AWS Glue jobs are assessed for continuous CloudWatch logging, confirming that runtime events and outputs are sent to CloudWatch Logs via the --enable-continuous-cloudwatch-log configuration.
Risk
Missing job logs hide execution details and access patterns, enabling undetected credential abuse, data exfiltration in scripts, or tampering with transforms. This reduces confidentiality and integrity, hinders incident response, and can mask failures that impact availability.
prowler aws --checks glue_etl_jobs_logging_enabled
Recommendation
Enable continuous logging to CloudWatch Logs for all Glue jobs. Centralize logs with retention and KMS encryption, restrict read access, and alert on anomalies and failures. Apply least privilege to job roles and use defense in depth by correlating logs across services.
Remediation
aws glue update-job --job-name <example_resource_name> --job-update '{"DefaultArguments":{"--enable-continuous-cloudwatch-log":"true"}}'
- Open the AWS Glue console and go to Jobs
- Select the job and click Edit
- Expand Advanced properties
- Under Continuous logging, check Enable logs in CloudWatch
- Save
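The following Python is an added example (not Prowler's check code and not an AWS-provided script) that shows both halves of this page: the detection logic the check performs, evaluating each job's DefaultArguments for --enable-continuous-cloudwatch-log, and a remediation payload that merges the flag into the job's existing arguments rather than replacing them. It runs against constructed job definitions shaped like the output of the Glue GetJob API; the set of fields copied into the update and the optional boto3 wiring in main are assumptions of this example.

```python
"""Audit Glue job definitions for continuous CloudWatch logging and build an
UpdateJob payload that preserves the job's other settings.

Added example for this check page; it is not Prowler's implementation.
"""
from typing import Any, Dict, List, Optional

# Argument names as Glue reads them from DefaultArguments.
LOG_FLAG = "--enable-continuous-cloudwatch-log"
LOG_GROUP_ARG = "--continuous-log-logGroup"

# Fields copied from an existing definition into the update (assumption: this
# list covers the commonly used settings; extend it for your jobs).
KEEP_FIELDS = (
    "Description", "Connections", "MaxRetries", "Timeout", "GlueVersion",
    "WorkerType", "NumberOfWorkers", "ExecutionProperty",
    "SecurityConfiguration", "NotificationProperty", "Tags",
)


def continuous_logging_enabled(job: Dict[str, Any]) -> bool:
    """True only when DefaultArguments carries the flag with value "true".

    Glue treats the flag as a string; a missing key, "false" or any other
    value leaves continuous logging off, which is what the check reports.
    """
    args = job.get("DefaultArguments") or {}
    return str(args.get(LOG_FLAG, "")).strip().lower() == "true"


def find_noncompliant(jobs: List[Dict[str, Any]]) -> List[str]:
    """Names of jobs that would fail glue_etl_jobs_logging_enabled."""
    return [job["Name"] for job in jobs if not continuous_logging_enabled(job)]


def build_job_update(job: Dict[str, Any],
                     log_group: Optional[str] = None) -> Dict[str, Any]:
    """Build the JobUpdate body for glue.update_job / aws glue update-job.

    UpdateJob replaces the job definition with what is supplied, so the
    existing DefaultArguments are merged instead of overwritten and the
    job's role, command and other settings are carried over.
    """
    merged = dict(job.get("DefaultArguments") or {})
    merged[LOG_FLAG] = "true"
    if log_group:
        merged[LOG_GROUP_ARG] = log_group
    update: Dict[str, Any] = {
        "Role": job["Role"],
        "Command": job["Command"],
        "DefaultArguments": merged,
    }
    for key in KEEP_FIELDS:
        if key in job:
            update[key] = job[key]
    # MaxCapacity and worker settings are mutually exclusive in UpdateJob.
    if "NumberOfWorkers" not in job and "MaxCapacity" in job:
        update["MaxCapacity"] = job["MaxCapacity"]
    return update


# Constructed sample definitions in the shape of GetJob responses.
SAMPLE_JOBS: List[Dict[str, Any]] = [
    {
        "Name": "customer-load",
        "Role": "arn:aws:iam::123456789012:role/glue-customer-load",
        "Command": {"Name": "glueetl", "ScriptLocation": "s3://example-bucket/load.py"},
        "DefaultArguments": {LOG_FLAG: "true", "--job-language": "python"},
        "GlueVersion": "4.0", "WorkerType": "G.1X", "NumberOfWorkers": 2,
    },
    {
        "Name": "orders-etl",
        "Role": "arn:aws:iam::123456789012:role/glue-orders-etl",
        "Command": {"Name": "glueetl", "ScriptLocation": "s3://example-bucket/orders.py"},
        "DefaultArguments": {"--job-language": "python", "--TempDir": "s3://example-bucket/tmp/"},
        "GlueVersion": "4.0", "MaxCapacity": 10.0, "Timeout": 60,
    },
]


def main() -> None:
    """Offline demo; with boto3 installed, audit the real account instead."""
    try:
        import boto3  # assumption: credentials and glue:GetJobs are available
        glue = boto3.client("glue")
        jobs = [j for page in glue.get_paginator("get_jobs").paginate()
                for j in page["Jobs"]]
    except Exception:
        jobs = SAMPLE_JOBS
    for name in find_noncompliant(jobs):
        print(f"FAIL {name}: continuous CloudWatch logging is not enabled")


if __name__ == "__main__":
    main()
```

The merge matters because a DefaultArguments map containing only the logging flag would drop arguments such as --TempDir or --job-language that the job relies on; feed the returned dict to glue.update_job(JobName=..., JobUpdate=...) or serialize it for the --job-update option of the CLI command above.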
Source Code
Resource Type
Other