
Glue data catalog connection password encryption should be enabled

Glue Data Catalog connections store credentials for JDBC and other data sources. Without connection password encryption, GetConnection and GetConnections return those passwords in plaintext to any principal allowed to call them, so a single overly broad IAM policy can expose database credentials across your entire data pipeline.

Enabling connection password encryption with a KMS key adds a second authorization layer. Glue encrypts the password with the key on write, and with return_connection_password_encrypted set the API hands it back still encrypted, so a principal that can read the connection object also needs kms:Decrypt on that specific key to recover the actual password. Requiring both permissions significantly limits the blast radius of a broad Glue read grant.

Retrofit consideration

Enabling connection password encryption on an existing catalog does not retroactively re-encrypt stored passwords. Each existing aws_glue_connection must be updated (or touched via update-connection) to trigger re-encryption with the KMS key. Plan for a connection update pass before considering this control satisfied.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_glue_data_catalog_encryption_settings.

# One instance per account per region: the Data Catalog is a regional singleton.
resource "aws_glue_data_catalog_encryption_settings" "this" {
  data_catalog_encryption_settings {
    # Connection passwords are encrypted on write with this key and returned
    # encrypted by GetConnection; readers need kms:Decrypt on the key.
    connection_password_encryption {
      aws_kms_key_id                       = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012" # placeholder, reference your own key
      return_connection_password_encrypted = true
    }

    # Separate setting: encrypts catalog object metadata at rest. Not required
    # by this control, but auditors checking full catalog encryption expect it.
    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    }
  }
}

What this control checks

The control checks aws_glue_data_catalog_encryption_settings. Within data_catalog_encryption_settings, the connection_password_encryption block must set return_connection_password_encrypted to true and supply a valid KMS key ARN in aws_kms_key_id. It fails when return_connection_password_encrypted is false or absent, or when aws_kms_key_id is missing. Because each AWS account has one Data Catalog per region, this resource is a singleton and the setting applies account-wide within that region.

Common pitfalls

  • Missing KMS key policy for Glue service

    Connections fail at runtime if the KMS key referenced by aws_kms_key_id does not grant the operations Glue needs: kms:Encrypt to whoever creates or updates connections (Glue encrypts the password on write) and kms:Decrypt to the IAM roles your crawlers and jobs use to read it. Both the key policy and the caller's IAM policy have to allow this. The encryption setting itself passes policy validation while the connections are silently broken.

  • Encryption settings are per-region singletons

    The aws_glue_data_catalog_encryption_settings resource is a singleton per account per region. If multiple Terraform stacks manage Glue resources in the same region, only one should own this resource. Splitting ownership across state files causes drift and apply conflicts.

  • Existing connections not automatically re-encrypted

    Turning on return_connection_password_encrypted doesn't touch existing connection passwords. To re-encrypt them, update each aws_glue_connection resource in Terraform or call update-connection via the API. Skip this step and old connections will carry unencrypted passwords while the setting shows compliant.

  • Omitting the encryption_at_rest block

    Passing this control means connection passwords are encrypted, not that the full catalog is. The encryption_at_rest block with catalog_encryption_mode = "SSE-KMS" (and a sse_aws_kms_key_id) is a separate setting covering catalog object metadata. Auditors checking for full catalog encryption will look at both blocks.
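The key-policy pitfall and the re-encryption pass above, worked as one added example that is not the page's, Compliance.tf's or AWS's own code. It assumes boto3 for the live calls, a hypothetical password_source(name) callback into your own secret store (UpdateConnection needs the password re-submitted for Glue to encrypt it with the key), and a deliberately simplified key-policy reading that counts only unconditional Allow statements naming the principal, ignoring Condition blocks and IAM identity policies. The role ARNs, key policy and connection record are constructed for the example.

```python
"""Retrofit pass: preflight the KMS key policy, then touch every connection so
Glue re-encrypts its password under the configured key (added example)."""
import fnmatch

# Fields UpdateConnection accepts in ConnectionInput; everything else on a
# GetConnection response (CreationTime, LastUpdatedBy, Status, ...) is read-only.
CONNECTION_INPUT_FIELDS = ("Name", "Description", "ConnectionType", "MatchCriteria",
                           "ConnectionProperties", "PhysicalConnectionRequirements")


def _principals(stmt):
    """Normalise a statement's Principal to a list of AWS principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def allowed_actions(key_policy, principal_arn, wanted=("kms:Encrypt", "kms:Decrypt")):
    """Subset of `wanted` that the key policy explicitly allows for principal_arn.
    Simplified: only unconditional Allow statements naming the principal (or "*")
    count. A root-principal statement merely delegates to IAM identity policies,
    which this check does not evaluate, so it is not counted."""
    granted = set()
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not any(p in ("*", principal_arn) for p in _principals(stmt)):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for want in wanted:
            if any(fnmatch.fnmatchcase(want.lower(), a.lower()) for a in actions):
                granted.add(want)
    return sorted(granted)


def preflight(key_policy, required):
    """Map each principal in `required` to the actions the key policy fails to grant."""
    missing = {}
    for arn, actions in required.items():
        gap = sorted(set(actions) - set(allowed_actions(key_policy, arn, tuple(actions))))
        if gap:
            missing[arn] = gap
    return missing


def build_connection_input(connection, password):
    """Reduce a GetConnection 'Connection' to an UpdateConnection 'ConnectionInput'.
    The plaintext password is re-submitted; Glue encrypts it on write."""
    spec = {k: connection[k] for k in CONNECTION_INPUT_FIELDS if k in connection}
    props = dict(spec.get("ConnectionProperties", {}))
    props.pop("ENCRYPTED_PASSWORD", None)  # never resubmit a ciphertext as the password
    if password is not None:
        props["PASSWORD"] = password
    spec["ConnectionProperties"] = props
    return spec


def reencrypt_all(glue, key_policy, required, password_source):
    """Run the pass on a live account. `glue` is a boto3 Glue client (assumed);
    `password_source(name)` is a hypothetical callback into your secret store
    returning the plaintext password, or None for connections without one."""
    gaps = preflight(key_policy, required)
    if gaps:
        raise RuntimeError(f"fix the key policy first: {gaps}")
    touched = []
    for page in glue.get_paginator("get_connections").paginate(HidePassword=True):
        for conn in page["ConnectionList"]:
            password = password_source(conn["Name"])
            if password is None:
                continue  # nothing to re-encrypt (e.g. NETWORK connections)
            glue.update_connection(Name=conn["Name"],
                                   ConnectionInput=build_connection_input(conn, password))
            touched.append(conn["Name"])
    return touched


# Constructed samples for offline use (not real account data).
ACCOUNT = "123456789012"
JOB_ROLE = f"arn:aws:iam::{ACCOUNT}:role/GlueJobRole"
CRAWLER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/GlueCrawlerRole"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/DataPlatformAdmin"
REQUIRED = {ADMIN_ROLE: ("kms:Encrypt", "kms:Decrypt"),   # creates/updates connections
            JOB_ROLE: ("kms:Decrypt",), CRAWLER_ROLE: ("kms:Decrypt",)}  # read at runtime
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ADMIN_ROLE},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": [JOB_ROLE]}, "Action": "kms:Decrypt", "Resource": "*"},
    # GlueCrawlerRole was forgotten: crawlers using the connection will fail at runtime.
]}
SAMPLE_CONNECTION = {
    "Name": "orders-postgres", "ConnectionType": "JDBC",
    "ConnectionProperties": {"JDBC_CONNECTION_URL": "jdbc:postgresql://db.internal:5432/orders",
                             "USERNAME": "glue_reader"},
    "CreationTime": "2024-01-01T00:00:00Z", "LastUpdatedBy": ADMIN_ROLE,
}

if __name__ == "__main__":
    print("key policy gaps:", preflight(KEY_POLICY, REQUIRED))
    print("update input:", build_connection_input(SAMPLE_CONNECTION, "<from-secret-store>"))
```

Run the preflight before the pass, not after: an UpdateConnection issued without kms:Encrypt fails for the operator, while a missing kms:Decrypt only surfaces later when a crawler or job opens the connection.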

Audit evidence

The primary artifact is aws glue get-data-catalog-encryption-settings output showing DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted: true and a populated AwsKmsKeyId, captured per region. If AWS Config is deployed, the glue-data-catalog-connection-password-encryption-enabled rule provides continuous compliance evidence without manual CLI checks. Console screenshots of the Glue Data Catalog settings page work as point-in-time proof.

CloudTrail logs for PutDataCatalogEncryptionSettings show when encryption was enabled and by whom, which is what auditors need to establish change history.
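The decision logic in "What this control checks" and the CLI artifact above, as an added example that is not the page's, Compliance.tf's or AWS's own code: a small Python evaluator that applies the control to a get-data-catalog-encryption-settings response and emits an evidence line per region. It assumes boto3 for the live fetch only; the JSON samples are constructed to match the CLI's output shape, and the ARN check follows the control's wording that aws_kms_key_id must be a full KMS key ARN.

```python
"""Evaluate get-data-catalog-encryption-settings output against this control
(added example; samples are constructed, not real account output)."""
import re

# Key ARN shape: arn:<partition>:kms:<region>:<account>:key/<uuid>
KMS_KEY_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)*:kms:[a-z0-9-]+:\d{12}:key/"
    r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)


def evaluate(response):
    """Apply the control to one region's response (the CLI/boto3 dict).
    Passes only when ReturnConnectionPasswordEncrypted is true AND AwsKmsKeyId
    is a well-formed KMS key ARN. The at-rest mode is reported for the auditor
    but does not affect the verdict, since that is a separate control."""
    settings = response.get("DataCatalogEncryptionSettings", {})
    cpe = settings.get("ConnectionPasswordEncryption") or {}
    reasons = []
    if cpe.get("ReturnConnectionPasswordEncrypted") is not True:
        reasons.append("ReturnConnectionPasswordEncrypted is false or absent")
    key_id = cpe.get("AwsKmsKeyId")
    if not key_id:
        reasons.append("AwsKmsKeyId is missing")
    elif not KMS_KEY_ARN.match(key_id):
        reasons.append(f"AwsKmsKeyId is not a KMS key ARN: {key_id!r}")
    at_rest = (settings.get("EncryptionAtRest") or {}).get("CatalogEncryptionMode", "DISABLED")
    return {"compliant": not reasons, "reasons": reasons, "catalog_at_rest": at_rest}


def evidence_line(region, response):
    """One-line audit record per region, suitable for an evidence log."""
    verdict = evaluate(response)
    status = "PASS" if verdict["compliant"] else "FAIL"
    detail = "; ".join(verdict["reasons"]) or f"catalog_at_rest={verdict['catalog_at_rest']}"
    return f"{region} glue_connection_password_encryption {status} {detail}"


def fetch(region):
    """Live lookup with boto3 (assumed installed and credentialed; the offline
    samples below do not use it)."""
    import boto3  # assumption: boto3 available
    return boto3.client("glue", region_name=region).get_data_catalog_encryption_settings()


# Constructed samples mirroring the CLI output shape.
KEY = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
COMPLIANT = {"DataCatalogEncryptionSettings": {
    "EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS", "SseAwsKmsKeyId": KEY},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": True, "AwsKmsKeyId": KEY}}}
PASSWORD_ONLY = {"DataCatalogEncryptionSettings": {   # passes this control, catalog not at rest
    "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": True, "AwsKmsKeyId": KEY}}}
FLAG_OFF = {"DataCatalogEncryptionSettings": {
    "EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS", "SseAwsKmsKeyId": KEY},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False, "AwsKmsKeyId": KEY}}}
NO_KEY = {"DataCatalogEncryptionSettings": {
    "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": True}}}
DEFAULT = {"DataCatalogEncryptionSettings": {          # untouched account/region
    "EncryptionAtRest": {"CatalogEncryptionMode": "DISABLED"},
    "ConnectionPasswordEncryption": {"ReturnConnectionPasswordEncrypted": False}}}

if __name__ == "__main__":
    for name, sample in [("compliant", COMPLIANT), ("password-only", PASSWORD_ONLY),
                         ("flag-off", FLAG_OFF), ("no-key", NO_KEY), ("default", DEFAULT)]:
        print(evidence_line(name, sample))
```

Because the Data Catalog is a per-region singleton, point fetch() at every enabled region; a single compliant region is not evidence for the account.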


Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: glue_data_catalog_encryption_settings_password_encryption_enabled

  • Checkov Check: CKV_AWS_94

  • Powerpipe Control: aws_compliance.control.glue_data_catalog_encryption_settings_password_encryption_enabled

  • Prowler Check: glue_data_catalogs_connection_passwords_encryption_enabled

Last reviewed: 2026-03-09