Ensure CloudWatch log encryption is enabled for AWS Glue Crawlers

MEDIUM

Description

CloudWatch logs written by AWS Glue can be encrypted. Encryption is considered best practice and can help protect sensitive data. Encryption is also often required by compliance regulations.

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to the Glue Service dashboard.
  2. In the navigation panel select security configurations.
  3. Select the security configuration to edit.
  4. Check that the CloudWatch logs encryption mode is set to ENABLED (encrypted with a KMS key); if it is not, edit the configuration and enable it.

In Terraform -

  1. In the aws_glue_security_configuration resource, set 'encryption_configuration.cloudwatch_encryption.cloudwatch_encryption_mode' to 'ENABLED'.
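
The Terraform remediation above, as an added example that is not part of this page or the Terraform provider documentation. It shows a non-compliant security configuration beside a compliant one and attaches the compliant one to a crawler. Two caveats a practitioner should know: the provider expresses the enabled state as the value SSE-KMS with a kms_key_arn (DISABLED is the only other accepted mode), and when a customer managed key is used, its key policy must let the CloudWatch Logs service principal use the key, or log delivery fails once encryption is on. Resource names, the bucket path, and the IAM role and catalog database referenced by the crawler are placeholders assumed to exist elsewhere.

```hcl
# Added example (not from the page or the provider docs). Names, the KMS key,
# the IAM role, the catalog database and the S3 path are placeholders.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Customer managed key for Glue log encryption. The CloudWatch Logs service
# principal must be allowed to use it, otherwise encrypted log delivery fails.
resource "aws_kms_key" "glue_logs" {
  description         = "Glue CloudWatch log encryption (example)"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "EnableRootAccount"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowCloudWatchLogs"
        Effect    = "Allow"
        Principal = { Service = "logs.${data.aws_region.current.name}.amazonaws.com" }
        Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
        Resource  = "*"
      }
    ]
  })
}

# Non-compliant: CloudWatch log encryption left disabled (what the rule flags).
resource "aws_glue_security_configuration" "noncompliant" {
  name = "glue-sec-config-noncompliant"

  encryption_configuration {
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "DISABLED"
    }
    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "DISABLED"
    }
    s3_encryption {
      s3_encryption_mode = "DISABLED"
    }
  }
}

# Compliant: CloudWatch logs (and the other outputs) encrypted with the key.
resource "aws_glue_security_configuration" "compliant" {
  name = "glue-sec-config-compliant"

  encryption_configuration {
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "SSE-KMS"
      kms_key_arn                = aws_kms_key.glue_logs.arn
    }
    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "CSE-KMS"
      kms_key_arn                   = aws_kms_key.glue_logs.arn
    }
    s3_encryption {
      s3_encryption_mode = "SSE-KMS"
      kms_key_arn        = aws_kms_key.glue_logs.arn
    }
  }
}

# A security configuration only protects a crawler that references it.
resource "aws_glue_crawler" "example" {
  name                   = "example-crawler"
  role                   = aws_iam_role.glue_crawler.arn          # assumed to exist
  database_name          = aws_glue_catalog_database.example.name # assumed to exist
  security_configuration = aws_glue_security_configuration.compliant.name

  s3_target {
    path = "s3://example-bucket/raw/" # placeholder
  }
}
```

Applying only the security configuration is not enough: every aws_glue_crawler (and aws_glue_job) that should be covered needs its security_configuration argument pointing at it, so a review of this rule should also list crawlers with that argument unset.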

References:
https://docs.aws.amazon.com/glue/latest/dg/encryption-security-configuration.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_security_configuration#encryption_configuration

Policy Details

Rule Reference ID: AC_AWS_0129
CSP: AWS
Remediation Available: Yes
Resource Category: Analytics
Resource Type: Glue

Frameworks