AWS Glue
Developer Guide

Security in AWS Glue

You can manage your AWS Glue resources and your data stores by using authentication, access control, and encryption.

Use AWS Identity and Access Management (IAM) policies to assign permissions and control access to AWS Glue resources.

AWS Glue also enables you to encrypt data, logs, and bookmarks using keys that you manage with AWS KMS. You can configure ETL jobs and development endpoints to use AWS KMS keys to write encrypted data at rest. Additionally, you can use AWS KMS keys to encrypt the logs generated by crawlers and ETL jobs, as well as to encrypt ETL job bookmarks. With AWS Glue, you can also encrypt the metadata stored in the Data Catalog with keys that you manage with AWS KMS.

The following examples describe some of the methods you can use for secure processing.

Important

To use fine-grained access control with the Data Catalog and Athena, consider the following limitations:

  • You must upgrade from an Athena-managed Data Catalog to the AWS Glue Data Catalog.

  • Athena does not support cross-account access to an AWS Glue Data Catalog.

  • You cannot limit access to individual partitions within a table. You can only limit access to databases and entire tables.

  • When limiting access to a specific database in the AWS Glue Data Catalog, you must also specify a default database for each AWS Region. If you use Athena and the AWS Glue Data Catalog in more than one Region, add a resource ARN for each default database in each Region. For example, to allow GetDatabase access to example_db in the us-east-1 Region, include the default database in the policy as well:

    { "Effect": "Allow", "Action": [ "glue:GetDatabase" ], "Resource": [ "arn:aws:glue:us-east-1:123456789012:database/default", "arn:aws:glue:us-east-1:123456789012:database/example_db", "arn:aws:glue:us-east-1:123456789012:catalog" ] }

For more information, see Fine-Grained Access to Databases and Tables in the AWS Glue Data Catalog.
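The following Python snippet is an added example, not part of this guide or of any AWS tooling. It generalizes the policy above to several Regions: one helper builds the glue:GetDatabase statement with the required database/default and catalog ARNs for every Region, and a second helper reviews an existing statement and reports the Regions whose database ARNs lack the matching default database. The account ID and database names are constructed sample values.

```python
import re

# Matches a Glue database ARN and captures Region, account ID and database name.
GLUE_DB_ARN = re.compile(r"^arn:aws:glue:([a-z0-9-]+):(\d{12}):database/(.+)$")


def build_glue_catalog_statement(account_id, databases_by_region):
    """Build an Allow statement for glue:GetDatabase.

    databases_by_region maps a Region name to the databases to expose there.
    For each Region the catalog ARN and the database/default ARN are added
    because Athena requires the default database whenever access is limited
    to specific databases.
    """
    resources = []
    for region, databases in sorted(databases_by_region.items()):
        prefix = f"arn:aws:glue:{region}:{account_id}"
        resources.append(f"{prefix}:catalog")
        resources.append(f"{prefix}:database/default")
        for db in databases:
            if db != "default":  # already added above
                resources.append(f"{prefix}:database/{db}")
    return {"Effect": "Allow", "Action": ["glue:GetDatabase"], "Resource": resources}


def missing_default_databases(statement):
    """Return the Regions whose database ARNs appear in the statement without
    a database/default ARN for the same Region (sorted list, empty if none)."""
    resources = statement.get("Resource", [])
    if isinstance(resources, str):  # IAM allows a single ARN as a bare string
        resources = [resources]
    regions_seen, regions_with_default = set(), set()
    for arn in resources:
        match = GLUE_DB_ARN.match(arn)
        if not match:
            continue  # catalog or table ARNs do not affect this check
        region, _account, name = match.groups()
        regions_seen.add(region)
        if name == "default":
            regions_with_default.add(region)
    return sorted(regions_seen - regions_with_default)


if __name__ == "__main__":
    # Constructed sample: two Regions, sample account 123456789012.
    stmt = build_glue_catalog_statement(
        "123456789012", {"us-east-1": ["example_db"], "eu-west-1": ["analytics"]}
    )
    print(stmt["Resource"])
    print(missing_default_databases(stmt))  # [] because defaults were included
```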