Glue.3: Glue ML transforms should be encrypted at rest
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Glue.3 check?
Glue.3 inspects each AWS::Glue::MLTransform resource and fails when the TransformEncryption block is absent or its MlUserDataEncryptionMode is DISABLED — i.e. the transform's stored user data (labels, training data) is in cleartext. Encryption is not on by default; you have to attach a TransformEncryption configuration pointing at a KMS key when the transform is created.
Why does Glue.3 matter?
A Glue ML transform (most commonly FindMatches) trains on your own records, and the labelling set is literally hand-picked examples of customers, accounts, or records you want to match — names, emails, identifiers. People encrypt the S3 buckets and the Data Catalog and then forget the transform, leaving a confidential dataset unencrypted in the one place nobody thinks to look.
How do I fix Glue.3?
- Run get-ml-transforms across regions and record each MlUserDataEncryptionMode; anything reporting None/DISABLED or a null config fails.
- Recreate each failing transform with create-ml-transform and a TransformEncryption block using SSE-KMS — encryption is an immutable create-time property, so there is no in-place edit.
- Re-import labels with start-import-labels-task-run, retrain so match quality carries over, repoint consuming jobs at the new ARN, then delete the old transform.
- Grant the Glue role kms:GenerateDataKey/Decrypt/Encrypt on the key, and enable the AWS Config rule glue-ml-transform-encrypted-at-rest.
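The audit and recreate steps above, as an added example that is not part of the original page or any AWS tooling: it evaluates get-ml-transforms output the way Glue.3 does (TransformEncryption absent or mode not SSE-KMS fails) and builds the create-ml-transform request for the encrypted replacement. The sample response, role ARN, table names and KMS key ARN are constructed placeholders.

```python
import json

# Constructed sample shaped like a get-ml-transforms response (not real account data).
SAMPLE_RESPONSE = {"Transforms": [
    {"TransformId": "tfm-0001", "Name": "match-customers", "GlueVersion": "2.0",
     "Role": "arn:aws:iam::111122223333:role/GlueMLRole",
     "InputRecordTables": [{"DatabaseName": "crm", "TableName": "customers"}],
     "Parameters": {"TransformType": "FIND_MATCHES",
                    "FindMatchesParameters": {"PrimaryKeyColumnName": "customer_id"}},
     "TransformEncryption": {"MlUserDataEncryption": {"MlUserDataEncryptionMode": "DISABLED"}}},
    {"TransformId": "tfm-0002", "Name": "match-accounts", "GlueVersion": "2.0",
     "Role": "arn:aws:iam::111122223333:role/GlueMLRole",
     "InputRecordTables": [{"DatabaseName": "crm", "TableName": "accounts"}],
     "Parameters": {"TransformType": "FIND_MATCHES",
                    "FindMatchesParameters": {"PrimaryKeyColumnName": "account_id"}}},
    {"TransformId": "tfm-0003", "Name": "match-vendors", "GlueVersion": "2.0",
     "Role": "arn:aws:iam::111122223333:role/GlueMLRole",
     "Parameters": {"TransformType": "FIND_MATCHES",
                    "FindMatchesParameters": {"PrimaryKeyColumnName": "vendor_id"}},
     "TransformEncryption": {"MlUserDataEncryption": {"MlUserDataEncryptionMode": "SSE-KMS",
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}},
]}

# Fields create-ml-transform accepts that the old transform carries over unchanged.
CARRY_OVER = ("Description", "Role", "GlueVersion", "InputRecordTables", "Parameters",
              "MaxCapacity", "WorkerType", "NumberOfWorkers", "Timeout", "MaxRetries")

def encryption_mode(transform):
    """MlUserDataEncryptionMode of a transform, or None when the block is absent."""
    enc = transform.get("TransformEncryption") or {}
    return (enc.get("MlUserDataEncryption") or {}).get("MlUserDataEncryptionMode")

def glue3_failing(response):
    """Names of transforms Glue.3 flags: mode missing or DISABLED."""
    return [t["Name"] for t in response["Transforms"] if encryption_mode(t) != "SSE-KMS"]

def replacement_request(transform, kms_key_arn):
    """create-ml-transform input for the encrypted replacement: encryption is fixed at
    create time, so the old transform's settings are copied and SSE-KMS is added."""
    req = {k: transform[k] for k in CARRY_OVER if k in transform}
    req["Name"] = transform["Name"] + "-enc"  # consumers get repointed to the new ARN
    req["TransformEncryption"] = {"MlUserDataEncryption": {
        "MlUserDataEncryptionMode": "SSE-KMS", "KmsKeyId": kms_key_arn}}
    return req

if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:111122223333:key/REPLACE-WITH-YOUR-KEY"  # placeholder
    for t in SAMPLE_RESPONSE["Transforms"]:
        if t["Name"] in glue3_failing(SAMPLE_RESPONSE):
            print(json.dumps(replacement_request(t, key), indent=2))
```

Save the printed JSON to a file and pass it with aws glue create-ml-transform --cli-input-json file://req.json; label import, retraining and repointing consumers are still the separate steps listed above.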
Remediation script · bash

```bash
# 1. Bulk-enable free SSE-SQS on every queue in the region that has neither a KMS key
#    nor SQS-managed SSE.
for q in $(aws sqs list-queues --query 'QueueUrls[]' --output text); do
  state=$(aws sqs get-queue-attributes --queue-url "$q" \
    --attribute-names KmsMasterKeyId SqsManagedSseEnabled \
    --query '[Attributes.KmsMasterKeyId, Attributes.SqsManagedSseEnabled]' --output text)
  # Text output is "<key-arn-or-None> <true|false>"; a KMS key or "true" means already encrypted.
  case "$state" in
    None*true) ;;
    None*) aws sqs set-queue-attributes --queue-url "$q" \
             --attributes '{"SqsManagedSseEnabled":"true"}' && echo "encrypted $q" ;;
  esac
done

# 2. High-throughput stream: SSE-KMS (Kinesis reuses the data key for ~5 minutes, keeping KMS cost flat).
aws kinesis start-stream-encryption --stream-name payment-events \
  --encryption-type KMS \
  --key-id arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

# 3. Find unencrypted recovery points (Backup.1 reads IsEncrypted per recovery point, not per vault).
aws backup list-recovery-points-by-backup-vault --backup-vault-name prod-backups \
  --query 'RecoveryPoints[?IsEncrypted==`false`].[RecoveryPointArn,ResourceType]' --output table

# 4. Confirm an at-rest Config rule is evaluating so regressions are caught automatically.
aws configservice describe-compliance-by-config-rule --config-rule-names sqs-queue-encrypted \
  --query 'ComplianceByConfigRules[].Compliance.ComplianceType'
```

A full walkthrough (console steps, edge cases and verification) is in the lesson Encrypt other services at rest (queues, streams, logs, ML).
Is Glue.3 a false positive?
There is no API to enable encryption on an existing transform — update-ml-transform does not accept TransformEncryption. Plan remediation as a full replace-and-migrate operation, never a config tweak, or the finding will not clear.