Avoid using multiple keys in Glue catalog encryption

0

Hi, I changed the key in the Glue catalog setting to a customer-managed key. But when I run the Athena query, in CloudTrail I can see there are some decrypt events related to the new key (customer-managed key) and some of them related to the old key (AWS-managed key). I have not changed the bucket encryption type yet (it is SSE-S3). First question: why does it happen? Second question: is there any way to re-encrypt the Glue catalog to avoid using multiple keys? Thank you

gh02
asked 4 months ago, 237 views
2 Answers
1
Accepted Answer

Yes, that would mean that the old KMS key is used to decrypt the data related to your Glue catalog that were encrypted earlier with the old KMS key. When you switched Glue to use the new KMS key, it started to use it to encrypt all data it has been writing since the change, while all previously encrypted data remains encrypted with the old key.

EXPERT
Leo K
answered 4 months ago
EXPERT
reviewed 4 months ago
  • So you're saying that if the query is for data encrypted with the new key, we won't see decrypt events with the old key for glue anymore?

  • Yes, correct. As soon as you've configured Glue, S3, or another resource to use a new KMS key, only the new one will be used to encrypt new or modified data.

  • You said that "all previously encrypted data remains encrypted with the old key". So how can we access this old data in the consumer account? Do we need to re-create the tables?

  • I had the same issue. For me updating the table description after switching the encryption to a customer managed key was sufficient to get the metadata encrypted with the new key.

0

In the CloudTrail event's requestParameters field you can see the context in which request was made. If you're using the KMS key for SSE-KMS encryption, the encryptionContext field inside requestParameters will show either the ARN of the bucket (if the KMS key is used for bucket key encryption) or the object being decrypted (if bucket keys aren't used).

EXPERT
Leo K
answered 4 months ago
  • I was confused about one thing! My understanding is that even if we use SSE-S3 in S3 and use an AWS-managed key in Glue, we need to pay for decrypt requests. Because if we refer to AWS KMS pricing: "While you are not charged for creation and storage of AWS-managed keys, you will be charged on any API request made to AWS-managed keys." So, the price would be the same as before, for decryption and also encryption requests! (The price would be different in terms of $1 per key per month and rotation cost.) Am I correct?

  • Your summary of the pricing is correct. API calls to KMS are charged either way, and the only cost difference between AWS-managed and customer-managed keys is the fixed $1/mo per key + $1/mo per time the key has ever been rotated for the first two rotations.
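Applying the answer above about the CloudTrail requestParameters field, as an added example that is not part of the original thread or any AWS code: this Python groups kms:Decrypt records by key ARN and labels each encryptionContext as bucket-key, object, or non-S3, so it is visible which key is still being used and by which service. The sample records, key ARNs, account id and the Glue-side context value are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample CloudTrail records, not real events; key ARNs, account id
# and the Glue-side encryption context are placeholders.
OLD_KEY = "arn:aws:kms:us-east-1:111111111111:key/OLD-AWS-MANAGED-PLACEHOLDER"
NEW_KEY = "arn:aws:kms:us-east-1:111111111111:key/NEW-CUSTOMER-MANAGED-PLACEHOLDER"

def _decrypt_event(key_arn, invoked_by, context):
    """Minimal kms:Decrypt record in the shape CloudTrail writes."""
    return {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
            "userIdentity": {"invokedBy": invoked_by},
            "requestParameters": {"encryptionContext": context},
            "resources": [{"type": "AWS::KMS::Key", "ARN": key_arn}]}

SAMPLE_EVENTS = [
    # Catalog metadata rewritten after the key change vs. metadata never touched since.
    _decrypt_event(NEW_KEY, "glue.amazonaws.com", {"placeholder": "catalog-metadata"}),
    _decrypt_event(OLD_KEY, "glue.amazonaws.com", {"placeholder": "catalog-metadata"}),
    # SSE-KMS reads: bucket ARN when S3 Bucket Keys are on, object ARN when off.
    _decrypt_event(NEW_KEY, "athena.amazonaws.com", {"aws:s3:arn": "arn:aws:s3:::example-bucket"}),
    _decrypt_event(NEW_KEY, "athena.amazonaws.com",
                   {"aws:s3:arn": "arn:aws:s3:::example-bucket/data/part-0.parquet"}),
]

def classify_context(context):
    """Name what an encryptionContext refers to, following the answer above."""
    s3_arn = context.get("aws:s3:arn")
    if s3_arn is None:
        return "non-s3"
    return "s3-object" if "/" in s3_arn.split(":::", 1)[1] else "s3-bucket-key"

def summarize_decrypts(records):
    """Per KMS key: number of Decrypt calls, calling services, and context types."""
    by_key = defaultdict(lambda: {"calls": 0, "callers": set(), "targets": set()})
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") != "Decrypt":
            continue
        ctx = rec.get("requestParameters", {}).get("encryptionContext", {})
        for res in rec.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                entry = by_key[res["ARN"]]
                entry["calls"] += 1
                entry["callers"].add(rec.get("userIdentity", {}).get("invokedBy", "unknown"))
                entry["targets"].add(classify_context(ctx))
    return dict(by_key)

def keys_still_in_use(records):
    """More than one ARN here means ciphertext under the old key is still being read."""
    return sorted(summarize_decrypts(records))
```

Running it over a real trail export (after `json.load`, use the `Records` list) shows which key the remaining old-key decrypts belong to and whether they come from Glue or from S3 reads.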
