chore(aws): enhance metadata for glue service (#9258)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
Rubén De la Torre Vico
2025-12-15 12:07:11 +01:00
committed by GitHub
parent b4ce01afd4
commit ab475bafc3
13 changed files with 222 additions and 140 deletions


@@ -9,11 +9,17 @@ All notable changes to the **Prowler SDK** are documented in this file.
- `privilege-escalation` and `ec2-imdsv1` categories for AWS checks [(#9536)](https://github.com/prowler-cloud/prowler/pull/9536)
- Supported IaC formats and scanner documentation for the IaC provider [(#9553)](https://github.com/prowler-cloud/prowler/pull/9553)
### Changed
- Update AWS Glue service metadata to new format [(#9258)](https://github.com/prowler-cloud/prowler/pull/9258)
---
## [5.15.1] (Prowler UNRELEASED)
### Fixed
- Fix false negative in AWS `apigateway_restapi_logging_enabled` check by refining stage logging evaluation to ensure logging level is not set to "OFF" [(#9304)](https://github.com/prowler-cloud/prowler/pull/9304)
- Fix typo `trustboundaries` category to `trust-boundaries` [(#9536)](https://github.com/prowler-cloud/prowler/pull/9536)
---
## [5.15.0] (Prowler v5.15.0)
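Review bot: the changelog entry "Update AWS Glue service metadata to new format" undersells the user-visible changes in this commit. Several checks move from `"Severity": "medium"` to `"Severity": "high"` (connection password encryption, connection SSL, ETL job S3 encryption), CheckType lists are extended, and ResourceType values such as `AwsGlueDataCatalog` and `AwsGlueJob` become `Other`, so severity-based filters and compliance mappings will shift for users. Suggest listing the severity bumps explicitly in the entry, in the same style as the `apigateway_restapi_logging_enabled` line below it.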


@@ -1,28 +1,34 @@
{
"Provider": "aws",
"CheckID": "glue_data_catalogs_connection_passwords_encryption_enabled",
"CheckTitle": "Check if Glue data catalog settings have encrypt connection password enabled.",
"CheckTitle": "Glue data catalog connection password is encrypted with a KMS key",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "glue",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Other",
"Description": "Check if Glue data catalog settings have encrypt connection password enabled.",
"Risk": "If not enabled sensitive information at rest is not protected.",
"Description": "**AWS Glue Data Catalog** settings for **connection password encryption** are evaluated to confirm an AWS KMS key is configured to encrypt passwords stored in connection properties.",
"Risk": "Unencrypted connection passwords can be read from the catalog or responses, letting attackers or over-privileged users obtain database credentials. This jeopardizes confidentiality of linked data stores, enables unauthorized modifications, and can facilitate lateral movement across environments.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/glue/latest/dg/aws-glue-api-jobs-security.html",
"https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html"
],
"Remediation": {
"Code": {
"CLI": "aws glue put-data-catalog-encryption-settings --data-catalog-encryption-settings ConnectionPasswordEncryption={ReturnConnectionPasswordEncrypted=True,AwsKmsKeyId=<ksm_key_arn>",
"NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_37#cloudformation",
"Other": "",
"Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_37#terraform"
"CLI": "aws glue put-data-catalog-encryption-settings --data-catalog-encryption-settings '{\"ConnectionPasswordEncryption\":{\"ReturnConnectionPasswordEncrypted\":true,\"AwsKmsKeyId\":\"<kms_key_arn>\"}}'",
"NativeIaC": "```yaml\n# CloudFormation: enable Glue Data Catalog connection password encryption\nResources:\n <example_resource_name>:\n Type: AWS::Glue::DataCatalogEncryptionSettings\n Properties:\n DataCatalogEncryptionSettings:\n ConnectionPasswordEncryption:\n ReturnConnectionPasswordEncrypted: true # Critical: encrypts connection passwords\n KmsKeyId: <kms_key_arn> # Critical: KMS key used for encryption\n```",
"Other": "1. In the AWS Console, go to AWS Glue\n2. Click Settings (left menu)\n3. Under Data catalog settings, check Encrypt connection passwords\n4. Select your KMS key (symmetric CMK)\n5. Click Save",
"Terraform": "```hcl\n# Enable Glue Data Catalog connection password encryption\nresource \"aws_glue_data_catalog_encryption_settings\" \"<example_resource_name>\" {\n data_catalog_encryption_settings {\n # Critical: enables password encryption with a KMS key\n connection_password_encryption {\n return_connection_password_encrypted = true\n aws_kms_key_id = \"<kms_key_arn>\"\n }\n\n # Required block for this resource; keep minimal\n encryption_at_rest {\n catalog_encryption_mode = \"DISABLED\"\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "On the AWS Glue console, you can enable this option on the Data catalog settings page.",
"Url": "https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html"
"Text": "Enable **connection password encryption** in the Data Catalog with a customer-managed KMS key.\n- Apply **least privilege** to the KMS key and Glue roles\n- Prefer keeping responses encrypted (`ReturnConnectionPasswordEncrypted`)\n- Rotate keys and monitor access for **defense in depth**",
"Url": "https://hub.prowler.com/check/glue_data_catalogs_connection_passwords_encryption_enabled"
}
},
"Categories": [
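Review bot: the Terraform remediation's `encryption_at_rest { catalog_encryption_mode = "DISABLED" }` block, commented "Required block for this resource; keep minimal", would switch catalog metadata encryption off on apply for any account that already has SSE-KMS configured, which is exactly what the sibling check glue_data_catalogs_metadata_encryption_enabled in this same commit requires. Suggest `catalog_encryption_mode = "SSE-KMS"` there, or at least a comment saying the existing value must be carried over rather than set to DISABLED. Separately, the severity goes from medium to high and the ResourceIdTemplate is blanked while the CheckType list is unchanged; worth confirming both are intended by the new format rather than incidental.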


@@ -1,28 +1,35 @@
{
"Provider": "aws",
"CheckID": "glue_data_catalogs_metadata_encryption_enabled",
"CheckTitle": "Check if Glue data catalog settings have metadata encryption enabled.",
"CheckTitle": "Glue Data Catalog metadata is encrypted with KMS",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "glue",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"Description": "Check if Glue data catalog settings have metadata encryption enabled.",
"Risk": "If not enabled sensitive information at rest is not protected.",
"Description": "**AWS Glue Data Catalog** metadata is encrypted at rest when catalog settings use **SSE-KMS** with a KMS key.\n\nCatalogs that do not configure `SSE-KMS` for metadata are considered unencrypted.",
"Risk": "Unencrypted catalog metadata exposes schemas, partitions, and data locations, reducing **confidentiality**.\n\nAdversaries or over-privileged users can conduct **reconnaissance** and plan lateral movement; tampering with definitions can corrupt queries and results, impacting **integrity**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html",
"https://docs.amazonaws.cn/en_us/athena/latest/ug/encryption.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/data-catalog-encryption-at-rest-with-cmk.html",
"https://support.icompaas.com/support/solutions/articles/62000233381-ensure-glue-data-catalogs-are-not-publicly-accessible-"
],
"Remediation": {
"Code": {
"CLI": "aws glue put-data-catalog-encryption-settings --data-catalog-encryption-settings EncryptionAtRest={CatalogEncryptionMode=SSE-KMS,SseAwsKmsKeyId=<ksm_key_arn>",
"NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_37#cloudformation",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/data-catalog-encryption-at-rest.html",
"Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_37#terraform"
"CLI": "aws glue put-data-catalog-encryption-settings --data-catalog-encryption-settings '{\"EncryptionAtRest\":{\"CatalogEncryptionMode\":\"SSE-KMS\"}}'",
"NativeIaC": "```yaml\n# Enable Glue Data Catalog metadata encryption with KMS\nResources:\n <example_resource_name>:\n Type: AWS::Glue::DataCatalogEncryptionSettings\n Properties:\n DataCatalogEncryptionSettings:\n EncryptionAtRest:\n CatalogEncryptionMode: SSE-KMS # Critical: enables KMS encryption for catalog metadata\n```",
"Other": "1. In the AWS Console, go to AWS Glue\n2. Open Data Catalog > Settings\n3. Under Security configuration and encryption, check Metadata encryption\n4. Leave the default AWS managed key selected (or choose a KMS key)\n5. Click Save",
"Terraform": "```hcl\n# Enable Glue Data Catalog metadata encryption with KMS\nresource \"aws_glue_data_catalog_encryption_settings\" \"<example_resource_name>\" {\n data_catalog_encryption_settings {\n encryption_at_rest {\n catalog_encryption_mode = \"SSE-KMS\" # Critical: turns on KMS encryption for catalog metadata\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.",
"Url": "https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html"
"Text": "Enable metadata encryption with **`SSE-KMS`**, preferably using a **customer-managed KMS key** for control and rotation.\n\nApply **least privilege** to KMS and catalog access, restrict who can change settings, and monitor key usage. Use **defense in depth** by encrypting related analytics assets consistently.",
"Url": "https://hub.prowler.com/check/glue_data_catalogs_metadata_encryption_enabled"
}
},
"Categories": [
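Review bot: the Recommendation text asks for a customer-managed KMS key, but the new CLI `'{"EncryptionAtRest":{"CatalogEncryptionMode":"SSE-KMS"}}'`, the CloudFormation snippet and the Terraform snippet all omit the key id, so every example falls back to the AWS managed key; the old CLI carried `SseAwsKmsKeyId` and needed only the `<ksm_key_arn>` typo and the missing closing brace fixed. Suggest keeping `SseAwsKmsKeyId` in the CLI and CloudFormation and `sse_aws_kms_key_id` in Terraform, with a `<kms_key_arn>` placeholder. Also, the Terraform snippet drops the `connection_password_encryption` block, which the provider marks as required alongside `encryption_at_rest` (the connection-password hunk in this same commit keeps both blocks for that reason), so the snippet as written would not pass `terraform validate`.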


@@ -1,28 +1,35 @@
{
"Provider": "aws",
"CheckID": "glue_data_catalogs_not_publicly_accessible",
"CheckTitle": "Ensure Glue Data Catalogs are not publicly accessible.",
"CheckTitle": "Glue Data Catalog is not publicly accessible via its resource policy",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"TTPs/Initial Access",
"Effects/Data Exposure"
],
"ServiceName": "glue",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:glue:region:account-id:catalog",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsGlueDataCatalog",
"Description": "This control checks whether Glue Data Catalogs are not publicly accessible via resource policies.",
"Risk": "Publicly accessible Glue Data Catalogs can expose sensitive data schema and metadata, leading to potential security risks.",
"RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/security_iam_service-with-iam.html?icmpid=docs_console_unmapped#security_iam_service-with-iam-resource-based-policies",
"ResourceType": "Other",
"Description": "**AWS Glue Data Catalog** resource policies are assessed for configurations that expose the catalog to anyone, such as `Principal: *`, broad resource scopes, or permissive conditions.\n\nThe finding highlights catalogs made public through overly permissive resource-based access.",
"Risk": "Public catalog access lets unauthorized actors enumerate schemas, S3 locations, and connection metadata, weakening **confidentiality**. If writes are exposed, attackers can alter databases/tables, corrupt lineage, and disrupt jobs and queries, harming **integrity** and **availability**, and enabling lateral movement to data stores.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/glue/latest/dg/security_iam_service-with-iam.html?icmpid=docs_console_unmapped#security_iam_service-with-iam-resource-based-policies",
"https://docs.aws.amazon.com/glue/latest/dg/cross-account-access.html"
],
"Remediation": {
"Code": {
"CLI": "aws glue delete-resource-policy",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"Other": "1. Sign in to the AWS Console and open the Glue service\n2. In the left menu, click Settings\n3. Under Data catalog settings > Permissions, click Edit resource policy\n4. Remove any statement that has Principal set to * (public) or AWS: \"*\"; or delete the entire policy\n5. Click Save",
"Terraform": "```hcl\nresource \"aws_glue_resource_policy\" \"<example_resource_name>\" {\n policy = jsonencode({\n Version = \"2012-10-17\",\n Statement = [\n {\n Effect = \"Allow\",\n Principal = { AWS = \"arn:aws:iam::<ACCOUNT_ID>:root\" } # Critical: restricts to your account, removing any public (*) access\n Action = \"glue:*\",\n Resource = \"arn:aws:glue:<REGION>:<ACCOUNT_ID>:catalog\"\n }\n ]\n })\n}\n```"
},
"Recommendation": {
"Text": "Review Glue Data Catalog policies and ensure they are not publicly accessible. Implement the Principle of Least Privilege.",
"Url": "https://docs.aws.amazon.com/glue/latest/dg/security_iam_service-with-iam.html?icmpid=docs_console_unmapped#security_iam_service-with-iam-resource-based-policies"
"Text": "Enforce **least privilege** on catalog resource policies:\n- Avoid `Principal: *` and wildcards\n- Grant only required actions to explicit principals\n- Prefer identity-based access or Lake Formation for sharing\n- Limit scope with precise ARNs/conditions and monitor changes for **defense in depth**",
"Url": "https://hub.prowler.com/check/glue_data_catalogs_not_publicly_accessible"
}
},
"Categories": [
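Review bot: `ResourceType` moves from `AwsGlueDataCatalog` to `Other` and the concrete `arn:aws:glue:region:account-id:catalog` template is blanked, which discards the only specific resource typing these files had; unless the new format forbids them, keep both. On the Terraform remediation, the replacement policy grants `Action = "glue:*"` on the catalog to the account root, so it removes public access but is still a wildcard action grant, which sits oddly next to the Recommendation's "Grant only required actions to explicit principals". Suggest listing the specific actions, or noting that the CLI's `aws glue delete-resource-policy` is the simpler fix when no cross-account sharing is needed.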


@@ -1,28 +1,34 @@
{
"Provider": "aws",
"CheckID": "glue_database_connections_ssl_enabled",
"CheckTitle": "Check if Glue database connection has SSL connection enabled.",
"CheckTitle": "Glue connection has SSL enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "glue",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Other",
"Description": "Check if Glue database connection has SSL connection enabled.",
"Risk": "Data exfiltration could happen if information is not protected in transit.",
"RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/encryption-in-transit.html",
"Description": "**AWS Glue connections** require **TLS/SSL** for JDBC when the `JDBC_ENFORCE_SSL` property is set to `true`.\n\nThis evaluates connection definitions to confirm SSL is enforced for traffic to external data stores.",
"Risk": "Absent TLS enforcement, JDBC traffic-including credentials, queries, and results-can be **intercepted or modified** in transit.\n\nThis enables:\n- Confidentiality loss via sniffing/MITM\n- Integrity tampering of queries/results\n- Credential theft leading to broader database access",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/glue/latest/dg/encryption-in-transit.html",
"https://support.icompaas.com/support/solutions/articles/62000233690-ensure-glue-connections-have-ssl-enabled"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws glue update-connection --name <example_resource_name> --connection-input '{\"Name\":\"<example_resource_name>\",\"ConnectionType\":\"JDBC\",\"ConnectionProperties\":{\"JDBC_CONNECTION_URL\":\"<example_jdbc_url>\",\"JDBC_ENFORCE_SSL\":\"true\"}}'",
"NativeIaC": "```yaml\n# CloudFormation: Enable SSL on a Glue JDBC connection\nResources:\n <example_resource_name>:\n Type: AWS::Glue::Connection\n Properties:\n ConnectionInput:\n ConnectionType: JDBC\n ConnectionProperties:\n JDBC_CONNECTION_URL: \"<example_jdbc_url>\"\n JDBC_ENFORCE_SSL: \"true\" # Critical: forces SSL for the JDBC connection\n```",
"Other": "1. Open the AWS Console and go to AWS Glue > Data Catalog > Connections\n2. Select the connection and click Edit\n3. In Connection properties (Advanced properties), add key JDBC_ENFORCE_SSL with value true (or check Require SSL)\n4. Click Save",
"Terraform": "```hcl\n# Terraform: Enable SSL on a Glue JDBC connection\nresource \"aws_glue_connection\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n connection_type = \"JDBC\"\n\n connection_properties = {\n JDBC_CONNECTION_URL = \"<example_jdbc_url>\"\n JDBC_ENFORCE_SSL = \"true\" # Critical: forces SSL for the JDBC connection\n }\n}\n```"
},
"Recommendation": {
"Text": "Configure encryption settings for crawlers, ETL jobs and development endpoints using security configurations in AWS Glue.",
"Url": "https://docs.aws.amazon.com/glue/latest/dg/encryption-in-transit.html"
"Text": "Enforce **TLS** on all Glue connections (set `JDBC_ENFORCE_SSL=true`) and require encryption on target databases.\n\nApply **defense in depth**: validate certificates, restrict network exposure, prefer private connectivity, and use **least-privilege** credentials with rotation.",
"Url": "https://hub.prowler.com/check/glue_database_connections_ssl_enabled"
}
},
"Categories": [
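Review bot: `aws glue update-connection --connection-input` replaces the whole connection definition, so the CLI as written would drop any existing `USERNAME`/`PASSWORD` properties and the `PhysicalConnectionRequirements` (VPC, subnet, security groups) from the connection. Suggest a note telling the reader to run `aws glue get-connection` first and merge `JDBC_ENFORCE_SSL` into the existing properties, or that every existing property must be repeated in the new input. The Description should also say that `JDBC_ENFORCE_SSL` only applies to `ConnectionType: JDBC`; the title "Glue connection has SSL enabled" reads as if it covered every connection type. Minor: the Risk text uses bare hyphens as dashes ("traffic-including credentials, queries, and results-can be").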


@@ -1,28 +1,34 @@
{
"Provider": "aws",
"CheckID": "glue_development_endpoints_cloudwatch_logs_encryption_enabled",
"CheckTitle": "Check if Glue development endpoints have CloudWatch logs encryption enabled.",
"CheckTitle": "Glue development endpoint has CloudWatch Logs encryption enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "glue",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"Description": "Check if Glue development endpoints have CloudWatch logs encryption enabled.",
"Risk": "If not enabled sensitive information at rest is not protected.",
"RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
"Description": "**AWS Glue development endpoints** are assessed for an associated **security configuration** that enables **CloudWatch Logs encryption**. It confirms the endpoint references a configuration and that log encryption is not `DISABLED`.",
"Risk": "Unencrypted Glue logs erode **confidentiality**: credentials, connection strings, and data samples may be readable to unintended principals, enabling **lateral movement**.\nLack of KMS-backed encryption weakens **auditability** and **separation of duties**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/cloud-watch-logs-encryption-enabled.html"
],
"Remediation": {
"Code": {
"CLI": "aws glue create-security-configuration --name cw-encrypted-sec-config --encryption-configuration {'CloudWatchEncryption': [{'CloudWatchEncryptionMode': 'SSE-KMS','KmsKeyArn': <kms_arn>}]}",
"NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#cloudformation",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/cloud-watch-logs-encryption-enabled.html",
"Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#terraform"
"CLI": "",
"NativeIaC": "```yaml\n# CloudFormation: Glue Security Configuration with CloudWatch Logs encryption enabled\nResources:\n <example_resource_name>:\n Type: AWS::Glue::SecurityConfiguration\n Properties:\n Name: <example_resource_name>\n EncryptionConfiguration:\n CloudWatchEncryption:\n CloudWatchEncryptionMode: SSE-KMS # Critical: enables CloudWatch Logs encryption\n KmsKeyArn: <kms_key_arn> # Critical: KMS key used for encrypting Glue logs\n```",
"Other": "1. In the AWS Console, go to Glue > Security configurations > Add security configuration\n2. Enter a name and enable CloudWatch Logs encryption\n3. Select a KMS key (or enter its ARN) and click Create\n4. Go to Glue > Dev endpoints\n5. Create a new Dev endpoint (or delete and recreate the existing one) and select the new Security configuration\n6. Create the endpoint to apply the encryption",
"Terraform": "```hcl\n# Glue Security Configuration with CloudWatch Logs encryption enabled\nresource \"aws_glue_security_configuration\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n encryption_configuration {\n cloudwatch_encryption {\n cloudwatch_encryption_mode = \"SSE-KMS\" # Critical: enables CloudWatch Logs encryption\n kms_key_arn = \"<kms_key_arn>\" # Critical: KMS key used for encrypting Glue logs\n }\n\n # Required blocks for valid config (kept minimal)\n job_bookmarks_encryption { job_bookmarks_encryption_mode = \"DISABLED\" }\n s3_encryption { s3_encryption_mode = \"DISABLED\" }\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable Encryption in the Security configurations.",
"Url": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html"
"Text": "Attach a **security configuration** to all development endpoints with **CloudWatch Logs encryption** enabled using a tightly scoped **KMS key**.\nApply **least privilege** to key and log access, rotate keys, and standardize configs via IaC to enforce **defense in depth**.",
"Url": "https://hub.prowler.com/check/glue_development_endpoints_cloudwatch_logs_encryption_enabled"
}
},
"Categories": [
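Review bot: the CLI field goes from a malformed command to an empty string rather than to a corrected one. The old command was wrong only in shape (`CloudWatchEncryption` is a single structure, not a list, and the value needs quoting for the shell); a working form in the JSON style the other hunks adopted is `aws glue create-security-configuration --name <example_resource_name> --encryption-configuration '{"CloudWatchEncryption":{"CloudWatchEncryptionMode":"SSE-KMS","KmsKeyArn":"<kms_key_arn>"}}'`. The Terraform snippet's "Required blocks for valid config (kept minimal)" comment is correct for the provider; the job-bookmark and S3 hunks in this same commit omit those blocks and should match this one.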


@@ -1,28 +1,33 @@
{
"Provider": "aws",
"CheckID": "glue_development_endpoints_job_bookmark_encryption_enabled",
"CheckTitle": "Check if Glue development endpoints have Job bookmark encryption enabled.",
"CheckTitle": "Glue development endpoint has Job Bookmark encryption enabled",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "glue",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"Description": "Check if Glue development endpoints have Job bookmark encryption enabled.",
"Risk": "If not enabled sensitive information at rest is not protected.",
"RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
"Description": "**AWS Glue development endpoints** are assessed for an attached **security configuration** where **job bookmark encryption** is enabled. Endpoints lacking a security configuration are also identified.",
"Risk": "Unencrypted job bookmarks stored in S3 can be read or altered, exposing dataset paths, partitions, and processing state. This enables data discovery, state tampering, and replay/skip of workloads, impacting **confidentiality**, **integrity**, and **availability** of ETL pipelines.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/job-bookmark-encryption-enabled.html"
],
"Remediation": {
"Code": {
"CLI": "aws glue create-security-configuration --name jb-encrypted-sec-config --encryption-configuration {'JobBookmarksEncryption': [{'JobBookmarksEncryptionMode': 'SSE-KMS','KmsKeyArn': <kms_arn>}]}",
"NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#cloudformation",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/job-bookmark-encryption-enabled.html",
"Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#terraform"
"CLI": "",
"NativeIaC": "```yaml\n# CloudFormation: Enable Job Bookmark encryption and attach to the Dev Endpoint\nResources:\n GlueSecurityConfiguration:\n Type: AWS::Glue::SecurityConfiguration\n Properties:\n Name: <example_resource_name>\n EncryptionConfiguration:\n JobBookmarksEncryption:\n JobBookmarksEncryptionMode: CSE-KMS # Critical: enables Job Bookmark encryption\n KmsKeyArn: <example_kms_key_arn> # Critical: KMS key used for Job Bookmark encryption\n\n GlueDevEndpoint:\n Type: AWS::Glue::DevEndpoint\n Properties:\n RoleArn: <example_role_arn>\n SecurityConfiguration: !Ref GlueSecurityConfiguration # Critical: attach the security configuration to the Dev Endpoint\n```",
"Other": "1. In the AWS Console, go to Glue > Security configurations > Add security configuration\n2. Enter a name, then under Advanced settings enable Job bookmark encryption and select a KMS key (or enter its ARN); Save\n3. Go to Glue > Dev endpoints\n4. Create a new Dev endpoint (or recreate the existing one) and set Security configuration to the configuration created in step 2\n5. Create the endpoint to apply the setting",
"Terraform": "```hcl\n# Terraform: Enable Job Bookmark encryption and attach to the Dev Endpoint\nresource \"aws_glue_security_configuration\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n encryption_configuration {\n job_bookmarks_encryption {\n job_bookmarks_encryption_mode = \"CSE-KMS\" # Critical: enables Job Bookmark encryption\n kms_key_arn = \"<example_kms_key_arn>\" # Critical: KMS key used for Job Bookmark encryption\n }\n }\n}\n\nresource \"aws_glue_dev_endpoint\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n role_arn = \"<example_role_arn>\"\n security_configuration = aws_glue_security_configuration.<example_resource_name>.name # Critical: attach the security configuration\n}\n```"
},
"Recommendation": {
"Text": "Enable Encryption in the Security configurations.",
"Url": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html"
"Text": "Attach a **security configuration** to each development endpoint and enable **job bookmark encryption** with a managed KMS key. Apply **least privilege** to S3 and KMS, rotate keys, and align logs and data stores with consistent encryption for **defense in depth**. Regularly audit endpoints for missing or outdated configurations.",
"Url": "https://hub.prowler.com/check/glue_development_endpoints_job_bookmark_encryption_enabled"
}
},
"Categories": [
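Review bot: the Terraform `encryption_configuration` block contains only `job_bookmarks_encryption`; `cloudwatch_encryption` and `s3_encryption` are required blocks (the CloudWatch-logs hunk in this commit includes them with `DISABLED` for exactly that reason), so this snippet will fail validation. Add the two blocks. The two resources and the reference `aws_glue_security_configuration.<example_resource_name>.name` also reuse one placeholder label for two different resource types; distinct labels would read better. As in the CloudWatch hunk, the CLI goes from malformed to empty; `aws glue create-security-configuration --name <example_resource_name> --encryption-configuration '{"JobBookmarksEncryption":{"JobBookmarksEncryptionMode":"CSE-KMS","KmsKeyArn":"<kms_key_arn>"}}'` would fill it. Minor: the Recommendation's "a managed KMS key" is ambiguous between AWS-managed and customer-managed, while the other hunks say customer-managed.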


@@ -1,28 +1,34 @@
{
"Provider": "aws",
"CheckID": "glue_development_endpoints_s3_encryption_enabled",
"CheckTitle": "Check if Glue development endpoints have S3 encryption enabled.",
"CheckTitle": "Glue development endpoint has S3 encryption enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "glue",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"Description": "Check if Glue development endpoints have S3 encryption enabled.",
"Risk": "Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.",
"RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/encryption-security-configuration.html",
"Description": "**AWS Glue development endpoints** are evaluated for an attached **security configuration** with **S3 encryption**. Endpoints lacking a security configuration, or with `s3_encryption` set to `DISABLED`, are flagged by this check.",
"Risk": "Unencrypted S3 writes from dev endpoints leave ETL outputs, temp data, and scripts readable at rest. A misconfigured bucket or stolen creds can expose sensitive content, harming **confidentiality** and triggering compliance issues.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/s3-encryption-enabled.html",
"https://docs.aws.amazon.com/glue/latest/dg/encryption-security-configuration.html"
],
"Remediation": {
"Code": {
"CLI": "aws glue create-security-configuration --name s3-encrypted-sec-config --encryption-configuration {'S3Encryption': [{'S3EncryptionMode': 'SSE-KMS','KmsKeyArn': <kms_arn>}]}",
"NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#cloudformation",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/s3-encryption-enabled.html",
"Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#terraform"
"CLI": "",
"NativeIaC": "```yaml\n# CloudFormation: Glue Dev Endpoint with S3 encryption via Security Configuration\nResources:\n SecurityConfig:\n Type: AWS::Glue::SecurityConfiguration\n Properties:\n Name: <example_resource_name>\n EncryptionConfiguration:\n S3Encryptions:\n - S3EncryptionMode: SSE-S3 # CRITICAL: enables S3 encryption for the security configuration\n\n DevEndpoint:\n Type: AWS::Glue::DevEndpoint\n Properties:\n EndpointName: <example_resource_name>\n RoleArn: <example_role_arn>\n SecurityConfiguration: !Ref SecurityConfig # CRITICAL: attaches the encrypted security configuration to the dev endpoint\n```",
"Other": "1. In the AWS Console, go to AWS Glue > Security configurations > Create security configuration\n2. Under S3 encryption, select Server-side encryption (SSE-S3) and save\n3. Go to AWS Glue > Development endpoints > Create development endpoint\n4. Fill required fields and set Security configuration to the one created in step 2\n5. Create the endpoint and delete the old endpoint (without encryption) if it exists",
"Terraform": "```hcl\n# Terraform: Glue Dev Endpoint with S3 encryption\nresource \"aws_glue_security_configuration\" \"secure\" {\n name = \"<example_resource_name>\"\n encryption_configuration {\n s3_encryption {\n s3_encryption_mode = \"SSE-S3\" # CRITICAL: enables S3 encryption\n }\n }\n}\n\nresource \"aws_glue_dev_endpoint\" \"dev\" {\n name = \"<example_resource_name>\"\n role_arn = \"<example_role_arn>\"\n\n security_configuration = aws_glue_security_configuration.secure.name # CRITICAL: attaches encrypted security configuration\n}\n```"
},
"Recommendation": {
"Text": "Specify AWS KMS keys to use for input and output from S3 and EBS.",
"Url": "https://docs.aws.amazon.com/glue/latest/dg/encryption-security-configuration.html"
"Text": "Attach a **Glue security configuration** to each dev endpoint with **S3 encryption** enabled; prefer `SSE-KMS` with customer-managed keys. Enforce **least privilege** on IAM and KMS key policies, and extend encryption to logs and bookmarks for **defense in depth**.",
"Url": "https://hub.prowler.com/check/glue_development_endpoints_s3_encryption_enabled"
}
},
"Categories": [
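Review bot: same Terraform gap as the job-bookmark hunk: `encryption_configuration` has only `s3_encryption` and omits the required `cloudwatch_encryption` and `job_bookmarks_encryption` blocks. The Recommendation also says "prefer `SSE-KMS` with customer-managed keys" while both IaC snippets use `SSE-S3` with no key; either show `SSE-KMS` with `kms_key_arn = "<kms_key_arn>"` (CloudFormation: `KmsKeyArn`) or soften the recommendation. And as in the sibling hunks, the CLI becomes empty; `aws glue create-security-configuration --name <example_resource_name> --encryption-configuration '{"S3Encryption":[{"S3EncryptionMode":"SSE-KMS","KmsKeyArn":"<kms_key_arn>"}]}'` is the corrected form of the old command (`S3Encryption` is the one list-typed member, so the old brackets were right here and only the quoting was off).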


@@ -1,28 +1,35 @@
{
"Provider": "aws",
"CheckID": "glue_etl_jobs_amazon_s3_encryption_enabled",
"CheckTitle": "Check if Glue ETL Jobs have S3 encryption enabled.",
"CheckTitle": "Glue job has S3 encryption enabled",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
"Effects/Data Exposure"
],
"ServiceName": "glue",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
"Severity": "medium",
"ResourceType": "AwsGlueJob",
"Description": "Check if Glue ETL Jobs have S3 encryption enabled.",
"Risk": "If not enabled sensitive information at rest is not protected.",
"RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Other",
"Description": "**AWS Glue ETL jobs** are validated to use **Amazon S3 at-rest encryption** (`SSE-S3` or `SSE-KMS`) when writing outputs, either through an attached security configuration or via job arguments. Jobs missing a security configuration or with S3 encryption disabled are identified.",
"Risk": "Storing job outputs in S3 without **at-rest encryption** weakens **confidentiality**. Plaintext objects can be exposed via misconfigured bucket policies, compromised credentials, or media reuse, and lack **KMS key controls**, rotation, and audit trails-hindering incident response and compliance.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/s3-encryption-enabled.html"
],
"Remediation": {
"Code": {
"CLI": "aws glue create-security-configuration --name s3-encrypted-sec-config --encryption-configuration {'S3Encryption': [{'S3EncryptionMode': 'SSE-KMS','KmsKeyArn': <kms_arn>}]}",
"NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#cloudformation",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/s3-encryption-enabled.html",
"Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#terraform"
"CLI": "",
"NativeIaC": "```yaml\n# CloudFormation: Attach a Security Configuration with S3 encryption to a Glue job\nResources:\n GlueSecurityConfiguration:\n Type: AWS::Glue::SecurityConfiguration\n Properties:\n Name: <example_resource_name>\n EncryptionConfiguration:\n S3Encryptions:\n - S3EncryptionMode: SSE-S3 # CRITICAL: Enables S3 encryption for Glue outputs\n\n GlueJob:\n Type: AWS::Glue::Job\n Properties:\n Name: <example_resource_name>\n Role: <example_role_arn>\n Command:\n Name: glueetl\n ScriptLocation: s3://<example_resource_name>/script.py\n SecurityConfiguration: !Ref GlueSecurityConfiguration # CRITICAL: Applies encrypted security configuration to the job\n```",
"Other": "1. In the AWS Console, go to AWS Glue > Security configurations > Create security configuration\n2. Enable S3 encryption and choose SSE-S3 (or SSE-KMS with your key)\n3. Save the configuration\n4. Go to AWS Glue > Jobs > select your job > Edit\n5. Under Job details, set Security configuration to the encrypted configuration you created\n6. Save the job",
"Terraform": "```hcl\n# Terraform: Attach a Security Configuration with S3 encryption to a Glue job\nresource \"aws_glue_security_configuration\" \"sec\" {\n name = \"<example_resource_name>\"\n\n s3_encryption {\n s3_encryption_mode = \"SSE-S3\" # CRITICAL: Enables S3 encryption for Glue outputs\n }\n}\n\nresource \"aws_glue_job\" \"job\" {\n name = \"<example_resource_name>\"\n role_arn = \"<example_role_arn>\"\n\n command {\n script_location = \"s3://<example_resource_name>/script.py\"\n }\n\n security_configuration = aws_glue_security_configuration.sec.name # CRITICAL: Applies encrypted security configuration to the job\n}\n```"
},
"Recommendation": {
"Text": "Provide the encryption properties that are used by crawlers, jobs and development endpoints.",
"Url": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html"
"Text": "Require **S3 encryption** for all Glue jobs via security configurations, preferring **SSE-KMS**. Apply **least privilege** to KMS keys, restrict key usage and rotate regularly. Enforce defense-in-depth with bucket policies that require encrypted writes, and monitor with key and S3 access logs.",
"Url": "https://hub.prowler.com/check/glue_etl_jobs_amazon_s3_encryption_enabled"
}
},
"Categories": [
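Review bot: The Terraform snippet puts `s3_encryption { ... }` directly under `aws_glue_security_configuration`, but the provider expects it nested as `encryption_configuration { s3_encryption { ... } }` (the CloudWatch file in this same commit does it correctly), and the provider treats `cloudwatch_encryption` and `job_bookmarks_encryption` as required sibling blocks, so add them with `DISABLED` or the snippet will not apply. Blanking `"CLI"` also loses a usable fix; the old command was invalid only because of its quoting, so consider `aws glue create-security-configuration --name <example_resource_name> --encryption-configuration '{"S3Encryption":[{"S3EncryptionMode":"SSE-KMS","KmsKeyArn":"<kms_arn>"}]}'` followed by attaching it with `update-job` (noting that JobUpdate replaces the job definition, so fetch the job first and send it back whole).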

View File

@@ -1,28 +1,35 @@
{
"Provider": "aws",
"CheckID": "glue_etl_jobs_cloudwatch_logs_encryption_enabled",
"CheckTitle": "Check if Glue ETL Jobs have CloudWatch Logs encryption enabled.",
"CheckTitle": "Glue ETL job has CloudWatch Logs encryption enabled",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)"
],
"ServiceName": "glue",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsGlueJob",
"Description": "Check if Glue ETL Jobs have CloudWatch Logs encryption enabled.",
"Risk": "If not enabled sensitive information at rest is not protected.",
"RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
"Description": "**AWS Glue ETL jobs** are evaluated for a **security configuration** with **CloudWatch Logs encryption** (`SSE-KMS`) enabled. Jobs without a security configuration, or with CloudWatch Logs encryption set to `DISABLED`, are highlighted.",
"Risk": "Unencrypted Glue logs weaken **confidentiality**.\n\nLog entries can expose credentials, PII, connection strings, and schema details. Anyone with log storage access can harvest secrets for **lateral movement** and data exfiltration, widening the blast radius of compromises.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/cloud-watch-logs-encryption-enabled.html"
],
"Remediation": {
"Code": {
"CLI": "aws glue create-security-configuration --name cw-encrypted-sec-config --encryption-configuration {'CloudWatchEncryption': [{'CloudWatchEncryptionMode': 'SSE-KMS','KmsKeyArn': <kms_arn>}]}",
"NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#cloudformation",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/cloud-watch-logs-encryption-enabled.html",
"Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#terraform"
"CLI": "",
"NativeIaC": "```yaml\n# CloudFormation: enable CloudWatch Logs encryption and attach to the job\nResources:\n ExampleSecurityConfiguration:\n Type: AWS::Glue::SecurityConfiguration\n Properties:\n Name: <example_resource_name>\n EncryptionConfiguration:\n CloudWatchEncryption: # Critical: enable CloudWatch Logs encryption for Glue\n CloudWatchEncryptionMode: SSE-KMS # Critical: must not be DISABLED\n KmsKeyArn: <example_kms_key_arn> # Critical: KMS key used for encryption\n\n ExampleJob:\n Type: AWS::Glue::Job\n Properties:\n Role: <example_role_arn>\n Command:\n Name: glueetl\n ScriptLocation: s3://<example_script_path>\n SecurityConfiguration: !Ref ExampleSecurityConfiguration # Critical: attach security configuration to the job\n```",
"Other": "1. In the AWS Glue console, go to Security configurations > Add security configuration\n2. Enter a name, enable CloudWatch Logs encryption, select SSE-KMS, and choose/provide the KMS key ARN; Save\n3. Go to Jobs, select the target job, click Edit\n4. Set Security configuration to the one created in step 2\n5. Save changes",
"Terraform": "```hcl\n# Enable CloudWatch Logs encryption and attach to the Glue job\nresource \"aws_glue_security_configuration\" \"example_resource_name\" {\n name = \"<example_resource_name>\"\n\n encryption_configuration {\n cloudwatch_encryption {\n cloudwatch_encryption_mode = \"SSE-KMS\" # Critical: enable CW Logs encryption\n kms_key_arn = \"<example_kms_key_arn>\" # Critical: KMS key for encryption\n }\n }\n}\n\nresource \"aws_glue_job\" \"example_resource_name\" {\n name = \"<example_resource_name>\"\n role_arn = \"<example_role_arn>\"\n\n command {\n name = \"glueetl\"\n script_location = \"s3://<example_script_path>\"\n }\n\n security_configuration = aws_glue_security_configuration.example_resource_name.name # Critical: attach security config to job\n}\n```"
},
"Recommendation": {
"Text": "Enable Encryption in the Security configurations.",
"Url": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html"
"Text": "Enable **at-rest encryption** for Glue logs via a **security configuration** using customer-managed KMS keys. Apply **least privilege** to KMS and CloudWatch Logs, rotate keys, and require all jobs to attach an approved configuration. Embed this baseline in IaC for consistent, **defense-in-depth** coverage.",
"Url": "https://hub.prowler.com/check/glue_etl_jobs_cloudwatch_logs_encryption_enabled"
}
},
"Categories": [
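Review bot: `"ResourceType": "AwsGlueJob"` is left unchanged here while the S3-encryption, bookmark and logging files in this same commit switch to `"Other"`; the four job checks should agree on one value. The Terraform snippet shares the provider caveat raised on the S3 file: `encryption_configuration` also expects `job_bookmarks_encryption` and `s3_encryption` blocks, so add them (set to `DISABLED`) to keep the example applyable. And as with the S3 file, an empty `"CLI"` is a regression; `aws glue create-security-configuration --name <example_resource_name> --encryption-configuration '{"CloudWatchEncryption":{"CloudWatchEncryptionMode":"SSE-KMS","KmsKeyArn":"<kms_arn>"}}'` (a single object, not a list as the old command had it) would do.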

View File

@@ -1,28 +1,33 @@
{
"Provider": "aws",
"CheckID": "glue_etl_jobs_job_bookmark_encryption_enabled",
"CheckTitle": "Check if Glue ETL Jobs have Job bookmark encryption enabled.",
"CheckTitle": "Glue ETL job has Job bookmark encryption enabled",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "glue",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:glue:region:account-id:certificate/resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsGlueJob",
"Description": "Check if Glue ETL Jobs have Job bookmark encryption enabled.",
"Risk": "If not enabled sensitive information at rest is not protected.",
"RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
"ResourceType": "Other",
"Description": "**AWS Glue ETL jobs** should link a **security configuration** with **job bookmark encryption** enabled. Bookmark encryption must not be `DISABLED` (e.g., use `CSE-KMS`). Jobs lacking a security configuration are treated as not protecting bookmark metadata.",
"Risk": "Unencrypted **job bookmarks** in S3 expose execution state and data pointers, reducing **confidentiality**. Altered bookmarks can trigger reruns, skips, or reprocessing, harming **integrity**. Missing security configs may also leave logs and temporary objects unencrypted.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/job-bookmark-encryption-enabled.html"
],
"Remediation": {
"Code": {
"CLI": "aws glue create-security-configuration --name jb-encrypted-sec-config --encryption-configuration {'JobBookmarksEncryption': [{'JobBookmarksEncryptionMode': 'SSE-KMS','KmsKeyArn': <kms_arn>}]}",
"NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#cloudformation",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Glue/job-bookmark-encryption-enabled.html",
"Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_41#terraform"
"CLI": "",
"NativeIaC": "```yaml\n# CloudFormation: Enable Glue Job bookmark encryption via Security Configuration\nResources:\n <example_resource_name>:\n Type: AWS::Glue::SecurityConfiguration\n Properties:\n Name: <example_resource_name>\n EncryptionConfiguration:\n JobBookmarksEncryption:\n JobBookmarksEncryptionMode: CSE-KMS # CRITICAL: Enables job bookmark encryption\n KmsKeyArn: <example_kms_key_arn> # CRITICAL: KMS key used to encrypt job bookmarks\n```",
"Other": "1. In the AWS Console, go to AWS Glue > Security configurations > Add security configuration\n2. Enter a name and under Advanced settings enable Job bookmark encryption\n3. Select a KMS key (or paste the key ARN) and click Create\n4. Go to AWS Glue > Jobs, select the job, click Edit\n5. Under Advanced properties, set Security configuration to the one created above\n6. Click Save",
"Terraform": "```hcl\n# Terraform: Enable Glue Job bookmark encryption via Security Configuration\nresource \"aws_glue_security_configuration\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n encryption_configuration {\n job_bookmarks_encryption {\n job_bookmarks_encryption_mode = \"CSE-KMS\" # CRITICAL: Enables job bookmark encryption\n kms_key_arn = \"<example_kms_key_arn>\" # CRITICAL: KMS key for bookmarks\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable Encryption in the Security configurations.",
"Url": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html"
"Text": "Attach a **Glue security configuration** to every job and enable **job bookmark encryption** (e.g., `CSE-KMS`). Use **customer-managed KMS keys**, enforce **least privilege** on key usage, and rotate keys. For **defense in depth**, also encrypt **S3 temp data** and **CloudWatch logs** in the same configuration.",
"Url": "https://hub.prowler.com/check/glue_etl_jobs_job_bookmark_encryption_enabled"
}
},
"Categories": [
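Review bot: The CloudFormation and Terraform snippets only create the security configuration and never attach it to a job, unlike the S3 and CloudWatch files in this commit which include an `AWS::Glue::Job` / `aws_glue_job` with `SecurityConfiguration` set; since the Description says jobs lacking a configuration fail, the remediation is incomplete without that step. Also note the Terraform `encryption_configuration` block requires the `cloudwatch_encryption` and `s3_encryption` siblings as well. The old CLI was wrong in wrapping `JobBookmarksEncryption` in a list, but rather than blanking it, the corrected form `--encryption-configuration '{"JobBookmarksEncryption":{"JobBookmarksEncryptionMode":"CSE-KMS","KmsKeyArn":"<kms_arn>"}}'` would be more useful to readers.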

View File

@@ -1,28 +1,34 @@
{
"Provider": "aws",
"CheckID": "glue_etl_jobs_logging_enabled",
"CheckTitle": "[DEPRECATED] Check if Glue ETL Jobs have logging enabled.",
"CheckTitle": "Glue ETL job has continuous CloudWatch logging enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "glue",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:glue:region:account-id:job/job-name",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsGlueJob",
"Description": "[DEPRECATED] Ensure that Glue ETL Jobs have CloudWatch logs enabled.",
"Risk": "Without logging enabled, AWS Glue jobs lack visibility into job activities and failures, making it difficult to detect unauthorized access, troubleshoot issues, and ensure compliance. This may result in untracked security incidents or operational issues that affect data processing.",
"RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/monitor-continuous-logging.html",
"ResourceType": "Other",
"Description": "**AWS Glue jobs** are assessed for **continuous CloudWatch logging**, confirming that runtime events and outputs are sent to **CloudWatch Logs** via the `--enable-continuous-cloudwatch-log` configuration.",
"Risk": "Missing job logs hide execution details and access patterns, enabling undetected credential abuse, data exfiltration in scripts, or tampering with transforms. This reduces confidentiality and integrity, hinders incident response, and can mask failures that impact availability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/glue/latest/dg/monitor-continuous-logging.html",
"https://docs.aws.amazon.com/glue/latest/dg/monitor-continuous-logging-enable.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/glue-controls.html#glue-2"
],
"Remediation": {
"Code": {
"CLI": "aws glue update-job --job-name <job-name> --job-update \"Command={DefaultArguments={--enable-continuous-cloudwatch-log=true}}\"",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/glue-controls.html#glue-2",
"Terraform": ""
"CLI": "aws glue update-job --job-name <example_resource_name> --job-update '{\"DefaultArguments\":{\"--enable-continuous-cloudwatch-log\":\"true\"}}'",
"NativeIaC": "```yaml\nResources:\n GlueJob:\n Type: AWS::Glue::Job\n Properties:\n Role: \"<example_resource_id>\"\n Command:\n Name: glueetl\n ScriptLocation: \"s3://<example_resource_name>/script.py\"\n DefaultArguments:\n \"--enable-continuous-cloudwatch-log\": \"true\" # Critical: enables continuous CloudWatch logging to pass the check\n```",
"Other": "1. Open the AWS Glue console and go to Jobs\n2. Select the job and click Edit\n3. Expand Advanced properties\n4. Under Continuous logging, check Enable logs in CloudWatch\n5. Save",
"Terraform": "```hcl\nresource \"aws_glue_job\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n role_arn = \"<example_resource_id>\"\n\n command {\n script_location = \"s3://<example_resource_name>/script.py\"\n }\n\n default_arguments = {\n \"--enable-continuous-cloudwatch-log\" = \"true\" # Critical: enables continuous CloudWatch logging to pass the check\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable logging for AWS Glue jobs to capture and monitor job events. Logging allows for better visibility into job performance, error detection, and security oversight.",
"Url": "https://docs.aws.amazon.com/glue/latest/dg/monitor-continuous-logging-enable.html"
"Text": "Enable **continuous logging** to **CloudWatch Logs** for all Glue jobs. Centralize logs with retention and KMS encryption, restrict read access, and alert on anomalies and failures. Apply **least privilege** to job roles and use **defense in depth** by correlating logs across services.",
"Url": "https://hub.prowler.com/check/glue_etl_jobs_logging_enabled"
}
},
"Categories": [
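Review bot: The `[DEPRECATED]` marker is removed from both CheckTitle and Description, but nothing in the commit or the CHANGELOG entry ("Update AWS Glue service metadata to new format") says the check is being un-deprecated; either keep the marker or record the status change explicitly. On the CLI, `update-job` takes a full JobUpdate that replaces the existing definition, so passing only `{"DefaultArguments":{...}}` risks dropping `Command`, `Role` and other settings; suggest fetching the job with `get-job`, adding the argument, and sending the whole definition back, or say so in the text. Minor: the role placeholder here is `<example_resource_id>` while the other files use `<example_role_arn>`.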

View File

@@ -1,26 +1,34 @@
{
"Provider": "aws",
"CheckID": "glue_ml_transform_encrypted_at_rest",
"CheckTitle": "Check if Glue ML Transform Encryption at Rest is Enabled",
"CheckType": [],
"CheckTitle": "Glue ML Transform is encrypted at rest",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)"
],
"ServiceName": "glue",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:glue:region:account-id:mlTransform/transform-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"Description": "This control checks whether an AWS Glue machine learning transform is encrypted at rest. The control fails if the machine learning transform isn't encrypted at rest.",
"Risk": "Data at rest refers to data that's stored in persistent, non-volatile storage for any duration. Encrypting data at rest helps you protect its confidentiality, which reduces the risk that an unauthorized user can access it.",
"RelatedUrl": "https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html",
"Description": "**AWS Glue ML transforms** are evaluated for **encryption at rest** of transform user data using **KMS keys**. The finding highlights transforms where encryption is not configured.",
"Risk": "Without encryption, **confidentiality** is weakened: transform artifacts, mappings, and sample datasets may be readable via storage access, backups, or cross-account exposure. This can lead to data disclosure and aid **lateral movement** by revealing schemas and data relationships.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/glue-controls.html#glue-3"
],
"Remediation": {
"Code": {
"CLI": "aws glue update-ml-transform --transform-id <transform-id> --encryption-at-rest {\"Enabled\":true,\"KmsKey\":\"<kms-key-arn>\"}",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/glue-controls.html#glue-3",
"Terraform": ""
"CLI": "aws glue update-ml-transform --transform-id <transform-id> --transform-encryption '{\"MlUserDataEncryption\":{\"MlUserDataEncryptionMode\":\"SSE-KMS\",\"KmsKeyId\":\"<kms-key-arn>\"}}'",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::Glue::MLTransform\n Properties:\n Role: <example_resource_id>\n InputRecordTables:\n - DatabaseName: <example_resource_name>\n TableName: <example_resource_name>\n TransformParameters:\n TransformType: FIND_MATCHES\n FindMatchesParameters:\n PrimaryKeyColumnName: <example_resource_name>\n TransformEncryption:\n MlUserDataEncryption:\n MlUserDataEncryptionMode: SSE-KMS # Critical: enables ML user data encryption at rest\n KmsKeyId: <kms-key-arn> # Critical: KMS key used for encryption\n```",
"Other": "1. In the AWS Management Console, open AWS Glue\n2. Go to Machine learning > Transforms and select the target transform\n3. Click Edit\n4. Under Encryption, enable ML user data encryption\n5. Choose an AWS KMS key\n6. Save changes",
"Terraform": "```hcl\nresource \"aws_glue_ml_transform\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n role_arn = \"<example_resource_id>\"\n\n input_record_tables {\n database_name = \"<example_resource_name>\"\n table_name = \"<example_resource_name>\"\n }\n\n parameters {\n transform_type = \"FIND_MATCHES\"\n find_matches_parameters {\n primary_key_column_name = \"<example_resource_name>\"\n }\n }\n\n transform_encryption {\n ml_user_data_encryption {\n ml_user_data_encryption_mode = \"SSE-KMS\" # Critical: enables encryption at rest\n kms_key_id = \"<kms-key-arn>\" # Critical: KMS key used for encryption\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable encryption at rest for Glue ML Transforms using AWS KMS keys.",
"Url": "https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html"
"Text": "Enable **KMS-backed encryption at rest** for all ML transforms and prefer **customer-managed keys**.\n- Apply **least privilege** key policies and rotate keys\n- Enforce **defense in depth** with network and IAM controls\n- Monitor key usage and transform access with audit logs",
"Url": "https://hub.prowler.com/check/glue_ml_transform_encrypted_at_rest"
}
},
"Categories": [
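Review bot: `ResourceIdTemplate` is blanked even though the previous value `arn:aws:glue:region:account-id:mlTransform/transform-id` was a correct template (only the hard-coded `aws` partition needed generalizing), and the same applies to `job/job-name` in the logging file; the earlier `certificate/resource-id` values were wrong, but these two were not, so consider keeping them. Please also verify the CLI: as far as I know `TransformEncryption` is accepted by `create-ml-transform` but not by `update-ml-transform`, in which case the remediation for an existing transform is to recreate it, and the console steps in `"Other"` (Edit > Encryption) would need the same correction. Likewise confirm the Terraform provider's `aws_glue_ml_transform` supports a `transform_encryption` block before shipping that snippet.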