🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: Glue dev endpoints CloudWatch logs encryption should be enabled

Description

Ensure Glue dev endpoints have CloudWatch logs encryption enabled to protect sensitive information at rest.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.glue_dev_endpoint_cloudwatch_logs_encryption_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.glue_dev_endpoint_cloudwatch_logs_encryption_enabled --share

SQL

This control uses a named query:

select
  e.arn as resource,
  case
    when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok'
    else 'alarm'
  end as status,
  case
    when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then e.title || ' CloudWatch logs encryption enabled.'
    else e.title || ' CloudWatch logs encryption disabled.'
  end as reason
  , e.region, e.account_id
from
  aws_glue_dev_endpoint as e
  left join aws_glue_security_configuration as c on e.security_configuration = c.name;

Tags

service = AWS/Glue