Glue data catalog metadata encryption should be enabled

The Glue Data Catalog stores metadata about databases, tables, columns, partitions, and connection properties. This metadata often reveals sensitive details about your data architecture, including column names like ssn, credit_card_number, or patient_id, database naming conventions, and S3 paths containing environment or account identifiers. Leaving it unencrypted means anyone with access to the underlying storage layer can read your full schema inventory.

Encrypting catalog metadata with KMS also enables key-policy-based access control and CloudTrail logging of decryption events, giving you an additional authorization boundary beyond IAM permissions on the Glue API itself.

Retrofit consideration

Enabling encryption on an existing Data Catalog is a one-time setting change. Existing metadata is encrypted in place from that point forward. The catch is permissions: every IAM role or service that reads the catalog now needs kms:Decrypt on the chosen KMS key. Miss one, and Glue jobs, Athena queries, or EMR clusters start throwing AccessDeniedException without any other warning.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_glue_data_catalog_encryption_settings.

resource "aws_glue_data_catalog_encryption_settings" "this" {
  data_catalog_encryption_settings {
    connection_password_encryption {
      aws_kms_key_id                       = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
      return_connection_password_encrypted = true
    }

    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    }
  }
}

What this control checks

The control validates aws_glue_data_catalog_encryption_settings. It checks that the data_catalog_encryption_settings block contains an encryption_at_rest block with catalog_encryption_mode set to "SSE-KMS". Setting it to "DISABLED" or omitting the block fails the check. When catalog_encryption_mode is "SSE-KMS", sse_aws_kms_key_id must reference a valid KMS key ARN; without one, the API call itself will fail. There is only one aws_glue_data_catalog_encryption_settings resource per account per region, so this is an account-wide setting rather than a per-table configuration.
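The check described above, expressed as a script over `terraform show -json` plan output (an added example, not the Compliance.tf project's own checker; `check_catalog_encryption` and `_plan` are names chosen here, and the script only inspects the root module). The constructed cases cover the compliant resource, `DISABLED` mode, and the pitfall of configuring only `connection_password_encryption`.

```python
"""Evaluate this control against `terraform show -json` plan output.

Added example, not the Compliance.tf project's own checker. Plan JSON puts root
resources under planned_values.root_module.resources and serialises nested
blocks as lists of objects; the sample plans below are constructed.
"""
RESOURCE_TYPE = "aws_glue_data_catalog_encryption_settings"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"


def check_catalog_encryption(plan: dict) -> list[str]:
    """Return findings for the root module; an empty list means the control passes."""
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    targets = [r for r in resources if r.get("type") == RESOURCE_TYPE]
    if not targets:
        return [f"no {RESOURCE_TYPE} resource in plan: catalog encryption is unmanaged"]
    findings = []
    for res in targets:
        addr = res.get("address", RESOURCE_TYPE)
        settings = (res.get("values") or {}).get("data_catalog_encryption_settings") or []
        at_rest = settings[0].get("encryption_at_rest") if settings else None
        if not at_rest:
            # Also catches the pitfall of configuring only connection_password_encryption.
            findings.append(f"{addr}: encryption_at_rest block missing")
            continue
        mode = at_rest[0].get("catalog_encryption_mode")
        if mode != "SSE-KMS":
            findings.append(f"{addr}: catalog_encryption_mode is {mode!r}, expected 'SSE-KMS'")
        elif not at_rest[0].get("sse_aws_kms_key_id"):
            findings.append(f"{addr}: SSE-KMS selected but sse_aws_kms_key_id is empty")
    return findings


def _plan(values: dict) -> dict:
    """Build a minimal plan document around one resource (constructed test input)."""
    return {"planned_values": {"root_module": {"resources": [
        {"address": f"{RESOURCE_TYPE}.this", "type": RESOURCE_TYPE, "values": values}]}}}


COMPLIANT = _plan({"data_catalog_encryption_settings": [{
    "connection_password_encryption": [{"aws_kms_key_id": KEY_ARN, "return_connection_password_encrypted": True}],
    "encryption_at_rest": [{"catalog_encryption_mode": "SSE-KMS", "sse_aws_kms_key_id": KEY_ARN}]}]})
DISABLED = _plan({"data_catalog_encryption_settings": [{
    "connection_password_encryption": [],
    "encryption_at_rest": [{"catalog_encryption_mode": "DISABLED", "sse_aws_kms_key_id": None}]}]})
PASSWORD_ONLY = _plan({"data_catalog_encryption_settings": [{
    "connection_password_encryption": [{"aws_kms_key_id": KEY_ARN, "return_connection_password_encrypted": True}],
    "encryption_at_rest": []}]})
```

Feed it the output of `terraform show -json plan.out` to gate a pipeline before the singleton setting is applied.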

Common pitfalls

  • Key policy missing Glue service principal

    Glue jobs and crawlers will throw AccessDeniedException against catalog metadata if the key policy doesn't grant kms:Decrypt and kms:GenerateDataKey to the Glue service. Add "Service": "glue.amazonaws.com" to the key policy, or grant those permissions explicitly to the IAM roles your jobs run as.

  • Cross-service access breakage

    Athena, EMR, Redshift Spectrum, and Lake Formation all read the Glue Data Catalog. Once SSE-KMS is on, every service principal and IAM role calling GetTable, GetDatabase, or GetPartitions needs kms:Decrypt on the key. Catalogs that were previously unencrypted make this easy to overlook until something breaks in a pipeline you didn't expect to touch.

  • Confusing metadata encryption with connection password encryption

    aws_glue_data_catalog_encryption_settings has two separate blocks: encryption_at_rest for metadata and connection_password_encryption for JDBC connection passwords. This control only validates encryption_at_rest. Configuring only connection_password_encryption won't satisfy it.

  • Singleton resource causes Terraform import issues

    If encryption was enabled via the console or CLI before Terraform managed it, terraform apply will fail with a conflict error. Run terraform import aws_glue_data_catalog_encryption_settings.example <catalog_id> (the catalog ID is typically your AWS account ID) to bring the existing resource under Terraform state before making any changes.

Audit evidence

The primary evidence is aws glue get-data-catalog-encryption-settings showing CatalogEncryptionMode as SSE-KMS with a populated SseAwsKmsKeyId. If the glue-catalog-encryption-enabled Config rule is active, its evaluation history shows continuous enforcement over time. CloudTrail logs for PutDataCatalogEncryptionSettings document when encryption was enabled and by whom.

Supporting evidence includes the KMS key policy showing that Glue service principals and the relevant IAM roles have kms:Decrypt and kms:GenerateDataKey, plus key rotation status for the referenced key.
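Collecting the primary and supporting evidence above in one pass, as an added example (not the page's or any tool's own code): `audit_catalog_encryption` reads the JSON from `aws glue get-data-catalog-encryption-settings`, and `glue_can_use_key` checks the KMS key policy for the `kms:Decrypt` and `kms:GenerateDataKey` grants to the Glue service principal or to the roles you pass in. Function names and both sample documents are constructed here; only Allow statements are evaluated.

```python
"""Audit the live catalog setting and the KMS key policy behind it (added example,
not the page's own code). Inputs are the JSON returned by `aws glue
get-data-catalog-encryption-settings` and `aws kms get-key-policy`; both samples
are constructed. Only Allow statements are examined, Deny and Condition are not,
so a pass is a prerequisite check rather than a full IAM simulation."""
import fnmatch

KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}
GLUE_PRINCIPAL = "glue.amazonaws.com"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def glue_can_use_key(policy: dict, role_arns=()) -> bool:
    """True if Allow statements grant every required action to the Glue service
    principal or to one of role_arns (IAM action matching is case-insensitive
    and honours '*' wildcards such as kms:* or kms:Generate*)."""
    granted = set()
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue  # skips malformed statements and the wildcard "*" principal
        services = _as_list(principal.get("Service", []))
        accounts = _as_list(principal.get("AWS", []))
        if GLUE_PRINCIPAL not in services and not set(accounts) & set(role_arns):
            continue
        for pattern in _as_list(st.get("Action", [])):
            granted |= {a for a in REQUIRED_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return REQUIRED_ACTIONS <= granted

def audit_catalog_encryption(settings: dict, key_policy: dict, role_arns=()) -> dict:
    """Combine the primary evidence (mode + key) with the supporting evidence (key policy)."""
    at_rest = settings.get("DataCatalogEncryptionSettings", {}).get("EncryptionAtRest", {})
    key_id = at_rest.get("SseAwsKmsKeyId")
    return {
        "metadata_encrypted": at_rest.get("CatalogEncryptionMode") == "SSE-KMS" and bool(key_id),
        "key_id": key_id,
        "glue_can_decrypt": glue_can_use_key(key_policy, role_arns),
    }

SETTINGS = {"DataCatalogEncryptionSettings": {
    "EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS", "SseAwsKmsKeyId": KEY_ARN},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": True, "AwsKmsKeyId": KEY_ARN}}}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdmin", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "GlueCatalog", "Effect": "Allow", "Principal": {"Service": "glue.amazonaws.com"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]}
```

A result with `metadata_encrypted` true but `glue_can_decrypt` false is exactly the state that produces the `AccessDeniedException` described under Retrofit consideration.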

Framework-specific interpretation

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: glue_data_catalog_encryption_settings_metadata_encryption_enabled

  • Checkov Check: CKV_AWS_94

  • Powerpipe Control: aws_compliance.control.glue_data_catalog_encryption_settings_metadata_encryption_enabled

  • Prowler Check: glue_data_catalogs_metadata_encryption_enabled

  • KICS Query: 01d50b14-e933-4c99-b314-6d08cd37ad35

Last reviewed: 2026-03-09