Compliance Medium severity

AWS Security Hub · Glue

Glue.4: Glue Spark jobs on supported versions

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Glue.4 check?

Glue.4 flags any Glue for Spark job whose GlueVersion is earlier than 3.0, the documented minimum supported version. It also fails a job where GlueVersion is null or missing, annotating the finding accordingly. The backing rule glue-spark-job-supported-version has a non-customisable minimum of 3.0.

Why does Glue.4 matter?

An old engine version is a triple liability: it misses security patches in Spark, the JVM, and bundled libraries (mapping to NIST patch-management controls); it runs on a slower runtime that burns more DPU-hours for the same work; and it accumulates migration risk, since the longer a job sits on Glue 0.9 or 2.0 the more painful the eventual forced upgrade when AWS retires that runtime.

How do I fix Glue.4?

  1. Pull every Glue job with its GlueVersion across all regions and accounts; flag anything below 3.0 and any null/missing value.
  2. Clone the job, set GlueVersion to a supported target (4.0 at the time of writing), and run it against representative data to diff output before touching production.
  3. Update the live job with update-job — note it replaces the entire definition, so include all existing properties — and confirm the finding clears.
  4. Add an SCP or AWS Config rule to flag or block creation of jobs below your minimum version.
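The check in "What does Glue.4 check?" and steps 1 to 3 above, worked as one script. This is an added example, not Emnode's or AWS's code. It assumes that "Glue for Spark" means jobs whose Command.Name is glueetl or gluestreaming (Python shell and Ray jobs are out of scope), that a missing or unparsable GlueVersion fails, and that the target is 4.0. Because update-job replaces the whole definition, the script carries every property of the existing job over and only drops the read-only fields that get_jobs returns but JobUpdate rejects. It also handles two constraints a practitioner hits when jumping from 0.9/1.0: Glue 2.0 and later Spark jobs take WorkerType/NumberOfWorkers instead of MaxCapacity, and Glue 3.0 and later run Python 3 only. The worker mapping (G.1X, one DPU per worker) is an assumption. The sample jobs are constructed to look like get_jobs output; the real-account path runs only when you call main().

```python
"""Glue.4: find Spark jobs below the minimum GlueVersion and build the
update_job payload that moves them to a supported version (added example)."""
import sys
from typing import Optional

MIN_SUPPORTED = (3, 0)                       # Glue.4's non-customisable floor
SPARK_COMMANDS = {"glueetl", "gluestreaming"}  # assumption: what "Glue for Spark" covers
# Returned by get_jobs but not accepted by update_job's JobUpdate.
READ_ONLY_FIELDS = {"Name", "CreatedOn", "LastModifiedOn", "ProfileName"}


def parse_glue_version(value: Optional[str]) -> Optional[tuple]:
    """'4.0' -> (4, 0); None, empty or garbage -> None (treated as failing)."""
    if not value:
        return None
    try:
        return tuple(int(p) for p in value.strip().split("."))
    except ValueError:
        return None


def is_spark_job(job: dict) -> bool:
    return job.get("Command", {}).get("Name") in SPARK_COMMANDS


def glue4_status(job: dict, minimum=MIN_SUPPORTED) -> Optional[str]:
    """None if out of scope, 'PASSED', or 'FAILED: <reason>' (mirrors the finding annotation)."""
    if not is_spark_job(job):
        return None
    ver = parse_glue_version(job.get("GlueVersion"))
    if ver is None:
        return "FAILED: GlueVersion missing or unparsable"
    if ver < minimum:  # tuple compare: (0, 9) < (3, 0), (2, 0) < (3, 0)
        return f"FAILED: GlueVersion {job['GlueVersion']} < {'.'.join(map(str, minimum))}"
    return "PASSED"


def find_noncompliant(jobs: list, minimum=MIN_SUPPORTED) -> list:
    """Step 1: (name, reason) for every in-scope job that fails."""
    return [(j["Name"], s) for j in jobs
            if (s := glue4_status(j, minimum)) and s.startswith("FAILED")]


def build_job_update(job: dict, target: str = "4.0") -> dict:
    """Step 3: JobUpdate body for glue.update_job. The call replaces the whole
    definition, so every existing property is carried over; the input dict is not mutated."""
    update = {k: v for k, v in job.items() if k not in READ_ONLY_FIELDS}
    update["GlueVersion"] = target
    # Glue 2.0+ Spark jobs: WorkerType/NumberOfWorkers replace MaxCapacity/AllocatedCapacity.
    cap = update.pop("MaxCapacity", None)
    update.pop("AllocatedCapacity", None)
    if "WorkerType" not in update:
        update["WorkerType"] = "G.1X"              # assumption: 1 DPU per worker keeps old sizing
        update["NumberOfWorkers"] = max(2, int(cap or 2))
    # Glue 3.0+ runs Python 3 only; old 0.9/1.0 jobs may still say "2".
    cmd = dict(update.get("Command", {}))
    cmd["PythonVersion"] = "3"
    update["Command"] = cmd
    return update


# Constructed sample shaped like glue.get_jobs()["Jobs"]; not real jobs.
SAMPLE_JOBS = [
    {"Name": "legacy-etl", "Role": "arn:aws:iam::123456789012:role/glue-role",
     "Command": {"Name": "glueetl", "ScriptLocation": "s3://example-bucket/legacy.py",
                 "PythonVersion": "2"},
     "GlueVersion": "1.0", "MaxCapacity": 10.0,
     "DefaultArguments": {"--job-language": "python"}, "CreatedOn": "2019-01-01"},
    {"Name": "no-version", "Role": "arn:aws:iam::123456789012:role/glue-role",
     "Command": {"Name": "glueetl", "ScriptLocation": "s3://example-bucket/old.py"},
     "MaxCapacity": 2.0},
    {"Name": "current-etl", "Role": "arn:aws:iam::123456789012:role/glue-role",
     "Command": {"Name": "glueetl", "ScriptLocation": "s3://example-bucket/new.py",
                 "PythonVersion": "3"},
     "GlueVersion": "4.0", "WorkerType": "G.1X", "NumberOfWorkers": 5},
    {"Name": "shell-job", "Role": "arn:aws:iam::123456789012:role/glue-role",
     "Command": {"Name": "pythonshell", "ScriptLocation": "s3://example-bucket/shell.py"},
     "GlueVersion": "1.0"},  # out of scope: not a Spark job
]


def main(target: str = "4.0", apply: bool = False) -> None:
    """Run against the current account in every Glue region; pass --apply to update.
    Loop over profiles or assumed roles yourself for multiple accounts."""
    import boto3  # imported here so the pure functions above work offline
    session = boto3.Session()
    for region in session.get_available_regions("glue"):
        glue = session.client("glue", region_name=region)
        jobs = [j for page in glue.get_paginator("get_jobs").paginate() for j in page["Jobs"]]
        for name, reason in find_noncompliant(jobs):
            print(f"{region}\t{name}\t{reason}")
            if apply:
                job = next(j for j in jobs if j["Name"] == name)
                glue.update_job(JobName=name, JobUpdate=build_job_update(job, target))


if __name__ == "__main__":
    main(apply="--apply" in sys.argv)
```

Run it without --apply first and feed the flagged names into step 2 (clone and diff); only then rerun with --apply. Because update_job replaces the definition, diff build_job_update(job) against the original job before applying it, so a dropped property is caught in review rather than in production.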

Remediation script · bash (generic engine-upgrade examples from the lesson: RDS, Lambda and EKS, not Glue-specific)

# Enable auto minor version upgrade on every RDS instance that has it disabled.
for id in $(aws rds describe-db-instances \
    --query 'DBInstances[?AutoMinorVersionUpgrade==`false`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$id" \
    --auto-minor-version-upgrade --no-apply-immediately
done

# Move a deprecated Lambda function to a supported runtime.
aws lambda update-function-configuration --function-name auth-token-issuer \
  --runtime nodejs20.x

# Upgrade an out-of-support EKS control plane one minor version at a time (then catch up node groups).
aws eks update-cluster-version --name prod-payments --kubernetes-version 1.29

Full walkthrough (console steps, edge cases and verification) in the lesson Keep software and engines patched.

Is Glue.4 a false positive?

Rarely. The upgrade itself is usually a one-field metadata change to the job definition, but the runtime jump (Spark 2.4 to 3.x) can surface behavioural differences — stricter type handling, changed default time-zone behaviour, removed deprecated APIs. Two constraints can also make the update call itself fail on very old jobs: Glue 3.0 and later run Python 3 only, so a job still declaring PythonVersion 2 must be migrated, and Glue 2.0 and later Spark jobs take WorkerType and NumberOfWorkers rather than MaxCapacity. Bumping a production job blind risks silent output changes, so validate on a clone first.

Part of the learning path Build in resilience
  • Glue.3 Glue ML transforms should be encrypted at rest