
Glue jobs CloudWatch logs encryption should be enabled

Glue jobs write execution logs, driver output, and error traces to CloudWatch Logs. These logs can contain connection strings, table schemas, partial data samples, and transformation logic that reveal sensitive business information. Without encryption, anyone with read access to the log group sees this data in plaintext.

Enabling SSE-KMS on CloudWatch logs encrypts that data at rest using a customer-managed or AWS-managed KMS key. You get centralized key rotation, an audit trail via CloudTrail, and the ability to revoke access by modifying key policies.

Retrofit consideration

Each existing Glue job must be updated to reference a security configuration. The security_configuration argument cannot be updated in-place in some cases, so a destroy/recreate cycle may be required. Coordinate with job schedules before making changes.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_glue_security_configuration.

resource "aws_glue_security_configuration" "this" {
  encryption_configuration {
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "SSE-KMS"
      kms_key_arn                = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    }

    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "CSE-KMS"
      kms_key_arn                   = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    }

    s3_encryption {
      kms_key_arn        = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
      s3_encryption_mode = "SSE-KMS"
    }
  }
  name = "pofix-abc123"
}

What this control checks

To pass this control, two Terraform resources must be correctly configured. First, an aws_glue_security_configuration resource must include an encryption_configuration block containing a cloudwatch_encryption block where cloudwatch_encryption_mode is set to "SSE-KMS" and kms_key_arn points to a valid KMS key. Second, the aws_glue_job resource must set its security_configuration argument to the name of that security configuration. A job fails the check if security_configuration is omitted or if the referenced configuration has cloudwatch_encryption_mode set to "DISABLED".
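As an added example (not part of the original page or the Compliance.tf project), this Python script applies the check above to a plan exported with terraform show -json and loaded with json.load, walking child modules as well as the root module; the embedded sample plan is constructed, and its job and configuration names are hypothetical.

```python
"""Apply this control to `terraform show -json tfplan` output (stdlib only)."""
import re

KMS_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/")

def _resources(module):
    """Yield resources from a plan module and all of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _resources(child)

def compliant_security_configs(plan):
    """Names of aws_glue_security_configuration resources whose CloudWatch mode is SSE-KMS
    with a KMS key ARN. Nested Terraform blocks appear as lists of objects in plan JSON."""
    ok = set()
    for r in _resources(plan["planned_values"]["root_module"]):
        if r["type"] != "aws_glue_security_configuration":
            continue
        enc = (r["values"].get("encryption_configuration") or [{}])[0]
        cw = (enc.get("cloudwatch_encryption") or [{}])[0]
        if cw.get("cloudwatch_encryption_mode") == "SSE-KMS" and KMS_ARN.match(cw.get("kms_key_arn") or ""):
            ok.add(r["values"]["name"])
    return ok

def evaluate_jobs(plan):
    """Map each aws_glue_job name to (status, reason). A security_configuration that is unset,
    or unknown at plan time and therefore missing from values, fails the control."""
    good = compliant_security_configs(plan)
    results = {}
    for r in _resources(plan["planned_values"]["root_module"]):
        if r["type"] == "aws_glue_job":
            cfg = r["values"].get("security_configuration")
            reason = ("not set" if not cfg else "CloudWatch logs use SSE-KMS" if cfg in good
                      else "referenced configuration does not use SSE-KMS for CloudWatch logs")
            results[r["values"]["name"]] = ("PASS" if cfg in good else "FAIL", f"{cfg!r}: {reason}")
    return results

# Constructed sample plan with hypothetical job and configuration names.
def _sec_cfg(name, mode, key):
    return {"type": "aws_glue_security_configuration", "name": name, "values": {"name": name,
            "encryption_configuration": [{"cloudwatch_encryption": [
                {"cloudwatch_encryption_mode": mode, "kms_key_arn": key}]}]}}

def _job(name, cfg):
    return {"type": "aws_glue_job", "name": name, "values": {"name": name, "security_configuration": cfg}}

KEY = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    _sec_cfg("pofix-abc123", "SSE-KMS", KEY), _sec_cfg("legacy-cfg", "DISABLED", None),
    _job("etl-ok", "pofix-abc123"), _job("etl-legacy", "legacy-cfg"), _job("etl-none", None)]}}}
```

Calling evaluate_jobs(SAMPLE_PLAN) reports etl-ok as PASS and both etl-legacy (DISABLED mode) and etl-none (no security_configuration) as FAIL, matching the two failure conditions stated above.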

Common pitfalls

  • Security configuration is not updatable in-place

    Changing the name or encryption settings on an aws_glue_security_configuration forces a replacement. If multiple jobs reference the same configuration, Terraform will attempt to destroy and recreate it, which temporarily leaves those jobs without a valid security configuration. Use lifecycle { create_before_destroy = true } or create a new configuration under a different name and update job references separately.

  • Job references configuration by name, not ARN

    The security_configuration argument on aws_glue_job takes a plain string name. If a security configuration is renamed outside Terraform, job references break at runtime with no obvious error. Always use a direct reference like aws_glue_security_configuration.this.name rather than a hardcoded string.

  • KMS key policy must grant Glue and CloudWatch Logs access

    Missing key policy grants cause job startup failures or CloudWatch Logs delivery errors that are hard to trace. The key specified in kms_key_arn needs kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey* granted to both the logs.<region>.amazonaws.com service principal and the Glue service role.

  • Encryption settings are per-security-configuration, not per-job

    A single aws_glue_security_configuration bundles CloudWatch, S3, and job bookmark encryption. If you only need CloudWatch encryption, configuring just the cloudwatch_encryption block is enough; s3_encryption and job_bookmarks_encryption are optional unless you want explicit settings for those data paths.

Audit evidence

An auditor expects to see AWS Config rule evaluation results (custom rule or conformance pack) confirming that all Glue jobs have CloudWatch logs encryption enabled. Supporting evidence includes the output of aws glue get-security-configuration for each referenced configuration, showing CloudWatchEncryption.CloudWatchEncryptionMode as SSE-KMS with a valid KmsKeyArn. The output of aws glue get-job should show a non-empty SecurityConfiguration field for every job.

CloudTrail events for CreateSecurityConfiguration and CreateJob or UpdateJob provide a timeline of when encryption was applied. Screenshots from the Glue console showing security configuration details for each job can supplement automated scan results from tools like Prowler or Steampipe.

Framework-specific interpretation

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: glue_job_cloudwatch_logs_encryption_enabled

  • Checkov Check: CKV_AWS_99

  • Powerpipe Control: aws_compliance.control.glue_job_cloudwatch_logs_encryption_enabled

  • Prowler Check: glue_etl_jobs_cloudwatch_logs_encryption_enabled

  • KICS Query: ad5b4e97-2850-4adf-be17-1d293e0b85ee

Last reviewed: 2026-03-09