Working with Data Catalog settings on the Amazon Glue console

The Data Catalog settings page contains options to set properties for the Data Catalog in your account.

To change the fine-grained access control of the Data Catalog

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Glue console at

  2. Choose Settings, and then in the Permissions editor, add the policy statement to change fine-grained access control of the Data Catalog for your account. Only one policy at a time can be attached to a Data Catalog.

  3. Choose Save to update your Data Catalog with any changes you made.

You can also use Amazon Glue API operations to put, get, and delete resource policies. For more information, see Security APIs in Amazon Glue.

The Settings page displays the following options:

Metadata encryption

Select this check box to encrypt the metadata in your Data Catalog. Metadata is encrypted at rest using the Amazon Key Management Service (Amazon KMS) key that you specify.


Amazon Glue supports only symmetric customer master keys (CMKs). The Amazon KMS key list displays only symmetric keys. However, if you select Choose a Amazon KMS key ARN, the console lets you enter an ARN for any key type. Ensure that you enter only ARNs for symmetric keys.

Encrypt connection passwords

Select this check box to encrypt passwords in the Amazon Glue connection object when the connection is created or updated. Passwords are encrypted using the Amazon KMS key that you specify. When passwords are returned, they are encrypted. This option is a global setting for all Amazon Glue connections in the Data Catalog. If you clear this check box, previously encrypted passwords remain encrypted using the key that was used when they were created or updated. For more information about Amazon Glue connections, see Defining connections in the Amazon Glue Data Catalog.

When you enable this option, choose an Amazon KMS key, or choose Enter a key ARN and provide the Amazon Resource Name (ARN) for the key. Enter the ARN in the form arn:aws:kms:region:account-id:key/key-id. You can also provide the ARN as a key alias, such as arn:aws:kms:region:account-id:alias/alias-name.


If this option is selected, any user or role that creates or updates a connection must have kms:Encrypt permission on the specified KMS key.
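The two encryption options above can also be set through the API, where nothing filters the key list for you. The following added example (not code from the Amazon Glue documentation) validates the ARN form and rejects non-symmetric keys before building the PutDataCatalogEncryptionSettings payload. The function names, the acceptance of partitions other than `aws`, and the sample ARNs are assumptions made for this illustration.

```python
import re

# ARN forms given on the page: ...:key/key-id or ...:alias/alias-name.
# Assumption: any "aws*" partition (aws, aws-cn, ...) is accepted.
KMS_ARN = re.compile(
    r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:(key|alias)/[A-Za-z0-9/_-]+$")

def check_key(arn, describe):
    """Raise ValueError unless arn is well formed and names a symmetric key.

    describe(arn) must return the KeyMetadata dict of KMS DescribeKey.
    """
    if not KMS_ARN.match(arn):
        raise ValueError(f"not a KMS key or alias ARN: {arn!r}")
    meta = describe(arn)
    # CustomerMasterKeySpec is the deprecated name for KeySpec.
    spec = meta.get("KeySpec") or meta.get("CustomerMasterKeySpec")
    if spec != "SYMMETRIC_DEFAULT" or meta.get("KeyUsage") != "ENCRYPT_DECRYPT":
        raise ValueError(f"{arn} is not a symmetric encryption key ({spec})")
    return arn

def build_settings(metadata_arn, password_arn, describe):
    """Payload for Glue PutDataCatalogEncryptionSettings with both options on."""
    return {
        "EncryptionAtRest": {
            "CatalogEncryptionMode": "SSE-KMS",
            "SseAwsKmsKeyId": check_key(metadata_arn, describe),
        },
        "ConnectionPasswordEncryption": {
            "ReturnConnectionPasswordEncrypted": True,
            "AwsKmsKeyId": check_key(password_arn, describe),
        },
    }

def apply_settings(metadata_arn, password_arn, region):
    """Live path: needs boto3, credentials and network access."""
    import boto3
    kms = boto3.client("kms", region_name=region)
    glue = boto3.client("glue", region_name=region)
    describe = lambda arn: kms.describe_key(KeyId=arn)["KeyMetadata"]
    glue.put_data_catalog_encryption_settings(
        DataCatalogEncryptionSettings=build_settings(metadata_arn, password_arn, describe))

# Constructed sample data (not real keys) standing in for DescribeKey output.
SYM = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
RSA = "arn:aws:kms:us-east-1:111122223333:alias/constructed-rsa-key"
SAMPLE = {
    SYM: {"KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT"},
    RSA: {"KeySpec": "RSA_2048", "KeyUsage": "ENCRYPT_DECRYPT"},
}

if __name__ == "__main__":
    print(build_settings(SYM, SYM, SAMPLE.__getitem__))
```

`build_settings` runs offline against the constructed `SAMPLE` table; `apply_settings` performs the same check against live DescribeKey output before writing the settings.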


Add a resource policy to define fine-grained access control of the Data Catalog. You can paste a JSON resource policy into this control. For more information, see Resource policies.