Posted On: Feb 8, 2024
AWS Glue Data Catalog now supports delegating encryption permissions to an IAM role. Customers can configure an IAM role with Glue Data Catalog to manage KMS key permissions on behalf of calling users. Delegating the configured IAM role simplifies the management of the KMS key permissions used to encrypt the Glue Data Catalog and reduces the number of grants needed to allow users to access their catalog.
Customers use Glue Data Catalog as their central repository of metadata to power engines like Amazon Athena, Amazon EMR, AWS Glue, and Amazon Redshift. To protect their metadata, customers can encrypt their catalog. When encrypted, consumers of Glue Data Catalog resources require KMS key permissions to access resources such as databases, and tables, including those shared across accounts. To help simplify the management of KMS key permissions, customers can now register an IAM role with the Glue Data Catalog that will be responsible to encrypt and decrypt catalog resources on behalf of calling users; greatly reducing the management of permissions to KMS keys from multiple IAM principals and AWS accounts to a single role.
This feature is generally available in all commercial regions where AWS Glue Data Catalog is available. For more information, refer to our public documentation.