Encrypting data written by DataBrew jobs - Amazon Glue DataBrew

Encrypting data written by DataBrew jobs

DataBrew jobs can write to encrypted Amazon S3 targets and encrypted Amazon CloudWatch Logs.

Setting up DataBrew to use encryption

Follow this procedure to set up your DataBrew environment to use encryption.

To set up your DataBrew environment to use encryption
  1. Create or update your Amazon KMS keys to give Amazon KMS permissions to the Amazon Identity and Access Management (IAM) roles that are passed to DataBrew jobs. These IAM roles are used to encrypt CloudWatch Logs and Amazon S3 targets. For more information, see Encrypt Log Data in CloudWatch Logs Using Amazon KMS in the Amazon CloudWatch Logs User Guide.

    In the following example, "role1", "role2", and "role3" are IAM roles that are passed to DataBrew jobs. This policy statement describes a KMS key policy that gives permission to the listed IAM roles to encrypt and decrypt with this KMS key.

    { "Effect": "Allow", "Principal": { "Service": "logs.region.amazonaws.com", "AWS": [ "role1", "role2", "role3" ] }, "Action": [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*" ], "Resource": "*" }

    The Service principal entry, shown as "Service": "logs.region.amazonaws.com" (where region is the Region of your log group), is required if you use the key to encrypt CloudWatch Logs.

  2. Ensure that the Amazon KMS key is set to ENABLED before it is used.

For more information about specifying permissions using Amazon KMS key policies, see Using key policies in Amazon KMS.

Creating a route to Amazon KMS for VPC jobs

You can connect directly to Amazon KMS through a private endpoint in your virtual private cloud (VPC) instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and Amazon KMS is conducted entirely within the Amazon network.

You can create an Amazon KMS VPC endpoint within a VPC. Without this step, your DataBrew jobs might fail with a KMS timeout. For detailed instructions, see Connecting to Amazon KMS Through a VPC Endpoint in the Amazon Key Management Service Developer Guide.

As you follow these instructions, on the VPC console, make sure to do the following:

  • Choose Enable Private DNS name.

  • For Security group, choose the security group (including a self-referencing rule) that you use for your DataBrew job that accesses Java Database Connectivity (JDBC).

When you run a DataBrew job that accesses JDBC data stores, DataBrew must have a route to the Amazon KMS endpoint. You can provide the route with a network address translation (NAT) gateway or with an Amazon KMS VPC endpoint. To create a NAT gateway, see NAT Gateways in the Amazon VPC User Guide.

Setting up encryption with Amazon KMS keys

When you enable encryption on a job, it applies to both the Amazon S3 target and the CloudWatch Logs output. The IAM role that is passed to the job must have the following Amazon KMS permissions on the key.

{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "kms:GenerateDataKey*" ], "Resource": "arn:aws:kms:region:account-id:key/key-id" } }

For more information, see the following topics in the Amazon Simple Storage Service User Guide: