Glue Data Catalog Encryption Disabled

  • Query id: 01d50b14-e933-4c99-b314-6d08cd37ad35
  • Query name: Glue Data Catalog Encryption Disabled
  • Platform: Terraform
  • Severity: High
  • Category: Encryption
  • CWE: 311
  • URL: Github

Description

Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_glue_data_catalog_encryption_settings" "positive1" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = aws_kms_key.test.arn
      return_connection_password_encrypted = false
    }

    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }
  }
}
Positive test num. 2 - tf file
resource "aws_glue_data_catalog_encryption_settings" "positive2" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      return_connection_password_encrypted = true
    }

    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }
  }
}
Positive test num. 3 - tf file
resource "aws_glue_data_catalog_encryption_settings" "positive3" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = aws_kms_key.test.arn
      return_connection_password_encrypted = true
    }

    encryption_at_rest {
      catalog_encryption_mode = "DISABLED"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }
  }
}

Positive test num. 4 - tf file
resource "aws_glue_data_catalog_encryption_settings" "positive4" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = aws_kms_key.test.arn
      return_connection_password_encrypted = true
    }

    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_glue_data_catalog_encryption_settings" "negative1" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = aws_kms_key.test.arn
      return_connection_password_encrypted = true
    }

    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }
  }
}