MEDIUM | Glue | Security

Glue Job Encryption Missing

glue-job-encryption-missing

What this rule checks

Detects AWS::Glue::Job resources that have no SecurityConfiguration attached. A Glue SecurityConfiguration is what tells Glue to encrypt the three things a job writes: job bookmarks, the S3 objects it produces, and its CloudWatch log streams. Without one, Glue applies no KMS encryption to any of them.

How to fix it

  1. Create a SecurityConfiguration enabling KMS encryption for all three targets (S3, CloudWatch logs, job bookmarks)
  2. Reference it via the job's SecurityConfiguration property
Flagged: The Glue job has no SecurityConfiguration attached, so Glue itself does not KMS-encrypt its job bookmarks, the S3 objects it writes, or its CloudWatch logs (bucket-level default encryption may still apply to the S3 output, but the rule only looks at the job's own configuration). CDK Insights flags AWS::Glue::Job resources without a SecurityConfiguration.

import { CfnJob } from 'aws-cdk-lib/aws-glue';

// No securityConfiguration property: bookmarks, S3 output and logs are written
// without Glue-managed KMS encryption.
new CfnJob(this, 'EtlJob', {
  name: 'nightly-etl',
  role: 'arn:aws:iam::111122223333:role/GlueEtlRole',
  command: {
    name: 'glueetl',
    scriptLocation: 's3://my-glue-scripts/nightly-etl.py',
    pythonVersion: '3',
  },
  glueVersion: '4.0',
});
Fixed: A CfnSecurityConfiguration enabling SSE-KMS for S3 and CloudWatch and CSE-KMS for job bookmarks is created and referenced via the job's securityConfiguration property. The finding clears once a SecurityConfiguration is attached. The job references the configuration through secConfig.ref rather than the literal name: Ref on an AWS::Glue::SecurityConfiguration returns its name, and using it gives CloudFormation a dependency edge so the configuration is created before the job.

import { CfnJob, CfnSecurityConfiguration } from 'aws-cdk-lib/aws-glue';

const kmsKeyArn = 'arn:aws:kms:us-east-1:111122223333:key/abcd-1234';

const secConfig = new CfnSecurityConfiguration(this, 'GlueSecurityConfig', {
  name: 'etl-encryption',
  encryptionConfiguration: {
    // S3 output written by the job; add kmsKeyArn here too to pin a specific key.
    s3Encryptions: [{ s3EncryptionMode: 'SSE-KMS' }],
    // CloudWatch log streams produced by the job run.
    cloudWatchEncryption: {
      cloudWatchEncryptionMode: 'SSE-KMS',
      kmsKeyArn,
    },
    // Job bookmark state (which inputs have already been processed).
    jobBookmarksEncryption: {
      jobBookmarksEncryptionMode: 'CSE-KMS',
      kmsKeyArn,
    },
  },
});

new CfnJob(this, 'EtlJob', {
  name: 'nightly-etl',
  role: 'arn:aws:iam::111122223333:role/GlueEtlRole',
  command: {
    name: 'glueetl',
    scriptLocation: 's3://my-glue-scripts/nightly-etl.py',
    pythonVersion: '3',
  },
  glueVersion: '4.0',
  // Ref resolves to the configuration's name and orders creation correctly.
  securityConfiguration: secConfig.ref,
});
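To see what this rule is checking in the synthesized output, here is an added example (not CDK Insights' own code, and not from AWS) that walks a CloudFormation template of the shape `cdk synth` writes to cdk.out and reports every AWS::Glue::Job without a SecurityConfiguration. It goes one step beyond the rule: when a job does reference a configuration, it verifies that the configuration enables a KMS-backed mode for all three targets, and it warns when the job references the configuration by a literal name string instead of a Ref, since CloudFormation then has no dependency edge between the two resources. The template at the bottom is constructed for the example; the property and mode names are those of the AWS::Glue::SecurityConfiguration resource.

```typescript
// Added example: stand-alone check over a synthesized CloudFormation template.
type Json = Record<string, any>;

interface Finding {
  job: string; // logical id of the AWS::Glue::Job
  message: string;
}

// KMS-backed encryption modes per target, as named in AWS::Glue::SecurityConfiguration.
const KMS_MODES = {
  S3: ['SSE-KMS'],
  CloudWatch: ['SSE-KMS'],
  JobBookmarks: ['CSE-KMS'],
};

/** Find the AWS::Glue::SecurityConfiguration a job's SecurityConfiguration value points at. */
function resolveSecurityConfig(
  value: unknown,
  resources: Json,
): { id?: string; res?: Json; byLiteralName: boolean } {
  if (value && typeof value === 'object' && typeof (value as Json).Ref === 'string') {
    // { Ref: 'LogicalId' }: Ref on a SecurityConfiguration returns its Name and
    // gives CloudFormation a dependency edge.
    const id = (value as Json).Ref as string;
    const res = resources[id];
    return res?.Type === 'AWS::Glue::SecurityConfiguration'
      ? { id, res, byLiteralName: false }
      : { byLiteralName: false };
  }
  if (typeof value === 'string') {
    // A plain name works at deploy time, but CloudFormation cannot see the
    // dependency, so creation order is not guaranteed.
    for (const [id, res] of Object.entries(resources) as [string, Json][]) {
      if (res.Type === 'AWS::Glue::SecurityConfiguration' && res.Properties?.Name === value) {
        return { id, res, byLiteralName: true };
      }
    }
  }
  return { byLiteralName: false };
}

/** One Finding per problem found on every AWS::Glue::Job in the template. */
function checkGlueJobEncryption(template: Json): Finding[] {
  const resources: Json = template.Resources ?? {};
  const findings: Finding[] = [];

  for (const [jobId, job] of Object.entries(resources) as [string, Json][]) {
    if (job.Type !== 'AWS::Glue::Job') continue;
    const ref = job.Properties?.SecurityConfiguration;
    if (ref === undefined) {
      findings.push({ job: jobId, message: 'no SecurityConfiguration attached' });
      continue;
    }
    const { id, res, byLiteralName } = resolveSecurityConfig(ref, resources);
    if (!res) {
      findings.push({ job: jobId, message: `SecurityConfiguration ${JSON.stringify(ref)} not found in template` });
      continue;
    }
    if (byLiteralName) {
      findings.push({ job: jobId, message: `references ${id} by literal name; use its Ref so CloudFormation orders creation` });
    }
    const enc: Json = res.Properties?.EncryptionConfiguration ?? {};
    const modes: Record<keyof typeof KMS_MODES, string[]> = {
      S3: (enc.S3Encryptions ?? []).map((e: Json) => e.S3EncryptionMode),
      CloudWatch: [enc.CloudWatchEncryption?.CloudWatchEncryptionMode],
      JobBookmarks: [enc.JobBookmarksEncryption?.JobBookmarksEncryptionMode],
    };
    for (const target of Object.keys(KMS_MODES) as (keyof typeof KMS_MODES)[]) {
      if (!modes[target].some((m) => KMS_MODES[target].includes(m))) {
        const seen = modes[target].filter(Boolean).join(',') || 'unset';
        findings.push({ job: jobId, message: `${id}: ${target} encryption is not KMS (${seen})` });
      }
    }
  }
  return findings;
}

// Constructed sample template (not real cdk.out output): one unencrypted job, one
// job on a partially encrypted config referenced by name, one fully encrypted job.
const KEY = 'arn:aws:kms:us-east-1:111122223333:key/abcd-1234';
const jobBase = { Command: { Name: 'glueetl' }, Role: 'arn:aws:iam::111122223333:role/GlueEtlRole' };
const SAMPLE_TEMPLATE: Json = {
  Resources: {
    FullConfig: {
      Type: 'AWS::Glue::SecurityConfiguration',
      Properties: {
        Name: 'etl-encryption',
        EncryptionConfiguration: {
          S3Encryptions: [{ S3EncryptionMode: 'SSE-KMS', KmsKeyArn: KEY }],
          CloudWatchEncryption: { CloudWatchEncryptionMode: 'SSE-KMS', KmsKeyArn: KEY },
          JobBookmarksEncryption: { JobBookmarksEncryptionMode: 'CSE-KMS', KmsKeyArn: KEY },
        },
      },
    },
    PartialConfig: {
      Type: 'AWS::Glue::SecurityConfiguration',
      Properties: {
        Name: 'partial',
        EncryptionConfiguration: {
          S3Encryptions: [{ S3EncryptionMode: 'SSE-S3' }],
          CloudWatchEncryption: { CloudWatchEncryptionMode: 'SSE-KMS', KmsKeyArn: KEY },
          JobBookmarksEncryption: { JobBookmarksEncryptionMode: 'DISABLED' },
        },
      },
    },
    UnencryptedJob: { Type: 'AWS::Glue::Job', Properties: { ...jobBase } },
    PartialJob: { Type: 'AWS::Glue::Job', Properties: { ...jobBase, SecurityConfiguration: 'partial' } },
    GoodJob: { Type: 'AWS::Glue::Job', Properties: { ...jobBase, SecurityConfiguration: { Ref: 'FullConfig' } } },
  },
};

for (const f of checkGlueJobEncryption(SAMPLE_TEMPLATE)) console.log(`${f.job}: ${f.message}`);
```

Run against the sample, the check reports one finding for UnencryptedJob (no configuration), three for PartialJob (literal-name reference, S3 on SSE-S3 rather than KMS, bookmarks disabled) and none for GoodJob. Pointing it at a real cdk.out template is a quick way to confirm the fix above before a deploy.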

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

AWS::Glue::Job

Compliance frameworks

SOC2, HIPAA, PCI-DSS, NIST

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate (a genuinely public endpoint, say). You can dismiss glue-job-encryption-missing, and the reason is kept in the report rather than silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "glue-job-encryption-missing", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::glue-job-encryption-missing',
  reason: 'Why this is intentional',
});

Use the rule ID glue-job-encryption-missing shown above, not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs →

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app โ€” free, no account, your code never leaves your machine.
