Glue jobs S3 encryption should be enabled

Glue jobs read and write intermediate results, ETL output, and temp files to S3. Without an explicit S3 encryption mode in the security configuration, encryption behavior for Glue-managed writes isn't enforced at the job level, even if bucket default encryption covers it. The gap matters most when jobs write to buckets outside your direct control, where you can't verify default encryption is configured correctly.

Setting s3_encryption_mode to SSE-S3 or SSE-KMS in the security configuration applies encryption at the source regardless of the destination bucket's defaults. It also pins the keying approach, which matters for access control and key rotation audits.

Retrofit consideration

Existing Glue jobs without a security configuration require creating a new aws_glue_security_configuration resource and updating every aws_glue_job to reference it. Jobs must be stopped and restarted to pick up the change.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_glue_security_configuration.

# Security configuration that Glue jobs reference by name. The KMS key ARN
# below is an example value; replace it with your own customer-managed key.
resource "aws_glue_security_configuration" "this" {
  encryption_configuration {
    # CloudWatch log encryption for job run logs.
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "SSE-KMS"
      kms_key_arn                = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    }

    # Client-side encryption of job bookmark state.
    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "CSE-KMS"
      kms_key_arn                   = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    }

    # The block this control evaluates: mode must be SSE-S3 or SSE-KMS,
    # and SSE-KMS requires kms_key_arn.
    s3_encryption {
      kms_key_arn        = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
      s3_encryption_mode = "SSE-KMS"
    }
  }
  name = "pofix-abc123"
}

What this control checks

This control validates two Terraform resources working together. An aws_glue_security_configuration must exist with an encryption_configuration block containing an s3_encryption sub-block where s3_encryption_mode is "SSE-S3" or "SSE-KMS". When "SSE-KMS" is selected, kms_key_arn must also be provided. A value of "DISABLED" or an absent s3_encryption block fails the check.

The aws_glue_job resource must set its security_configuration argument to the name of a passing aws_glue_security_configuration. A job with no security_configuration argument fails, since that provides no encryption guarantee on S3 writes.

Common pitfalls

  • Security configuration not attached to job

    Creating an aws_glue_security_configuration with proper S3 encryption does nothing if aws_glue_job omits the security_configuration argument. The policy checks both resources. Each job must explicitly reference the configuration by name.

  • Using SSE-KMS without specifying kms_key_arn

    Setting s3_encryption_mode to "SSE-KMS" without kms_key_arn typically falls back to the AWS managed key for S3 (alias/aws/s3). That may pass this control, but it will fail policies requiring customer-managed keys for rotation and access audit.

  • Inline encryption_configuration in older Terraform patterns

    Legacy Terraform sometimes defines encryption_configuration with only cloudwatch_encryption or job_bookmarks_encryption, leaving out the s3_encryption sub-block entirely. S3 writes go unencrypted and the control fails.

  • Glue job overriding output path to unencrypted bucket

    The security configuration only covers writes the Glue runtime performs through its managed S3 integration. If a job script calls S3 directly via boto3 without server-side encryption headers, those writes bypass the security configuration entirely and land unencrypted regardless of this setting.

Audit evidence

AWS Config rule evaluation results showing all Glue jobs as COMPLIANT are the primary evidence. Console screenshots of each job's security configuration panel confirming SSE-S3 or SSE-KMS mode also work. For programmatic confirmation, aws glue get-security-configuration --name <config-name> should return S3EncryptionMode set to a value other than DISABLED, and aws glue get-job --job-name <job-name> should show a SecurityConfiguration field naming that configuration.

CloudTrail logs for CreateSecurityConfiguration and UpdateJob establish when encryption was first applied and by whom.
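The following is an added example, not part of the original control page or of any of the tools listed below. It applies the rules from "What this control checks" to JSON in the shape that aws glue get-security-configuration and aws glue get-job print (SecurityConfiguration.EncryptionConfiguration.S3Encryption is a list of entries with S3EncryptionMode and KmsKeyArn; Job.SecurityConfiguration is the referenced name), so the same logic can be run over saved CLI output as audit evidence. Following the control text, SSE-KMS is only accepted together with a KmsKeyArn. The configuration names, job names and the key ARN in the sample responses are constructed placeholders.

```python
"""Added example: evaluate the Glue S3 encryption control against saved
GetSecurityConfiguration / GetJob responses. Sample data is constructed."""
import json


def evaluate_security_configuration(response):
    """Apply the control's rules to one GetSecurityConfiguration response.

    Returns (passes, reason). Passes when an S3Encryption entry has
    S3EncryptionMode SSE-S3, or SSE-KMS together with a KmsKeyArn.
    DISABLED, or an absent S3Encryption list, fails.
    """
    config = response.get("SecurityConfiguration") or {}
    encryption = config.get("EncryptionConfiguration") or {}
    entries = encryption.get("S3Encryption") or []
    if not entries:
        return False, "no S3Encryption block"
    for entry in entries:
        mode = entry.get("S3EncryptionMode", "DISABLED")
        if mode == "SSE-S3":
            return True, "SSE-S3"
        if mode == "SSE-KMS":
            if entry.get("KmsKeyArn"):
                return True, "SSE-KMS with explicit key"
            return False, "SSE-KMS without KmsKeyArn"
    return False, "S3EncryptionMode is DISABLED"


def evaluate_job(job_response, config_results):
    """A job passes only if it names a security configuration that passed."""
    job = job_response.get("Job") or {}
    name = job.get("SecurityConfiguration")
    if not name:
        return False, "job has no SecurityConfiguration"
    if name not in config_results:
        return False, f"references unknown configuration {name!r}"
    passes, reason = config_results[name]
    return passes, f"{name}: {reason}"


def audit(security_config_responses, job_responses):
    """Evaluate every configuration first, then every job against those results."""
    config_results = {
        r["SecurityConfiguration"]["Name"]: evaluate_security_configuration(r)
        for r in security_config_responses
    }
    return {r["Job"]["Name"]: evaluate_job(r, config_results) for r in job_responses}


# Constructed sample responses in the shape the two CLI commands print.
# They cover the pitfalls listed on the page: a config with only CloudWatch
# encryption, SSE-KMS without a key, DISABLED, and a job with no configuration.
SAMPLE_CONFIGS = [json.loads(s) for s in (
    '{"SecurityConfiguration": {"Name": "kms-config", "EncryptionConfiguration": '
    '{"S3Encryption": [{"S3EncryptionMode": "SSE-KMS", '
    '"KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER"}]}}}',
    '{"SecurityConfiguration": {"Name": "logs-only", "EncryptionConfiguration": '
    '{"CloudWatchEncryption": {"CloudWatchEncryptionMode": "SSE-KMS"}}}}',
    '{"SecurityConfiguration": {"Name": "kms-no-key", "EncryptionConfiguration": '
    '{"S3Encryption": [{"S3EncryptionMode": "SSE-KMS"}]}}}',
    '{"SecurityConfiguration": {"Name": "disabled", "EncryptionConfiguration": '
    '{"S3Encryption": [{"S3EncryptionMode": "DISABLED"}]}}}',
)]
SAMPLE_JOBS = [json.loads(s) for s in (
    '{"Job": {"Name": "etl-good", "SecurityConfiguration": "kms-config"}}',
    '{"Job": {"Name": "etl-logs-only", "SecurityConfiguration": "logs-only"}}',
    '{"Job": {"Name": "etl-no-key", "SecurityConfiguration": "kms-no-key"}}',
    '{"Job": {"Name": "etl-detached"}}',
)]

if __name__ == "__main__":
    for job_name, (ok, reason) in audit(SAMPLE_CONFIGS, SAMPLE_JOBS).items():
        status = "COMPLIANT" if ok else "NON_COMPLIANT"
        print(f"{job_name:14} {status:14} {reason}")
```

To run it over a real account, replace the two sample lists with the parsed output of the CLI commands named above for each configuration and each job; only etl-good passes in the sample set, and the reason strings say which of the control's conditions the others miss.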

Framework-specific interpretation

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: glue_job_s3_encryption_enabled

  • Checkov Checks: CKV_AWS_195, CKV_AWS_99

  • Powerpipe Control: aws_compliance.control.glue_job_s3_encryption_enabled

  • Prowler Check: glue_etl_jobs_amazon_s3_encryption_enabled

  • KICS Query: ad5b4e97-2850-4adf-be17-1d293e0b85ee

Last reviewed: 2026-03-09