turbot/steampipe-mod-aws-compliance

Control: Glue data catalog metadata encryption should be enabled

Description

Ensure Glue data catalog metadata encryption is enabled to protect sensitive information at rest.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.glue_data_catalog_encryption_settings_metadata_encryption_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.glue_data_catalog_encryption_settings_metadata_encryption_enabled --share

SQL

This control uses a named query:

select
  'arn:' || partition || '::' || region || ':' || account_id as resource,
  case
    when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'ok'
    else 'alarm'
  end as status,
  case
    when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'Glue data catalog metadata encryption is enabled in ' || region || '.'
    else 'Glue data catalog metadata encryption is disabled in ' || region || '.'
  end as reason,
  region,
  account_id
from
  aws_glue_data_catalog_encryption_settings;
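
The following is an added example, not part of the mod: it runs the control's status expression over constructed rows so the handling of each encryption state can be checked on any PostgreSQL session (the engine Steampipe uses) without an AWS connection. The CTE name `sample_settings`, the regions, the account ID and the key alias are made-up sample values; `SseAwsKmsKeyId` is the key-ID field of the Glue `EncryptionAtRest` structure.

```sql
-- Constructed rows standing in for aws_glue_data_catalog_encryption_settings.
-- Each row models one state the control can encounter in a region.
with sample_settings (region, account_id, encryption_at_rest) as (
  values
    -- Encryption enabled with a KMS key (sample alias).
    ('us-east-1', '111111111111',
     '{"CatalogEncryptionMode": "SSE-KMS", "SseAwsKmsKeyId": "alias/example-glue-key"}'::jsonb),
    -- Encryption explicitly disabled.
    ('us-west-2', '111111111111',
     '{"CatalogEncryptionMode": "DISABLED"}'::jsonb),
    -- Settings object present but the mode key is missing.
    ('eu-west-1', '111111111111',
     '{}'::jsonb),
    -- No settings returned at all.
    ('ap-south-1', '111111111111',
     null::jsonb)
)
select
  region,
  account_id,
  encryption_at_rest ->> 'CatalogEncryptionMode' as catalog_encryption_mode,
  encryption_at_rest ->> 'SseAwsKmsKeyId' as kms_key_id,
  -- Same predicate as the control's named query.
  case
    when encryption_at_rest is not null
      and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'ok'
    else 'alarm'
  end as status
from
  sample_settings
order by
  region;
```

Only the `SSE-KMS` row evaluates to `ok`. The `{}` and NULL rows fall through to `alarm` because `->>` on a missing key yields NULL, which makes the `!=` comparison NULL rather than true, so the control fails closed when the mode is absent.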

Tags