[DEPRECATED] Ensure that Glue ETL Jobs have CloudWatch logs enabled.
Risk
Without logging enabled, AWS Glue jobs lack visibility into job activities and failures, making it difficult to detect unauthorized access, troubleshoot issues, and ensure compliance. This may result in untracked security incidents or operational issues that affect data processing.
Run this check with Prowler CLI
prowler aws --checks glue_etl_jobs_logging_enabled
ARN template
arn:partition:glue:region:account-id:job/job-name
Remediation
aws glue update-job --job-name <job-name> --job-update '{"Role":"<role-arn>","Command":{"Name":"<command-name>","ScriptLocation":"<script-location>"},"DefaultArguments":{"--enable-continuous-cloudwatch-log":"true"}}'
https://docs.aws.amazon.com/securityhub/latest/userguide/glue-controls.html#glue-2
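Enable logging for AWS Glue jobs to capture and monitor job events. Logging allows for better visibility into job performance, error detection, and security oversight. Because update-job overwrites the previous job definition, carry over the job's existing role, command and other default arguments when adding the logging flag.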
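The sketch below is an added example, not Prowler's or AWS's own code. It evaluates job definitions for the flag used in the remediation command and, for each failing job, builds a --job-update payload that keeps the existing definition. The sample jobs, the account ID, and the set of fields dropped before the update are assumptions.

```python
import json

FLAG = "--enable-continuous-cloudwatch-log"
# Assumption: get-job fields that update-job's JobUpdate does not accept.
NOT_IN_UPDATE = {"Name", "CreatedOn", "LastModifiedOn", "AllocatedCapacity"}

# Constructed sample data shaped like `aws glue get-jobs` output (not real jobs).
SAMPLE_JOBS = [
    {"Name": "orders-etl", "Role": "<role-arn>", "CreatedOn": "2024-01-01",
     "Command": {"Name": "glueetl", "ScriptLocation": "s3://example-bucket/orders.py"},
     "WorkerType": "G.1X", "NumberOfWorkers": 2, "DefaultArguments": {FLAG: "true"}},
    {"Name": "legacy-export", "Role": "<role-arn>", "MaxCapacity": 2.0,
     "Command": {"Name": "glueetl", "ScriptLocation": "s3://example-bucket/export.py"},
     "WorkerType": "G.1X", "NumberOfWorkers": 2,
     "DefaultArguments": {"--TempDir": "s3://example-bucket/tmp/"}},
    {"Name": "nightly-sync", "Role": "<role-arn>", "MaxCapacity": 0.0625,
     "Command": {"Name": "pythonshell", "ScriptLocation": "s3://example-bucket/sync.py"}},
]


def logging_enabled(job):
    """True when the job's default arguments switch continuous logging on."""
    args = job.get("DefaultArguments") or {}
    return str(args.get(FLAG, "")).strip().lower() == "true"


def job_arn(job, partition, region, account_id):
    """Fill in the page's ARN template for reporting."""
    return f"arn:{partition}:glue:{region}:{account_id}:job/{job['Name']}"


def build_job_update(job):
    """Copy the current definition and add the flag, so the overwrite loses nothing."""
    update = {k: v for k, v in job.items() if k not in NOT_IN_UPDATE}
    if "WorkerType" in update:  # MaxCapacity must not be sent with WorkerType
        update.pop("MaxCapacity", None)
    update["DefaultArguments"] = {**(job.get("DefaultArguments") or {}), FLAG: "true"}
    return update


def audit(jobs, partition, region, account_id):
    """Return (arn, status, job_update_or_None) for each job."""
    return [(job_arn(j, partition, region, account_id),
             "PASS" if logging_enabled(j) else "FAIL",
             None if logging_enabled(j) else build_job_update(j)) for j in jobs]


if __name__ == "__main__":
    for arn, status, update in audit(SAMPLE_JOBS, "aws", "us-east-1", "111122223333"):
        print(status, arn, json.dumps(update) if update else "")
```

The JSON printed for a failing job can be passed as the --job-update value once the placeholder role is replaced with the job's real one.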
Resource Type
AwsGlueJob