AWS Glue
Developer Guide

Encryption and Secure Access for AWS Glue

You can encrypt metadata objects in your AWS Glue Data Catalog in addition to the data written to Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs by jobs, crawlers, and development endpoints. You can enable encryption of the entire Data Catalog in your account. When you create jobs, crawlers, and development endpoints in AWS Glue, you can provide encryption settings, such as a security configuration, to configure encryption for that process.

With AWS Glue, you can encrypt data using keys that you manage with AWS Key Management Service (AWS KMS). With encryption enabled, when you add Data Catalog objects, run crawlers, run jobs, or start development endpoints, AWS KMS keys are used to write data at rest. In addition, you can configure AWS Glue to only access Java Database Connectivity (JDBC) data stores through a trusted Secure Sockets Layer (SSL) protocol.

In AWS Glue, you control encryption settings in the following places:

  • The settings of your Data Catalog.

  • The security configurations that you create.

  • The server-side encryption setting (SSE-S3 or SSE-KMS) that is passed as a parameter to your AWS Glue ETL (extract, transform, and load) job.

For more information about how to set up encryption, see Setting Up Encryption in AWS Glue.