Best practices

Glue Data Catalogs data-at-rest encryption without KMS CMKs

Risk Level

Informational (4)

Compliance Frameworks


Glue Data Catalogs are using a default encryption key (provided and managed by AWS) instead of customer master keys (CMKs). Only CMKs give you the ability to fully manage your encryption keys, this includes policies, encryption rotation, access, tags and more.
  • Recommended Mitigation

    To maintain exclusive control over the encryption of your data catalogs, define and use your own CMK.