AWS Glue
Developer Guide

Encryption at Rest

AWS Glue supports data encryption at rest for Authoring Jobs in AWS Glue and Developing Scripts Using Development Endpoints. You can configure extract, transform, and load (ETL) jobs and development endpoints to use AWS Key Management Service (AWS KMS) keys to write encrypted data at rest. You can also encrypt the metadata stored in the AWS Glue Data Catalog using keys that you manage with AWS KMS. Additionally, you can use AWS KMS keys to encrypt job bookmarks and the logs generated by crawlers and ETL jobs.

Beginning September 4, 2018, AWS Glue ETL and the AWS Glue Data Catalog support AWS KMS (bring your own key and server-side encryption).

You can encrypt metadata objects in your AWS Glue Data Catalog in addition to the data written to Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs by jobs, crawlers, and development endpoints. You can enable encryption of the entire Data Catalog in your account. When you create jobs, crawlers, and development endpoints in AWS Glue, you can provide encryption settings, such as a security configuration, to configure encryption for that process.

With AWS Glue, you can encrypt data using keys that you manage with AWS Key Management Service (AWS KMS). With encryption enabled, when you add Data Catalog objects, run crawlers, run jobs, or start development endpoints, AWS KMS keys are used to write data at rest. In addition, you can configure AWS Glue to access Java Database Connectivity (JDBC) data stores only over a trusted Secure Sockets Layer (SSL) connection.

In AWS Glue, you control encryption settings in the following places:

  • The settings of your Data Catalog.

  • The security configurations that you create.

  • The server-side encryption setting (SSE-S3 or SSE-KMS) that is passed as a parameter to your AWS Glue ETL (extract, transform, and load) job.
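The three control points above map directly onto Glue API request bodies. The following Python is an added example, not code from the AWS Glue Developer Guide or the Glue service: it builds a security configuration that uses SSE-KMS for S3 output and CloudWatch logs and CSE-KMS for job bookmarks, builds the Data Catalog encryption settings, sets the SSE-S3 job parameter, and audits a security configuration for any component left unencrypted. The KMS key ARN is a constructed placeholder; the optional boto3 call at the end is only reached if boto3 is installed and credentials are available.

```python
"""Build and audit AWS Glue encryption-at-rest settings (added example)."""
from typing import Any, Dict, List

try:  # boto3 is optional here; the builders and audit run without it.
    import boto3
except ImportError:  # pragma: no cover
    boto3 = None

# Constructed placeholder ARN; a real deployment substitutes its own KMS key.
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"


def build_security_configuration(name: str, kms_key_arn: str) -> Dict[str, Any]:
    """Request body for glue.create_security_configuration.

    S3 output and CloudWatch logs use server-side KMS encryption; job bookmarks
    use client-side KMS encryption (CSE-KMS), the mode Glue offers for bookmarks.
    """
    return {
        "Name": name,
        "EncryptionConfiguration": {
            "S3Encryption": [{"S3EncryptionMode": "SSE-KMS", "KmsKeyArn": kms_key_arn}],
            "CloudWatchEncryption": {"CloudWatchEncryptionMode": "SSE-KMS", "KmsKeyArn": kms_key_arn},
            "JobBookmarksEncryption": {"JobBookmarksEncryptionMode": "CSE-KMS", "KmsKeyArn": kms_key_arn},
        },
    }


def build_catalog_encryption_settings(kms_key_id: str) -> Dict[str, Any]:
    """Request body for glue.put_data_catalog_encryption_settings.

    Encrypts catalog metadata with SSE-KMS and makes Glue return JDBC connection
    passwords only in KMS-encrypted form.
    """
    return {
        "DataCatalogEncryptionSettings": {
            "EncryptionAtRest": {"CatalogEncryptionMode": "SSE-KMS", "SseAwsKmsKeyId": kms_key_id},
            "ConnectionPasswordEncryption": {
                "ReturnConnectionPasswordEncrypted": True,
                "AwsKmsKeyId": kms_key_id,
            },
        }
    }


def build_job_sse_s3_arguments() -> Dict[str, str]:
    """DefaultArguments entry that passes the SSE-S3 server-side encryption
    setting to an ETL job via the Glue special job parameter --encryption-type."""
    return {"--encryption-type": "sse-s3"}


def audit_security_configuration(config: Dict[str, Any]) -> List[str]:
    """Return findings for components that are DISABLED, missing, or select a
    KMS mode without a key ARN. An empty list means every component is covered."""
    enc = config.get("EncryptionConfiguration", {})
    components = []
    s3_entries = enc.get("S3Encryption", [])
    if not s3_entries:
        components.append(("S3Encryption", {}, "S3EncryptionMode"))
    for entry in s3_entries:
        components.append(("S3Encryption", entry, "S3EncryptionMode"))
    components.append(("CloudWatchEncryption", enc.get("CloudWatchEncryption", {}), "CloudWatchEncryptionMode"))
    components.append(("JobBookmarksEncryption", enc.get("JobBookmarksEncryption", {}), "JobBookmarksEncryptionMode"))

    findings = []
    for label, settings, mode_key in components:
        mode = settings.get(mode_key, "DISABLED")
        if mode == "DISABLED":
            findings.append(f"{label}: encryption disabled")
        elif mode.endswith("KMS") and not settings.get("KmsKeyArn"):
            findings.append(f"{label}: {mode} selected but no KmsKeyArn")
    return findings


def apply_settings(region: str = "us-east-1") -> None:
    """Optional: push the settings to AWS. Requires boto3 and valid credentials."""
    if boto3 is None:
        raise RuntimeError("boto3 is not installed")
    glue = boto3.client("glue", region_name=region)
    glue.create_security_configuration(**build_security_configuration("glue-sse-kms", KMS_KEY_ARN))
    glue.put_data_catalog_encryption_settings(**build_catalog_encryption_settings(KMS_KEY_ARN))


if __name__ == "__main__":
    cfg = build_security_configuration("glue-sse-kms", KMS_KEY_ARN)
    print("findings for hardened configuration:", audit_security_configuration(cfg))
    weak = {"Name": "weak", "EncryptionConfiguration": {"S3Encryption": [{"S3EncryptionMode": "DISABLED"}]}}
    print("findings for weak configuration:", audit_security_configuration(weak))
```

The audit treats a missing component the same as an explicitly DISABLED one, because a security configuration that omits CloudWatch or job bookmark encryption leaves those artifacts in plaintext just as surely as one that disables them.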

For more information about how to set up encryption, see Setting Up Encryption in AWS Glue.