Control: Glue data catalog encryption should be enabled
Description
This control checks whether Glue data catalog encryption is enabled. This control is non-complaint if data catalog encryption is disabled.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.glue_data_catalog_encryption_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_aws_compliance.control.glue_data_catalog_encryption_enabled --shareSQL
This control uses a named query:
select address as resource, case when (attributes_std -> 'data_catalog_encryption_settings' -> 'connection_password_encryption' ->> 'return_connection_password_encrypted') = 'true' and (attributes_std -> 'data_catalog_encryption_settings' -> 'connection_password_encryption' ->> 'aws_kms_key_id') is not null and (attributes_std -> 'data_catalog_encryption_settings' -> 'encryption_at_rest' ->> 'sse_aws_kms_key_id') is not null and (attributes_std -> 'data_catalog_encryption_settings' -> 'encryption_at_rest' ->> 'catalog_encryption_mode') = 'SSE-KMS' then 'ok' else 'alarm' end status, split_part(address, '.', 2) || case when (attributes_std -> 'data_catalog_encryption_settings' -> 'connection_password_encryption' ->> 'return_connection_password_encrypted') = 'true' and (attributes_std -> 'data_catalog_encryption_settings' -> 'connection_password_encryption' ->> 'aws_kms_key_id') is not null and (attributes_std -> 'data_catalog_encryption_settings' -> 'encryption_at_rest' ->> 'sse_aws_kms_key_id') is not null and (attributes_std -> 'data_catalog_encryption_settings' -> 'encryption_at_rest' ->> 'catalog_encryption_mode') = 'SSE-KMS' then ' encryption enabled' else ' encryption disabled' end || '.' reason , path || ':' || start_linefrom terraform_resourcewhere type = 'aws_glue_data_catalog_encryption_settings';