to modify Glue connections
• The connection must be a JDBC-type connection (this setting applies only to JDBC connections)

Required IAM permissions

To update Glue connections, you need:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetConnection",
        "glue:UpdateConnection"
      ],
      "Resource": [
        "arn:aws:glue:us-east-1:*:catalog",
        "arn:aws:glue:us-east-1:*:connection/*"
      ]
    }
  ]
}

AWS Console Method

1. Open the AWS Glue Console at https://console.aws.amazon.com/glue
2. Ensure you are in the us-east-1 region (top-right corner)
3. In the left sidebar, expand Data Catalog and click Connections
4. Select the connection you want to update
5. Click Edit
6. Scroll down to Connection properties (or Advanced properties depending on console version)
7. Add a new property:
   • Key: JDBC_ENFORCE_SSL
   • Value: true
8. Click Save

Repeat for each JDBC connection that needs SSL enforcement.

AWS CLI (optional)

View current connection settings

First, retrieve the current connection configuration:

aws glue get-connection \
  --name <YOUR_CONNECTION_NAME> \
  --region us-east-1

Enable SSL on a JDBC connection

To update a connection and enable SSL enforcement, you must provide the complete connection definition. Here is an example for a MySQL JDBC connection:

aws glue update-connection \
  --name <YOUR_CONNECTION_NAME> \
  --connection-input '{
    "Name": "<YOUR_CONNECTION_NAME>",
    "ConnectionType": "JDBC",
    "ConnectionProperties": {
      "JDBC_CONNECTION_URL": "jdbc:mysql://<YOUR_HOST>:3306/<YOUR_DATABASE>",
      "USERNAME": "<YOUR_USERNAME>",
      "PASSWORD": "<YOUR_PASSWORD>",
      "JDBC_ENFORCE_SSL": "true"
    }
  }' \
  --region us-east-1

Replace:

• <YOUR_CONNECTION_NAME> with your Glue connection name
• <YOUR_HOST> with your database host
• <YOUR_DATABASE> with your database name
• <YOUR_USERNAME> with your database username
• <YOUR_PASSWORD> with your database password

Important: The update-connection command replaces all connection properties. Make sure to include all existing properties from your current connection, not just the new JDBC_ENFORCE_SSL setting.

Example with VPC configuration

If your connection uses a VPC, include the physical connection requirements:

aws glue update-connection \
  --name <YOUR_CONNECTION_NAME> \
  --connection-input '{
    "Name": "<YOUR_CONNECTION_NAME>",
    "ConnectionType": "JDBC",
    "ConnectionProperties": {
      "JDBC_CONNECTION_URL": "jdbc:mysql://<YOUR_HOST>:3306/<YOUR_DATABASE>",
      "USERNAME": "<YOUR_USERNAME>",
      "PASSWORD": "<YOUR_PASSWORD>",
      "JDBC_ENFORCE_SSL": "true"
    },
    "PhysicalConnectionRequirements": {
      "SubnetId": "<YOUR_SUBNET_ID>",
      "SecurityGroupIdList": ["<YOUR_SECURITY_GROUP_ID>"],
      "AvailabilityZone": "us-east-1a"
    }
  }' \
  --region us-east-1

CloudFormation (optional)

This template creates a Glue connection with SSL enforcement enabled.

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Glue JDBC connection with SSL enforcement

Parameters:
  ConnectionName:
    Type: String
    Description: Name of the Glue connection
    Default: my-secure-jdbc-connection
  DatabaseHost:
    Type: String
    Description: Database host endpoint
  DatabasePort:
    Type: String
    Description: Database port
    Default: '3306'
  DatabaseName:
    Type: String
    Description: Database name
  DatabaseUsername:
    Type: String
    Description: Database username
    NoEcho: true
  DatabasePassword:
    Type: String
    Description: Database password
    NoEcho: true
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet ID for the connection
  SecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group ID for the connection
  AvailabilityZone:
    Type: AWS::EC2::AvailabilityZone::Name
    Description: Availability zone for the connection
    Default: us-east-1a

Resources:
  GlueConnection:
    Type: AWS::Glue::Connection
    Properties:
      CatalogId: !Ref AWS::AccountId
      ConnectionInput:
        Name: !Ref ConnectionName
        Description: Secure JDBC connection with SSL enforcement
        ConnectionType: JDBC
        ConnectionProperties:
          JDBC_CONNECTION_URL: !Sub 'jdbc:mysql://${DatabaseHost}:${DatabasePort}/${DatabaseName}'
          USERNAME: !Ref DatabaseUsername
          PASSWORD: !Ref DatabasePassword
          JDBC_ENFORCE_SSL: 'true'
        PhysicalConnectionRequirements:
          SubnetId: !Ref SubnetId
          SecurityGroupIdList:
            - !Ref SecurityGroupId
          AvailabilityZone: !Ref AvailabilityZone

Outputs:
  ConnectionName:
    Description: Name of the Glue connection
    Value: !Ref ConnectionName

Deploy with:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name glue-secure-connection \
  --parameter-overrides \
    ConnectionName=my-secure-connection \
    DatabaseHost=mydb.example.com \
    DatabaseName=mydb \
    DatabaseUsername=admin \
    DatabasePassword=mypassword \
    SubnetId=subnet-12345678 \
    SecurityGroupId=sg-12345678 \
  --region us-east-1

Terraform (optional)

variable "connection_name" {
  description = "Name of the Glue connection"
  type        = string
  default     = "my-secure-jdbc-connection"
}

variable "database_host" {
  description = "Database host endpoint"
  type        = string
}

variable "database_port" {
  description = "Database port"
  type        = string
  default     = "3306"
}

variable "database_name" {
  description = "Database name"
  type        = string
}

variable "database_username" {
  description = "Database username"
  type        = string
  sensitive   = true
}

variable "database_password" {
  description = "Database password"
  type        = string
  sensitive   = true
}

variable "subnet_id" {
  description = "Subnet ID for the connection"
  type        = string
}

variable "security_group_id" {
  description = "Security group ID for the connection"
  type        = string
}

variable "availability_zone" {
  description = "Availability zone for the connection"
  type        = string
  default     = "us-east-1a"
}

resource "aws_glue_connection" "secure_jdbc" {
  name = var.connection_name

  connection_properties = {
    JDBC_CONNECTION_URL = "jdbc:mysql://${var.database_host}:${var.database_port}/${var.database_name}"
    USERNAME            = var.database_username
    PASSWORD            = var.database_password
    JDBC_ENFORCE_SSL    = "true"
  }

  connection_type = "JDBC"

  physical_connection_requirements {
    subnet_id           = var.subnet_id
    security_group_id_list = [var.security_group_id]
    availability_zone   = var.availability_zone
  }
}

output "connection_name" {
  description = "Name of the Glue connection"
  value       = aws_glue_connection.secure_jdbc.name
}

Deploy with:

terraform init
terraform plan
terraform apply

Verification

After enabling SSL enforcement, verify the setting is applied:

1. Open the AWS Glue Console at https://console.aws.amazon.com/glue
2. Navigate to Data Catalog > Connections
3. Select your connection
4. In the connection details, confirm that JDBC_ENFORCE_SSL is set to true

Verify with AWS CLI

aws glue get-connection \
  --name <YOUR_CONNECTION_NAME> \
  --region us-east-1 \
  --query 'Connection.ConnectionProperties.JDBC_ENFORCE_SSL'

The output should be:

"true"

To see all connection properties:

aws glue get-connection \
  --name <YOUR_CONNECTION_NAME> \
  --region us-east-1 \
  --query 'Connection.ConnectionProperties'

Additional Resources

• AWS Documentation: Glue Encryption in Transit
• AWS Documentation: Glue Connections
• AWS CLI Reference: update-connection
• Terraform: aws_glue_connection
• CloudFormation: AWS::Glue::Connection

Notes

• JDBC connections only: The JDBC_ENFORCE_SSL property only applies to JDBC-type connections. Other connection types (KAFKA, MONGODB, NETWORK) use different SSL configuration methods.
• Database support required: Your target database must support SSL connections. Ensure your database is configured to accept SSL connections before enabling this setting.
• Certificate validation: When SSL is enforced, Glue validates the database server's SSL certificate. If your database uses a self-signed certificate, you may need additional configuration.
• Connection testing: After enabling SSL, test your connection using the Glue console's "Test connection" feature to ensure connectivity still works.
• Existing jobs: Enabling SSL on an existing connection does not require changes to Glue jobs or crawlers that use the connection. They will automatically use SSL on their next run.
• Performance: SSL encryption adds minimal overhead to connection performance. The security benefits far outweigh any performance impact.
• Secrets Manager: For production environments, consider storing database credentials in AWS Secrets Manager instead of directly in connection properties.