AWS Glue Data Catalog settings for connection password encryption are evaluated to confirm an AWS KMS key is configured to encrypt passwords stored in connection properties.
Risk
Unencrypted connection passwords can be read from the catalog or from API responses, letting attackers or over-privileged users obtain database credentials. This jeopardizes the confidentiality of linked data stores, enables unauthorized modifications, and can facilitate lateral movement across environments.
prowler aws --checks glue_data_catalogs_connection_passwords_encryption_enabled
Recommendation
Enable connection password encryption in the Data Catalog with a customer-managed KMS key.
- Apply least privilege to the KMS key and Glue roles
- Prefer keeping responses encrypted (ReturnConnectionPasswordEncrypted)
- Rotate keys and monitor access for defense in depth
Remediation
aws glue put-data-catalog-encryption-settings --data-catalog-encryption-settings '{"ConnectionPasswordEncryption":{"ReturnConnectionPasswordEncrypted":true,"AwsKmsKeyId":"<kms_key_arn>"}}'
- In the AWS Console, go to AWS Glue
- Click Settings (left menu)
- Under Data catalog settings, check Encrypt connection passwords
- Select your KMS key (symmetric CMK)
- Click Save
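The following added example (written for this page, not Prowler's own check code) shows the evaluation described at the top of the page and the remediation payload behind the CLI command above. The check logic operates on the dict shape that glue:GetDataCatalogEncryptionSettings returns, so it runs offline on the constructed sample responses embedded below; the function names, the sample responses and the KMS key ARN are assumptions, and the live boto3 helper at the bottom only runs when credentials are available.

```python
"""Evaluate and remediate AWS Glue Data Catalog connection-password encryption.

Added example, not Prowler's own implementation. The pure functions work on
the "DataCatalogEncryptionSettings" dict returned by
glue:GetDataCatalogEncryptionSettings; audit_region() wraps them with boto3.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses (hypothetical accounts) in the shape of
# glue.get_data_catalog_encryption_settings()["DataCatalogEncryptionSettings"].
SAMPLE_UNENCRYPTED = {
    "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False},
}
SAMPLE_ENCRYPTED = {
    "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
    "ConnectionPasswordEncryption": {
        "ReturnConnectionPasswordEncrypted": True,
        # placeholder ARN, not a real key
        "AwsKmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
    },
}


@dataclass
class Finding:
    status: str            # "PASS" or "FAIL"
    status_extended: str   # human-readable detail, Prowler-style


def evaluate_connection_password_encryption(settings: dict, region: str = "us-east-1") -> Finding:
    """PASS only when passwords are returned encrypted AND a KMS key is configured.

    A missing ConnectionPasswordEncryption block, a False flag, or an absent
    AwsKmsKeyId all count as FAIL, matching the check's intent.
    """
    cpe = settings.get("ConnectionPasswordEncryption") or {}
    encrypted = bool(cpe.get("ReturnConnectionPasswordEncrypted"))
    key_id = cpe.get("AwsKmsKeyId")
    if encrypted and key_id:
        return Finding("PASS", f"Glue data catalog in {region} encrypts connection passwords with KMS key {key_id}.")
    return Finding("FAIL", f"Glue data catalog in {region} does not encrypt connection passwords with a KMS key.")


def remediation_payload(kms_key_arn: str, existing: Optional[dict] = None) -> dict:
    """Build the DataCatalogEncryptionSettings argument for PutDataCatalogEncryptionSettings.

    Existing EncryptionAtRest settings are carried over so that enabling
    password encryption does not silently reset catalog-at-rest encryption.
    """
    payload = dict(existing or {})
    payload["ConnectionPasswordEncryption"] = {
        "ReturnConnectionPasswordEncrypted": True,
        "AwsKmsKeyId": kms_key_arn,
    }
    return payload


def audit_region(region: str, kms_key_arn: Optional[str] = None, apply: bool = False) -> Finding:
    """Run the check against a live account; optionally apply the remediation on FAIL."""
    import boto3  # imported lazily so the pure functions above run without boto3 installed
    glue = boto3.client("glue", region_name=region)
    settings = glue.get_data_catalog_encryption_settings()["DataCatalogEncryptionSettings"]
    finding = evaluate_connection_password_encryption(settings, region)
    if finding.status == "FAIL" and apply and kms_key_arn:
        glue.put_data_catalog_encryption_settings(
            DataCatalogEncryptionSettings=remediation_payload(kms_key_arn, settings)
        )
    return finding


if __name__ == "__main__":
    for name, sample in (("unencrypted", SAMPLE_UNENCRYPTED), ("encrypted", SAMPLE_ENCRYPTED)):
        finding = evaluate_connection_password_encryption(sample)
        print(f"{name}: {finding.status} - {finding.status_extended}")
```

Running the module prints a FAIL for the first constructed sample and a PASS for the second; `audit_region("us-east-1", kms_key_arn="<kms_key_arn>", apply=True)` performs the same PutDataCatalogEncryptionSettings call as the CLI command in the Remediation section, with the KMS key ARN supplied by the operator.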
Resource Type: Other