Glue Security Configuration Encryption Disabled
- Query id: ad5b4e97-2850-4adf-be17-1d293e0b85ee
- Query name: Glue Security Configuration Encryption Disabled
- Platform: Terraform
- Severity: High
- Category: Encryption
- URL: Github
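Description
An 'aws_glue_security_configuration' resource should have all three encryption settings enabled under 'encryption_configuration': 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption'. In the samples below, a configuration is reported when one of these blocks sets its mode to "DISABLED", leaves its mode unset, or names no 'kms_key_arn'.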
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Failing sample 1: cloudwatch_encryption selects SSE-KMS but names no
# kms_key_arn. That is the only difference from the passing sample on this
# page; the other two blocks each set a mode and a key.
resource "aws_glue_security_configuration" "positive1" {
  name = "example"

  encryption_configuration {
    cloudwatch_encryption {
      # No kms_key_arn in this block: this is the element the query reports.
      cloudwatch_encryption_mode = "SSE-KMS"
    }

    job_bookmarks_encryption {
      kms_key_arn                   = data.aws_kms_key.example.arn
      job_bookmarks_encryption_mode = "CSE-KMS"
    }

    s3_encryption {
      s3_encryption_mode = "SSE-KMS"
      kms_key_arn        = data.aws_kms_key.example.arn
    }
  }
}
Positive test num. 2 - tf file
# Failing sample 2: job bookmark encryption is switched off explicitly.
# CloudWatch and S3 encryption are configured the same way as in the passing
# sample on this page.
resource "aws_glue_security_configuration" "positive2" {
  name = "example"

  encryption_configuration {
    cloudwatch_encryption {
      kms_key_arn                = data.aws_kms_key.example.arn
      cloudwatch_encryption_mode = "SSE-KMS"
    }

    job_bookmarks_encryption {
      # A key is named, but the mode is what decides whether bookmarks are
      # encrypted; with "DISABLED" they are written unencrypted.
      kms_key_arn                   = data.aws_kms_key.example.arn
      job_bookmarks_encryption_mode = "DISABLED"
    }

    s3_encryption {
      s3_encryption_mode = "SSE-KMS"
      kms_key_arn        = data.aws_kms_key.example.arn
    }
  }
}
Positive test num. 3 - tf file
# Failing sample 3: job_bookmarks_encryption names a key but sets no mode.
# The AWS provider documents DISABLED as the default for
# job_bookmarks_encryption_mode, so the key alone does not enable encryption.
# NOTE(review): the label "positive2" is shared with the second failing
# sample, presumably a copy-paste leftover; it is harmless while each sample
# lives in its own .tf file.
resource "aws_glue_security_configuration" "positive2" {
  name = "example"

  encryption_configuration {
    cloudwatch_encryption {
      kms_key_arn                = data.aws_kms_key.example.arn
      cloudwatch_encryption_mode = "SSE-KMS"
    }

    job_bookmarks_encryption {
      # job_bookmarks_encryption_mode is omitted on purpose in this sample.
      kms_key_arn = data.aws_kms_key.example.arn
    }

    s3_encryption {
      s3_encryption_mode = "SSE-KMS"
      kms_key_arn        = data.aws_kms_key.example.arn
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Passing sample: each of the three encryption blocks sets an encryption mode
# other than "DISABLED" and names a kms_key_arn.
# The sample covers only this resource. Attaching the security configuration
# to jobs or crawlers, and the key policy behind data.aws_kms_key.example,
# are not shown here and need their own review.
resource "aws_glue_security_configuration" "negative1" {
  name = "example"

  encryption_configuration {
    cloudwatch_encryption {
      kms_key_arn                = data.aws_kms_key.example.arn
      cloudwatch_encryption_mode = "SSE-KMS"
    }

    job_bookmarks_encryption {
      kms_key_arn                   = data.aws_kms_key.example.arn
      job_bookmarks_encryption_mode = "CSE-KMS"
    }

    s3_encryption {
      s3_encryption_mode = "SSE-KMS"
      kms_key_arn        = data.aws_kms_key.example.arn
    }
  }
}