Best practices

Glue Data Catalog data-at-rest encryption without KMS CMKs

Risk Level

Informational (4)



Glue Data Catalog is using a default encryption key (provided and managed by AWS) instead of customer master keys (CMKs). Only CMKs give you the ability to fully manage your encryption keys, including policies, key rotation, access, tags and more.

Recommended Mitigation

To maintain exclusive control over the encryption of your data catalog, define and use your own CMK.
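
One way to test for this finding, as an added example that is not part of the original page: the function below classifies the response of Glue's GetDataCatalogEncryptionSettings call and uses the KeyManager field from kms:DescribeKey to tell an AWS managed key from a CMK. The status names, the helper names and the sample key ARNs are assumptions made for the illustration.

```python
# Added example: classify a Glue GetDataCatalogEncryptionSettings response.
AWS_GLUE_ALIAS = "alias/aws/glue"  # default AWS managed key for Glue


def classify_catalog_encryption(settings, key_manager_of):
    """Return (status, detail) for the catalog's encryption-at-rest settings.

    key_manager_of maps a key id/ARN to "AWS" or "CUSTOMER", i.e. the
    KeyMetadata.KeyManager field returned by kms:DescribeKey.
    """
    at_rest = settings.get("DataCatalogEncryptionSettings", {}).get("EncryptionAtRest", {})
    mode = at_rest.get("CatalogEncryptionMode", "DISABLED")
    key_id = at_rest.get("SseAwsKmsKeyId")
    if mode == "DISABLED":
        return "NOT_ENCRYPTED", "encryption at rest is disabled"
    if not key_id or key_id.endswith(AWS_GLUE_ALIAS):
        return "AWS_MANAGED_KEY", "default aws/glue key in use"
    # A key ARN alone does not reveal who manages the key; ask KMS.
    if key_manager_of(key_id) != "CUSTOMER":
        return "AWS_MANAGED_KEY", f"{key_id} is managed by AWS"
    return "CUSTOMER_MANAGED_KEY", f"encrypted with {key_id}"


def audit_live(region):
    """Run the check against a real account (needs boto3 and credentials)."""
    import boto3
    glue, kms = boto3.client("glue", region_name=region), boto3.client("kms", region_name=region)
    lookup = lambda k: kms.describe_key(KeyId=k)["KeyMetadata"]["KeyManager"]
    return classify_catalog_encryption(glue.get_data_catalog_encryption_settings(), lookup)


# Constructed sample data: key ARNs and account id are placeholders.
DEFAULT_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-DEFAULT"
OWN_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK"
SAMPLE_MANAGERS = {DEFAULT_KEY: "AWS", OWN_KEY: "CUSTOMER"}


def sample_settings(mode, key_id=None):
    at_rest = {"CatalogEncryptionMode": mode}
    if key_id:
        at_rest["SseAwsKmsKeyId"] = key_id
    return {"DataCatalogEncryptionSettings": {"EncryptionAtRest": at_rest}}


if __name__ == "__main__":
    for s in (sample_settings("DISABLED"), sample_settings("SSE-KMS", DEFAULT_KEY),
              sample_settings("SSE-KMS", OWN_KEY)):
        print(classify_catalog_encryption(s, SAMPLE_MANAGERS.get))
```

Only the CUSTOMER_MANAGED_KEY status clears this finding; audit_live needs glue:GetDataCatalogEncryptionSettings and kms:DescribeKey permissions in the region being checked.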