Encrypting your Data Catalog - Amazon Glue
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Encrypting your Data Catalog

You can turn on encryption of your Amazon Glue Data Catalog objects in the Settings of the Data Catalog on the Amazon Glue console. You can turn on or turn off encryption settings for the entire Data Catalog. In the process, you specify an Amazon KMS key that is automatically used when objects, such as tables, are written to the Data Catalog. The encrypted objects include the following:

  • Databases

  • Tables

  • Partitions

  • Table versions

  • Connections

  • User-defined functions

You can set this behavior using the Amazon Web Services Management Console or Amazon Command Line Interface (Amazon CLI).

To turn on encryption using the console

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Glue console at https://console.amazonaws.cn/glue/.

  2. Choose Settings in the navigation pane.

  3. On the Data catalog settings page, select Metadata encryption, and choose an Amazon KMS key.


    Amazon Glue supports only symmetric customer master keys (CMKs). The Amazon KMS key list displays only symmetric keys. However, if you select Choose a Amazon KMS key ARN, the console lets you enter an ARN for any key type. Ensure that you enter only ARNs for symmetric keys.

When encryption is turned on, all future Data Catalog objects are encrypted. The default key is the Amazon Glue Amazon KMS key that is created for your account by Amazon. If you clear this setting, objects are no longer encrypted when they are written to the Data Catalog. Any encrypted objects in the Data Catalog can continue to be accessed with the key.

To turn on encryption using the SDK or Amazon CLI

  • Use the PutDataCatalogEncryptionSettings API operation. If no key is specified, the default Amazon Glue encryption key for the customer account is used.


The Amazon KMS key must remain available in the Amazon KMS key store for any objects that are encrypted with it in the Data Catalog. If you remove the key, the objects can no longer be decrypted. You might want this in some scenarios to prevent access to Data Catalog metadata.

When encryption is turned on, the client that is accessing the Data Catalog must have the following Amazon KMS permissions in its policy:

  • kms:Decrypt

  • kms:Encrypt

  • kms:GenerateDataKey

For example, when you define a crawler or a job, the IAM role that you provide in the definition must have these Amazon KMS permissions.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey" ], "Resource": "ARN-of-key-used-to-encrypt-data-catalog" } ] }