This check evaluates whether each AWS Glue ML transform encrypts its ML user data at rest with an AWS KMS key. The finding highlights transforms where that encryption is not configured.
Risk
Without encryption, confidentiality is weakened: transform artifacts, mappings, and sample datasets may be readable via storage access, backups, or cross-account exposure. This can lead to data disclosure and aid lateral movement by revealing schemas and data relationships.
prowler aws --checks glue_ml_transform_encrypted_at_rest
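The following Python script is an added example, not Prowler's own check implementation. It applies the same pass/fail logic to the response shape of the Glue GetMLTransforms API: a transform passes only when MlUserDataEncryptionMode is SSE-KMS, and a transform with no TransformEncryption block at all is treated as DISABLED. The sample transform records are constructed; fetch_ml_transforms and remediate expect a boto3 Glue client (assumed, not imported here) and are only needed against a live account.

```python
"""Audit AWS Glue ML transforms for KMS encryption of ML user data.

Added example, not Prowler's own code. Works offline on the constructed
records below; pass a boto3 Glue client to fetch_ml_transforms/remediate
for live use.
"""
from typing import Iterable, Iterator, List, Optional

ENCRYPTED_MODE = "SSE-KMS"


def encryption_mode(transform: dict) -> str:
    """Return the configured MlUserDataEncryptionMode, defaulting to DISABLED.

    A transform created without TransformEncryption carries no such key at
    all, which is equivalent to encryption being off.
    """
    return (
        transform.get("TransformEncryption", {})
        .get("MlUserDataEncryption", {})
        .get("MlUserDataEncryptionMode", "DISABLED")
    )


def kms_key_id(transform: dict) -> Optional[str]:
    """Return the KMS key ARN/ID in use, or None when none is configured."""
    return (
        transform.get("TransformEncryption", {})
        .get("MlUserDataEncryption", {})
        .get("KmsKeyId")
    )


def is_encrypted_at_rest(transform: dict) -> bool:
    """True only when the transform explicitly uses SSE-KMS for user data."""
    return encryption_mode(transform) == ENCRYPTED_MODE


def audit(transforms: Iterable[dict]) -> List[dict]:
    """Produce one PASS/FAIL finding per transform, like a check report."""
    findings = []
    for t in transforms:
        findings.append({
            "transform_id": t.get("TransformId"),
            "name": t.get("Name"),
            "status": "PASS" if is_encrypted_at_rest(t) else "FAIL",
            "mode": encryption_mode(t),
            "kms_key_id": kms_key_id(t),
        })
    return findings


def fetch_ml_transforms(glue_client) -> Iterator[dict]:
    """Page through GetMLTransforms with a boto3 Glue client (live use only)."""
    kwargs = {}
    while True:
        resp = glue_client.get_ml_transforms(**kwargs)
        yield from resp.get("Transforms", [])
        token = resp.get("NextToken")
        if not token:
            return
        kwargs = {"NextToken": token}


def remediate(glue_client, transform_id: str, kms_key_arn: str) -> None:
    """Enable SSE-KMS on one transform; same API call as the CLI remediation."""
    glue_client.update_ml_transform(
        TransformId=transform_id,
        TransformEncryption={
            "MlUserDataEncryption": {
                "MlUserDataEncryptionMode": ENCRYPTED_MODE,
                "KmsKeyId": kms_key_arn,
            }
        },
    )


# Constructed sample records in the GetMLTransforms response shape (not real resources).
SAMPLE_TRANSFORMS = [
    {"TransformId": "tfm-0001-example", "Name": "dedupe-customers",
     "TransformEncryption": {"MlUserDataEncryption": {
         "MlUserDataEncryptionMode": "SSE-KMS",
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"}}},
    {"TransformId": "tfm-0002-example", "Name": "match-addresses",
     "TransformEncryption": {"MlUserDataEncryption": {
         "MlUserDataEncryptionMode": "DISABLED"}}},
    {"TransformId": "tfm-0003-example", "Name": "legacy-linkage"},  # no encryption block at all
]

if __name__ == "__main__":
    for f in audit(SAMPLE_TRANSFORMS):
        print(f"{f['status']}: {f['name']} ({f['transform_id']}) mode={f['mode']}")
```

Against the sample records the first transform passes and the other two fail; the third case is the one worth keeping in mind, since the absence of a TransformEncryption block is easy to misread as "nothing to report" rather than as unencrypted.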
Recommendation
Enable KMS-backed encryption at rest for all ML transforms and prefer customer-managed keys.
- Apply least privilege key policies and rotate keys
- Enforce defense in depth with network and IAM controls
- Monitor key usage and transform access with audit logs
Remediation
aws glue update-ml-transform --transform-id <transform-id> --transform-encryption '{"MlUserDataEncryption":{"MlUserDataEncryptionMode":"SSE-KMS","KmsKeyId":"<kms-key-arn>"}}'
- In the AWS Management Console, open AWS Glue
- Go to Machine learning > Transforms and select the target transform
- Click Edit
- Under Encryption, enable ML user data encryption
- Choose an AWS KMS key
- Save changes
Resource Type
Other