Table: aws_glue_security_configuration - Query AWS Glue Security Configurations using SQL
The AWS Glue Security Configuration is a feature within AWS Glue service that allows you to specify the security settings that are used for Glue ETL jobs. This includes settings for data encryption, Amazon CloudWatch Logs encryption, and job bookmark encryption. It helps in maintaining the security and privacy of your data during the ETL (extract, transform, and load) process.
Table Usage Guide
The aws_glue_security_configuration
table in Steampipe provides you with information about security configurations within AWS Glue. This table allows you, as a DevOps engineer, to query security configuration-specific details, including encryption settings, CloudWatch encryption settings, Job Bookmarks encryption settings, and S3 encryption settings. You can utilize this table to gather insights on security configurations, such as the status of encryption settings, the type of encryption used, and more. The schema outlines the various attributes of the Glue security configuration for you, including the name, creation time, and encryption settings.
Examples
Basic info
Explore the security configurations of your AWS Glue service to assess the encryption status of different components such as Cloud Watch, job bookmarks, and S3. This can be useful in maintaining data security and compliance by ensuring appropriate encryption is in place.
select name, created_time_stamp, cloud_watch_encryption, job_bookmarks_encryption, s3_encryptionfrom aws_glue_security_configuration;
select name, created_time_stamp, cloud_watch_encryption, job_bookmarks_encryption, s3_encryptionfrom aws_glue_security_configuration;
List cloud watch encryption details
Explore the encryption details of your CloudWatch logs to ensure data security. This is particularly useful for identifying instances where encryption has not been disabled, thereby providing an additional layer of security for your data.
select name, cloud_watch_encryption ->> 'CloudWatchEncryptionMode' as encyption_mode, cloud_watch_encryption ->> 'KmsKeyArn' as kms_key_arnfrom aws_glue_security_configurationwhere cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED';
select name, json_extract( cloud_watch_encryption, '$.CloudWatchEncryptionMode' ) as encyption_mode, json_extract(cloud_watch_encryption, '$.KmsKeyArn') as kms_key_arnfrom aws_glue_security_configurationwhere json_extract( cloud_watch_encryption, '$.CloudWatchEncryptionMode' ) != 'DISABLED';
List job bookmarks encryption details
Explore the encryption status of job bookmarks in AWS Glue Security Configurations, focusing on those with active encryption modes. This can be useful for maintaining data security and compliance by ensuring sensitive information is properly encrypted.
select name, job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' as encyption_mode, job_bookmarks_encryption ->> 'KmsKeyArn' as kms_key_arnfrom aws_glue_security_configurationwhere job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED';
select name, json_extract( job_bookmarks_encryption, '$.JobBookmarksEncryptionMode' ) as encyption_mode, json_extract(job_bookmarks_encryption, '$.KmsKeyArn') as kms_key_arnfrom aws_glue_security_configurationwhere json_extract( job_bookmarks_encryption, '$.JobBookmarksEncryptionMode' ) != 'DISABLED';
List s3 encryption details
Discover the segments that are using encryption within your AWS S3 storage. This is useful for maintaining security standards and ensuring sensitive data is properly protected.
select name, e ->> 'S3EncryptionMode' as encyption_mode, e ->> 'KmsKeyArn' as kms_key_arnfrom aws_glue_security_configuration, jsonb_array_elements(s3_encryption) ewhere e ->> 'S3EncryptionMode' != 'DISABLED';
select name, json_extract(e.value, '$.S3EncryptionMode') as encyption_mode, json_extract(e.value, '$.KmsKeyArn') as kms_key_arnfrom aws_glue_security_configuration, json_each(s3_encryption) as ewhere json_extract(e.value, '$.S3EncryptionMode') != 'DISABLED';
Schema for aws_glue_security_configuration
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
cloud_watch_encryption | jsonb | The encryption configuration for Amazon CloudWatch. | |
created_time_stamp | timestamp with time zone | The time at which this security configuration was created. | |
job_bookmarks_encryption | jsonb | The encryption configuration for job bookmarks. | |
name | text | = | The name of the security configuration. |
partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
region | text | The AWS Region in which the resource is located. | |
s3_encryption | jsonb | The encryption configuration for Amazon Simple Storage Service (Amazon S3) data. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
title | text | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config
argument:
steampipe_export_aws --config '<your_config>' aws_glue_security_configuration