Glue Data Catalog Encryption Disabled
- Query id: 01d50b14-e933-4c99-b314-6d08cd37ad35
- Query name: Glue Data Catalog Encryption Disabled
- Platform: Terraform
- Severity: High
- Category: Encryption
- CWE: 311
- URL: Github
Description
Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```tf
resource "aws_glue_data_catalog_encryption_settings" "positive1" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = aws_kms_key.test.arn
      return_connection_password_encrypted = false
    }
    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }
  }
}
```
Positive test num. 2 - tf file
```tf
resource "aws_glue_data_catalog_encryption_settings" "positive2" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      return_connection_password_encrypted = true
    }
    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }
  }
}
```
Positive test num. 3 - tf file
```tf
resource "aws_glue_data_catalog_encryption_settings" "positive3" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = aws_kms_key.test.arn
      return_connection_password_encrypted = true
    }
    encryption_at_rest {
      catalog_encryption_mode = "DISABLED"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }
  }
}
```
Positive test num. 4 - tf file
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```tf
resource "aws_glue_data_catalog_encryption_settings" "negative1" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = aws_kms_key.test.arn
      return_connection_password_encrypted = true
    }
    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }
  }
}
```
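The same conditions the query above enforces, written as an added policy check that is not part of the KICS project's code: it inspects one `aws_glue_data_catalog_encryption_settings` resource in the form `terraform show -json` emits (the `values` map under `planned_values.root_module.resources[]`, where nested blocks appear as lists of maps; that shape is assumed here), and the sample inputs are constructed to mirror the positive and negative resources on this page.

```python
"""Policy check mirroring the 'Glue Data Catalog Encryption Disabled' query.

Assumption: `values` is one resource's `values` map from `terraform show -json`,
where nested blocks (data_catalog_encryption_settings, connection_password_encryption,
encryption_at_rest) are lists of maps.
"""
from typing import List


def _first_block(parent: dict, name: str) -> dict:
    """Return the first nested block called `name`, or {} when the block is absent."""
    blocks = parent.get(name) or []
    return blocks[0] if blocks else {}


def check_glue_catalog_encryption(values: dict) -> List[str]:
    """Return findings for the resource; an empty list means it passes the query."""
    findings: List[str] = []
    settings = _first_block(values, "data_catalog_encryption_settings")
    if not settings:
        return ["data_catalog_encryption_settings block is missing"]

    # Connection passwords must be returned encrypted under a customer-managed KMS key.
    pw = _first_block(settings, "connection_password_encryption")
    if pw.get("return_connection_password_encrypted") is not True:
        findings.append("connection_password_encryption.return_connection_password_encrypted is not true")
    if not pw.get("aws_kms_key_id"):
        findings.append("connection_password_encryption.aws_kms_key_id is not set")

    # Catalog metadata must be encrypted at rest with SSE-KMS, not DISABLED.
    rest = _first_block(settings, "encryption_at_rest")
    if rest.get("catalog_encryption_mode") != "SSE-KMS":
        findings.append("encryption_at_rest.catalog_encryption_mode is not SSE-KMS")
    if not rest.get("sse_aws_kms_key_id"):
        findings.append("encryption_at_rest.sse_aws_kms_key_id is not set")
    return findings


# Constructed sample inputs; the key ARN is a placeholder, not a real key.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
NEGATIVE1 = {"data_catalog_encryption_settings": [{
    "connection_password_encryption": [{"aws_kms_key_id": KEY_ARN, "return_connection_password_encrypted": True}],
    "encryption_at_rest": [{"catalog_encryption_mode": "SSE-KMS", "sse_aws_kms_key_id": KEY_ARN}]}]}
POSITIVE1 = {"data_catalog_encryption_settings": [{
    "connection_password_encryption": [{"aws_kms_key_id": KEY_ARN, "return_connection_password_encrypted": False}],
    "encryption_at_rest": [{"catalog_encryption_mode": "SSE-KMS", "sse_aws_kms_key_id": KEY_ARN}]}]}
POSITIVE3 = {"data_catalog_encryption_settings": [{
    "connection_password_encryption": [{"aws_kms_key_id": KEY_ARN, "return_connection_password_encrypted": True}],
    "encryption_at_rest": [{"catalog_encryption_mode": "DISABLED", "sse_aws_kms_key_id": KEY_ARN}]}]}
```

Values that are only known at apply time (such as the ARN of a KMS key created in the same plan) are omitted from plan `values`, so run this against state output or a plan whose key already exists to avoid false "not set" findings.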