Encryption at rest - Amazon Glue
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Encryption at rest

Amazon Glue supports data encryption at rest for Building visual ETL jobs with Amazon Glue Studio and Developing scripts using development endpoints. You can configure extract, transform, and load (ETL) jobs and development endpoints to use Amazon Key Management Service (Amazon KMS) keys to write encrypted data at rest. You can also encrypt the metadata stored in the Amazon Glue Data Catalog using keys that you manage with Amazon KMS. Additionally, you can use Amazon KMS keys to encrypt job bookmarks and the logs generated by crawlers and ETL jobs.

You can encrypt metadata objects in your Amazon Glue Data Catalog in addition to the data written to Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs by jobs, crawlers, and development endpoints. When you create jobs, crawlers, and development endpoints in Amazon Glue, you can provide encryption settings by attaching a security configuration. Security configurations contain Amazon S3-managed server-side encryption keys (SSE-S3) or customer master keys (CMKs) stored in Amazon KMS (SSE-KMS). You can create security configurations using the Amazon Glue console.

You can also turn on encryption of the entire Data Catalog in your account. You do so by specifying CMKs stored in Amazon KMS.


Amazon Glue supports only symmetric customer managed keys. For more information, see Customer Managed Keys (CMKs) in the Amazon Key Management Service Developer Guide.

With encryption turned on, when you add Data Catalog objects, run crawlers, run jobs, or start development endpoints, SSE-S3 or SSE-KMS keys are used to write data at rest. In addition, you can configure Amazon Glue to only access Java Database Connectivity (JDBC) data stores through a trusted Transport Layer Security (TLS) protocol.

In Amazon Glue, you control encryption settings in the following places:

  • The settings of your Data Catalog.

  • The security configurations that you create.

  • The server-side encryption setting (SSE-S3 or SSE-KMS) that is passed as a parameter to your Amazon Glue ETL (extract, transform, and load) job.

For more information about how to set up encryption, see Setting up encryption in Amazon Glue.