
Glue jobs bookmarks encryption should be enabled

Glue job bookmarks store processing checkpoints that reveal which data partitions, keys, and offsets your ETL pipelines have consumed. Without encryption, this metadata sits in plaintext and can expose your data catalog structure, S3 paths, and processing patterns to anyone with access to the underlying storage.

With CSE-KMS, Glue encrypts bookmark data under your KMS key before it is written to the bookmark store, so the key policy decides who can read checkpoints, and every decryption is a KMS API call that CloudTrail records.

Retrofit consideration

Glue security configurations are immutable after creation. Changing encryption settings requires a new aws_glue_security_configuration resource, and every affected Glue job must be updated to reference it by name, which means redeploying those jobs.

Implementation

Use the AWS provider resources directly; the provider documentation for aws_glue_security_configuration covers every argument used below.

resource "aws_glue_security_configuration" "this" {
  encryption_configuration {
    # Job run logs: the CloudWatch Logs service encrypts the log group with this key.
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "SSE-KMS"
      kms_key_arn                = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    }

    # Bookmark checkpoints: client-side encryption under this key.
    # The only accepted modes are "CSE-KMS" and "DISABLED".
    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "CSE-KMS"
      kms_key_arn                   = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    }

    # Data the job writes to S3: server-side encryption with this key.
    s3_encryption {
      kms_key_arn        = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
      s3_encryption_mode = "SSE-KMS"
    }
  }
  name = "pofix-abc123"
}

What this control checks

The control checks that aws_glue_security_configuration has an encryption_configuration block containing job_bookmarks_encryption with job_bookmarks_encryption_mode set to "CSE-KMS". Glue supports only "CSE-KMS" and "DISABLED" for bookmark encryption; "DISABLED" or an absent job_bookmarks_encryption block both fail. When mode is "CSE-KMS", kms_key_arn must reference a valid KMS key. Each aws_glue_job must also set security_configuration to the configuration name; without that reference, the encryption setting has no effect on that job's bookmarks.
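The wiring the Implementation section leaves implicit, together with the check described above expressed as a plan-time assertion, as an added example (this is not the page's own code and not a Compliance.tf module): a customer-managed key whose policy grants the Glue job role the KMS operations bookmark encryption needs, the security configuration, and a job that references it by name and carries a lifecycle precondition that fails terraform plan if the referenced configuration does not use CSE-KMS for bookmarks. The resource and job names, the us-east-1 region, the IAM role, the script bucket and the worker settings are assumptions.

```hcl
data "aws_caller_identity" "current" {}

# Assumed job role. KMS access comes from the key policy below, nothing more is needed here.
resource "aws_iam_role" "glue_job" {
  name = "glue-etl-job-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "glue.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "glue_service" {
  role       = aws_iam_role.glue_job.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
}

# One customer-managed key for all three encryption blocks. The grants live in the key
# policy; without AllowGlueJobRole, terraform plan is clean and the job fails at start.
resource "aws_kms_key" "glue" {
  description = "Glue ETL: job bookmarks, S3 output, CloudWatch logs"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "KeyAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowGlueJobRole" # CSE-KMS bookmarks and SSE-KMS S3 writes
        Effect    = "Allow"
        Principal = { AWS = aws_iam_role.glue_job.arn }
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"]
        Resource  = "*"
      },
      {
        Sid       = "AllowCloudWatchLogs" # the Logs service, not the job role, encrypts the log group
        Effect    = "Allow"
        Principal = { Service = "logs.us-east-1.amazonaws.com" }
        Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
        Resource  = "*"
        Condition = { ArnLike = { "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*" } }
      }
    ]
  })
}

resource "aws_glue_security_configuration" "this" {
  name = "glue-etl-cse-kms"
  encryption_configuration {
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "SSE-KMS"
      kms_key_arn                = aws_kms_key.glue.arn
    }
    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "CSE-KMS"
      kms_key_arn                   = aws_kms_key.glue.arn
    }
    s3_encryption {
      s3_encryption_mode = "SSE-KMS"
      kms_key_arn        = aws_kms_key.glue.arn
    }
  }
}

resource "aws_glue_job" "etl" {
  name              = "orders-etl"
  role_arn          = aws_iam_role.glue_job.arn
  glue_version      = "4.0"
  worker_type       = "G.1X"
  number_of_workers = 2

  # Omit this and the job runs with no security configuration at all.
  security_configuration = aws_glue_security_configuration.this.name

  command {
    name            = "glueetl"
    script_location = "s3://example-glue-scripts/orders_etl.py"
  }
  # Bookmarks are only written when enabled; they are the data CSE-KMS protects.
  default_arguments = {
    "--job-bookmark-option" = "job-bookmark-enable"
  }

  lifecycle {
    # The control's condition, enforced at plan time for this job.
    precondition {
      condition     = aws_glue_security_configuration.this.encryption_configuration[0].job_bookmarks_encryption[0].job_bookmarks_encryption_mode == "CSE-KMS"
      error_message = "orders-etl must use a security configuration with CSE-KMS job bookmark encryption."
    }
  }
}
```

The precondition needs Terraform 1.2 or later. It guards one job; a fleet of jobs is better served by a policy-as-code scanner such as the Checkov or KICS checks listed under Tool mappings, which inspect every aws_glue_job in the plan rather than the ones an author remembered to annotate.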

Common pitfalls

  • Security configuration exists but no jobs reference it

    Creating an aws_glue_security_configuration with encryption enabled does not automatically apply it to jobs. Each aws_glue_job must explicitly set security_configuration to the configuration name. Jobs without this argument run with no security configuration and therefore no bookmark encryption.

  • Immutable security configurations force replacement

    Any change to job_bookmarks_encryption_mode or kms_key_arn forces Terraform to destroy and recreate the aws_glue_security_configuration resource. Security configuration names are unique, so create_before_destroy with an unchanged name fails: the replacement cannot be created while the old configuration still holds the name. Give the replacement a new name, and have every aws_glue_job reference it through the resource attribute (aws_glue_security_configuration.this.name) rather than a literal string, so the jobs are updated in the same apply; with create_before_destroy the new configuration then exists before the old one is removed.

  • KMS key permissions missing for Glue service

    Make sure the KMS key policy grants kms:Encrypt, kms:Decrypt and kms:GenerateDataKey to the IAM role your Glue jobs run as. The key policy is what matters: an IAM policy attached to the role only works if the key policy delegates to IAM (the usual account-root statement). If cloudwatch_encryption uses the same key, the regional CloudWatch Logs service principal needs its own grant, because the Logs service, not the job role, encrypts the log group. Without these grants terraform plan and apply succeed, and the job fails at start with a KMS access denied error.

  • Bookmark mode values are limited

    Glue's bookmark encryption only accepts "CSE-KMS" or "DISABLED". Using "SSE-KMS" or "SSE-S3", which are valid in other Glue encryption blocks, in job_bookmarks_encryption_mode produces an API error at apply time.
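The replacement pattern the second pitfall calls for, as an added example (not the page's own code and not a Compliance.tf module): the configuration name carries a short hash of the settings that force replacement, so any change to the key or the mode produces a new, unique name; create_before_destroy then lets Terraform create the new configuration, move the job onto it, and only afterwards destroy the old one, all in one apply. The job references the name through the resource attribute rather than a literal string so the rename propagates. The variables glue_kms_key_arn and glue_job_role_arn, the job name, the script bucket and the worker settings are assumptions.

```hcl
variable "glue_kms_key_arn" {
  type        = string
  description = "Customer-managed KMS key for bookmark, S3 and CloudWatch encryption"
}

variable "glue_job_role_arn" {
  type        = string
  description = "IAM role the Glue job runs as; must be granted in the key policy"
}

locals {
  bookmark_mode = "CSE-KMS"
  # Security configuration names are unique, so a replacement cannot be created
  # under the old name while the old configuration still exists. A suffix derived
  # from the replacement-forcing settings gives every change its own name.
  security_config_name = "glue-etl-${substr(sha1("${var.glue_kms_key_arn}|${local.bookmark_mode}"), 0, 8)}"
}

resource "aws_glue_security_configuration" "this" {
  name = local.security_config_name

  encryption_configuration {
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "SSE-KMS"
      kms_key_arn                = var.glue_kms_key_arn
    }
    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = local.bookmark_mode
      kms_key_arn                   = var.glue_kms_key_arn
    }
    s3_encryption {
      s3_encryption_mode = "SSE-KMS"
      kms_key_arn        = var.glue_kms_key_arn
    }
  }

  lifecycle {
    # With a fresh name on every change, the apply order becomes: create the new
    # configuration, update each job that references it, destroy the old one.
    create_before_destroy = true
  }
}

resource "aws_glue_job" "etl" {
  name              = "orders-etl"
  role_arn          = var.glue_job_role_arn
  glue_version      = "4.0"
  worker_type       = "G.1X"
  number_of_workers = 2

  # Reference the attribute, never the literal name: Terraform then rewrites this
  # job in the same apply as the replacement. A hard-coded "glue-etl-1a2b3c4d"
  # would leave the job on a configuration the apply is about to destroy.
  security_configuration = aws_glue_security_configuration.this.name

  command {
    name            = "glueetl"
    script_location = "s3://example-glue-scripts/orders_etl.py"
  }
}
```

Rotating the key ARN in glue_kms_key_arn is enough to trigger the whole sequence; terraform plan shows the new configuration being created, the job being updated in place, and the old configuration being destroyed last.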

Audit evidence

Glue security configuration definitions, from Terraform state, the AWS CLI (get-security-configuration) or the Glue console Security configurations page, show the job_bookmarks_encryption_mode and kms_key_arn in use. CloudTrail CreateSecurityConfiguration events record when a configuration was created and the encryption settings in the request; GetSecurityConfiguration events record who read it. The KMS key policy, plus GenerateDataKey and Decrypt CloudTrail events made by the Glue job role's session against that key, confirm encryption is active at runtime. AWS Config has no managed rule for this check; coverage requires a custom rule.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: glue_job_bookmarks_encryption_enabled

  • Checkov Check: CKV_AWS_99

  • Powerpipe Control: aws_compliance.control.glue_job_bookmarks_encryption_enabled

  • Prowler Checks: glue_development_endpoints_job_bookmark_encryption_enabled, glue_etl_jobs_job_bookmark_encryption_enabled

  • KICS Query: ad5b4e97-2850-4adf-be17-1d293e0b85ee

Last reviewed: 2026-03-09