Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: Glue data catalog metadata encryption should be enabled

Description

Ensure Glue data catalog metadata encryption is enabled to protect sensitive information at rest.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.glue_data_catalog_encryption_settings_metadata_encryption_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.glue_data_catalog_encryption_settings_metadata_encryption_enabled --share

SQL

This control uses a named query:

select
  'arn:' || partition || '::' || region || ':' || account_id as resource,
  case
    when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'ok'
    else 'alarm'
  end as status,
  case
    when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'Glue data catalog metadata encryption is enabled in ' || region || '.'
    else 'Glue data catalog metadata encryption is disabled in ' || region || '.'
  end as reason
  , region, account_id
from
  aws_glue_data_catalog_encryption_settings;

Tags

service = AWS/Glue