turbot/steampipe-mod-aws-compliance

Control: 4 AWS Glue Spark jobs should run on supported versions of AWS Glue

Description

This control checks whether an AWS Glue for Spark job is configured to run on a supported version of AWS Glue. The control fails if the Spark job is configured to run on a version of AWS Glue that's earlier than the minimum supported version.

Running AWS Glue Spark jobs on current versions of AWS Glue can optimize performance, security, and access to the latest features of AWS Glue. It can also help safeguard against security vulnerabilities. For example, a new version might be released to provide security updates, address issues, or introduce new features.

Remediation

For information about migrating a Spark job to a supported version of AWS Glue, see Migrating AWS Glue for Spark jobs in the AWS Glue User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_glue_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_glue_4 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when not default_arguments @> '{"--enable-spark-ui": "true"}'::jsonb then 'skip'
    when cast(glue_version AS DECIMAL) >= $1 then 'ok'
    else 'alarm'
  end as status,
  case
    when not default_arguments @> '{"--enable-spark-ui": "true"}'::jsonb then title || ' is not a spark job.'
    else title || ' uses ' || glue_version || ' glue version.'
  end as reason
  , region, account_id
from
  aws_glue_job;

Params

Args  Name                              Default  Description                      Variable
$1    glue_spark_job_supported_version  3        Minimum supported Glue version.
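The following is an added example, not code from the mod: it mirrors the status logic of the named query above in Python so the three outcomes can be checked offline against an exported job inventory. The rows in JOBS are constructed, and the function names (evaluate, below_minimum, skipped_below_minimum) are hypothetical; the last one lists rows the query reports as 'skip' even though their Glue version is below the minimum, which are worth reviewing by hand.

```python
from decimal import Decimal

MIN_SUPPORTED = Decimal("3")  # default of glue_spark_job_supported_version on this page

# Constructed rows, shaped like the aws_glue_job columns the query reads.
JOBS = [
    {"title": "etl-current", "glue_version": "4.0",
     "default_arguments": {"--enable-spark-ui": "true"}},
    {"title": "etl-legacy", "glue_version": "2.0",
     "default_arguments": {"--enable-spark-ui": "true"}},
    {"title": "etl-no-ui", "glue_version": "2.0",
     "default_arguments": {"--job-language": "python"}},
    {"title": "etl-no-args", "glue_version": "1.0", "default_arguments": None},
    {"title": "etl-no-version", "glue_version": None,
     "default_arguments": {"--enable-spark-ui": "true"}},
]


def below_minimum(job, minimum=MIN_SUPPORTED):
    """True when the job reports a version lower than the minimum."""
    version = job["glue_version"]
    return version is not None and Decimal(version) < minimum


def evaluate(job, minimum=MIN_SUPPORTED):
    """Mirror the query's first CASE expression for one row."""
    args = job["default_arguments"]
    # NOT (NULL @> ...) is NULL in SQL, so a row with no arguments does not
    # match the 'skip' branch and is judged on its version instead.
    if args is not None and args.get("--enable-spark-ui") != "true":
        return "skip"
    version = job["glue_version"]
    # A NULL version makes the >= comparison NULL, which lands in ELSE.
    if version is not None and Decimal(version) >= minimum:
        return "ok"
    return "alarm"


def skipped_below_minimum(jobs, minimum=MIN_SUPPORTED):
    """Titles of rows reported as 'skip' although their version is too old."""
    return [j["title"] for j in jobs
            if evaluate(j, minimum) == "skip" and below_minimum(j, minimum)]


if __name__ == "__main__":
    for job in JOBS:
        print(job["title"], evaluate(job))
    print("review manually:", skipped_below_minimum(JOBS))
```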

Tags