Glue Development Endpoint Job Bookmark Encryption Enabled
Overview
This check verifies that your AWS Glue development endpoints have a security configuration attached with job bookmark encryption enabled. Job bookmarks track the state of your ETL jobs, including which data has already been processed. Encrypting them protects sensitive metadata from unauthorized access.
Risk
Without job bookmark encryption, your Glue job state data is stored unencrypted. This creates several security concerns:
- Data exposure: Job bookmarks contain dataset paths, partition information, and processing states that could reveal your data architecture
- State tampering: Attackers could modify bookmarks to force jobs to reprocess data or skip records, potentially corrupting your data pipeline
- Compliance gaps: Regulations like GDPR, HIPAA, and PCI-DSS often require encryption of metadata that describes sensitive data
- Replay attacks: Manipulated bookmarks could cause ETL jobs to replay operations, leading to duplicated data or additional costs
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to manage Glue security configurations and development endpoints
- A KMS key (you can use an existing key or create a new one)
Required IAM permissions (for administrators)
Your IAM user or role needs these permissions:
- glue:CreateSecurityConfiguration
- glue:GetSecurityConfiguration
- glue:CreateDevEndpoint
- glue:UpdateDevEndpoint
- glue:GetDevEndpoint
- kms:CreateKey (if creating a new key)
- kms:DescribeKey
- kms:ListKeys
AWS Console Method
Step 1: Create a Security Configuration
- Open Glue in the AWS Console
  - Go to AWS Glue Console in us-east-1
- Navigate to Security configurations
  - In the left sidebar, scroll down to Data Catalog and click Security configurations
  - Click Add security configuration
- Configure the security settings
  - Enter a name like glue-endpoint-security-config
  - Under Encryption at rest, find Job bookmark encryption
  - Check the box to Enable job bookmark encryption
  - Select a KMS key from the dropdown (or create a new one)
  - Click Create
Step 2: Attach the Security Configuration to Your Development Endpoint
Important: You cannot modify the security configuration of an existing development endpoint. You must create a new endpoint with the security configuration attached.
- Navigate to Development endpoints
  - In the left sidebar under ETL, click Dev endpoints
- Create a new development endpoint
  - Click Add endpoint
  - Enter an endpoint name
  - Select an IAM role with Glue permissions
  - Under Security configuration - optional, select the security configuration you created (glue-endpoint-security-config)
  - Configure networking and other settings as needed
  - Click Finish
- Decommission the old endpoint (if applicable)
  - If you had an existing endpoint without encryption, delete it after migrating your work to the new endpoint
  - Select the old endpoint and click Delete
AWS CLI (optional)
Step 1: Create a Security Configuration
aws glue create-security-configuration \
  --name glue-endpoint-security-config \
  --encryption-configuration '{
    "JobBookmarksEncryption": {
      "JobBookmarksEncryptionMode": "CSE-KMS",
      "KmsKeyArn": "arn:aws:kms:us-east-1:<your-account-id>:key/<your-key-id>"
    }
  }' \
  --region us-east-1
Replace <your-account-id> and <your-key-id> with your actual values.
Step 2: Create a Development Endpoint with the Security Configuration
aws glue create-dev-endpoint \
  --endpoint-name my-secure-endpoint \
  --role-arn arn:aws:iam::<your-account-id>:role/<your-glue-role> \
  --security-configuration glue-endpoint-security-config \
  --number-of-nodes 2 \
  --region us-east-1
Step 3: Delete the Old Endpoint (if applicable)
aws glue delete-dev-endpoint \
  --endpoint-name <old-endpoint-name> \
  --region us-east-1
CloudFormation (optional)
This template creates a KMS key, a Glue security configuration with job bookmark encryption, and a development endpoint:
AWSTemplateFormatVersion: '2010-09-09'
Description: Glue Development Endpoint with Job Bookmark Encryption
Parameters:
  EndpointName:
    Type: String
    Description: Name of the Glue development endpoint
    Default: my-secure-endpoint
  GlueRoleArn:
    Type: String
    Description: ARN of the IAM role for the Glue endpoint
  SubnetId:
    Type: String
    Description: Subnet ID for the development endpoint (optional)
    Default: ''
  SecurityGroupIds:
    Type: CommaDelimitedList
    Description: Security group IDs for the development endpoint (optional)
    Default: ''
Conditions:
  HasNetworking: !And
    - !Not [!Equals [!Ref SubnetId, '']]
    - !Not [!Equals [!Join ['', !Ref SecurityGroupIds], '']]
Resources:
  GlueKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for Glue job bookmark encryption
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'
          - Sid: Allow Glue Service
            Effect: Allow
            Principal:
              Service: glue.amazonaws.com
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:GenerateDataKey
            Resource: '*'
  GlueKMSKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/glue-job-bookmark-key
      TargetKeyId: !Ref GlueKMSKey
  GlueSecurityConfiguration:
    Type: AWS::Glue::SecurityConfiguration
    Properties:
      Name: glue-endpoint-security-config
      EncryptionConfiguration:
        JobBookmarksEncryption:
          JobBookmarksEncryptionMode: CSE-KMS
          KmsKeyArn: !GetAtt GlueKMSKey.Arn
  GlueDevEndpoint:
    Type: AWS::Glue::DevEndpoint
    Properties:
      EndpointName: !Ref EndpointName
      RoleArn: !Ref GlueRoleArn
      SecurityConfiguration: !Ref GlueSecurityConfiguration
      NumberOfNodes: 2
      SubnetId: !If [HasNetworking, !Ref SubnetId, !Ref 'AWS::NoValue']
      SecurityGroupIds: !If [HasNetworking, !Ref SecurityGroupIds, !Ref 'AWS::NoValue']
Outputs:
  SecurityConfigurationName:
    Description: Name of the Glue security configuration
    Value: !Ref GlueSecurityConfiguration
  DevEndpointName:
    Description: Name of the Glue development endpoint
    Value: !Ref GlueDevEndpoint
  KMSKeyArn:
    Description: ARN of the KMS key for job bookmark encryption
    Value: !GetAtt GlueKMSKey.Arn
Deploy with:
aws cloudformation deploy \
  --template-file glue-endpoint-encryption.yaml \
  --stack-name glue-endpoint-encryption \
  --parameter-overrides \
    EndpointName=my-secure-endpoint \
    GlueRoleArn=arn:aws:iam::<your-account-id>:role/<your-glue-role> \
  --region us-east-1
Terraform (optional)
# Variables
variable "endpoint_name" {
  description = "Name of the Glue development endpoint"
  type        = string
  default     = "my-secure-endpoint"
}

variable "glue_role_arn" {
  description = "ARN of the IAM role for the Glue endpoint"
  type        = string
}

variable "subnet_id" {
  description = "Subnet ID for the development endpoint (optional)"
  type        = string
  default     = null
}

variable "security_group_ids" {
  description = "Security group IDs for the development endpoint (optional)"
  type        = list(string)
  default     = null
}

# Data source for current account
data "aws_caller_identity" "current" {}

# KMS key for job bookmark encryption
resource "aws_kms_key" "glue_bookmark" {
  description             = "KMS key for Glue job bookmark encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        }
        Action   = "kms:*"
        Resource = "*"
      },
      {
        Sid    = "Allow Glue Service"
        Effect = "Allow"
        Principal = {
          Service = "glue.amazonaws.com"
        }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:GenerateDataKey"
        ]
        Resource = "*"
      }
    ]
  })
}

# KMS key alias
resource "aws_kms_alias" "glue_bookmark" {
  name          = "alias/glue-job-bookmark-key"
  target_key_id = aws_kms_key.glue_bookmark.key_id
}

# Glue security configuration
resource "aws_glue_security_configuration" "main" {
  name = "glue-endpoint-security-config"

  encryption_configuration {
    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "CSE-KMS"
      kms_key_arn                   = aws_kms_key.glue_bookmark.arn
    }
  }
}

# Glue development endpoint
resource "aws_glue_dev_endpoint" "main" {
  name                   = var.endpoint_name
  role_arn               = var.glue_role_arn
  security_configuration = aws_glue_security_configuration.main.name
  number_of_nodes        = 2
  subnet_id              = var.subnet_id
  security_group_ids     = var.security_group_ids
}

# Outputs
output "security_configuration_name" {
  description = "Name of the Glue security configuration"
  value       = aws_glue_security_configuration.main.name
}

output "dev_endpoint_name" {
  description = "Name of the Glue development endpoint"
  value       = aws_glue_dev_endpoint.main.name
}

output "kms_key_arn" {
  description = "ARN of the KMS key for job bookmark encryption"
  value       = aws_kms_key.glue_bookmark.arn
}
Deploy with:
terraform init
terraform plan -var="endpoint_name=my-secure-endpoint" -var="glue_role_arn=arn:aws:iam::<your-account-id>:role/<your-glue-role>"
terraform apply -var="endpoint_name=my-secure-endpoint" -var="glue_role_arn=arn:aws:iam::<your-account-id>:role/<your-glue-role>"
Verification
After making changes, verify job bookmark encryption is enabled:
- In the AWS Console:
  - Go to Glue > Security configurations
  - Click on your security configuration name
  - Confirm that Job bookmark encryption shows Enabled with a KMS key
- Check the development endpoint:
  - Go to Glue > Dev endpoints
  - Click on your endpoint name
  - Verify that Security configuration shows the correct configuration name
CLI verification commands
Check the security configuration:
aws glue get-security-configuration \
  --name glue-endpoint-security-config \
  --region us-east-1 \
  --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption'
Expected output:
{
  "JobBookmarksEncryptionMode": "CSE-KMS",
  "KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}
Check the development endpoint:
aws glue get-dev-endpoint \
  --endpoint-name my-secure-endpoint \
  --region us-east-1 \
  --query 'DevEndpoint.SecurityConfiguration'
The output should show your security configuration name.
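The same verification, run across every development endpoint in one pass, as an added example that is not part of the original page: it evaluates the DevEndpoint and SecurityConfiguration response shapes shown above and flags endpoints with no security configuration, a missing configuration, or a job bookmark encryption mode other than CSE-KMS. The sample responses are constructed; the boto3 calls in the comment are how you would feed it real account data.

```python
from typing import Dict, List

# Hypothetical audit helper (added here, not from the original page).
# Field names follow the get-dev-endpoints / get-security-configurations
# responses; to run it against a real account, feed it boto3 output, e.g.
#   glue = boto3.client("glue", region_name="us-east-1")
#   endpoints = glue.get_dev_endpoints()["DevEndpoints"]
#   configs = {c["Name"]: c for c in glue.get_security_configurations()["SecurityConfigurations"]}
COMPLIANT_MODES = {"CSE-KMS"}

def bookmark_encryption_status(endpoint: Dict, configs: Dict[str, Dict]) -> Dict:
    """Return {'endpoint', 'compliant', 'reason'} for one DevEndpoint record."""
    name = endpoint.get("EndpointName", "<unnamed>")
    config_name = endpoint.get("SecurityConfiguration")
    if not config_name:
        return {"endpoint": name, "compliant": False,
                "reason": "no security configuration attached"}
    config = configs.get(config_name)
    if config is None:
        return {"endpoint": name, "compliant": False,
                "reason": f"security configuration {config_name} not found"}
    bookmarks = config.get("EncryptionConfiguration", {}).get("JobBookmarksEncryption", {})
    mode = bookmarks.get("JobBookmarksEncryptionMode", "DISABLED")
    key_arn = bookmarks.get("KmsKeyArn")
    if mode not in COMPLIANT_MODES or not key_arn:
        return {"endpoint": name, "compliant": False,
                "reason": f"job bookmark encryption mode is {mode}, key {key_arn}"}
    return {"endpoint": name, "compliant": True, "reason": f"{mode} with {key_arn}"}

def audit(endpoints: List[Dict], configs: Dict[str, Dict]) -> List[Dict]:
    """Evaluate every endpoint; the non-compliant ones are the remediation backlog."""
    return [bookmark_encryption_status(e, configs) for e in endpoints]

# Constructed sample responses (not real account data).
SAMPLE_CONFIGS = {
    "glue-endpoint-security-config": {"EncryptionConfiguration": {"JobBookmarksEncryption": {
        "JobBookmarksEncryptionMode": "CSE-KMS",
        "KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"}}},
    "s3-only-config": {"EncryptionConfiguration": {"JobBookmarksEncryption": {
        "JobBookmarksEncryptionMode": "DISABLED"}}},
}
SAMPLE_ENDPOINTS = [
    {"EndpointName": "my-secure-endpoint", "SecurityConfiguration": "glue-endpoint-security-config"},
    {"EndpointName": "legacy-endpoint"},  # created without any security configuration
    {"EndpointName": "partial-endpoint", "SecurityConfiguration": "s3-only-config"},
]

if __name__ == "__main__":
    for r in audit(SAMPLE_ENDPOINTS, SAMPLE_CONFIGS):
        print("PASS" if r["compliant"] else "FAIL", r["endpoint"], "-", r["reason"])
```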
Additional Resources
- AWS Documentation: Glue Security Configurations
- AWS Documentation: Encryption and Secure Access for AWS Glue
- AWS Documentation: Working with Development Endpoints
- AWS Documentation: AWS KMS Concepts
Notes
- Development endpoints are being deprecated: AWS recommends using AWS Glue interactive sessions instead of development endpoints for new workloads. Consider migrating to interactive sessions, which also support security configurations.
- Cannot modify existing endpoints: You cannot add or change the security configuration of an existing development endpoint. You must create a new endpoint with the desired configuration and delete the old one.
- Endpoint provisioning time: Development endpoints can take 5-10 minutes to provision. Plan accordingly when replacing endpoints.
- Costs: Development endpoints incur charges while running. Remember to delete unused endpoints to avoid unnecessary costs.
- KMS key permissions: The IAM role used by the Glue endpoint must have permission to use the KMS key for encryption/decryption. If jobs fail with KMS errors, check the key policy and the role's permissions.
- CSE-KMS encryption: Job bookmark encryption uses client-side encryption (CSE-KMS), meaning data is encrypted before being stored. This provides an additional layer of security compared to server-side encryption.