@@ -187,6 +187,69 @@ RawStageTransformProcessPythonGlueJob:
187187 ExecutionProperty :
188188 MaxConcurrentRuns : 1
189189 MaxRetries : 0
190+ SecurityConfiguration : !Ref GlueSecurityConfig
190191 MaxCapacity : 1
191192 Name : !Sub ${Environment}-dap-raw-stage-transform-process
192193 Role : !Ref GlueScriptsExecutionRole
194+
195+ GlueSecurityConfig :
196+ Type : AWS::Glue::SecurityConfiguration
197+ Properties :
198+ Name : !Sub ${Environment}-dap-glue-security-configuration
199+ EncryptionConfiguration :
200+ CloudWatchEncryption :
201+ CloudWatchEncryptionMode : SSE-KMS
202+ KmsKeyArn : !GetAtt KmsKey.Arn
203+ JobBookmarksEncryption :
204+ JobBookmarksEncryptionMode : CSE-KMS
205+ KmsKeyArn : !GetAtt KmsKey.Arn
206+ S3Encryptions :
207+ - S3EncryptionMode : SSE-KMS
208+ KmsKeyArn : !GetAtt KmsKey.Arn
209+
210+ KmsKey :
211+ Type : AWS::KMS::Key
212+ Properties :
213+ EnableKeyRotation : true
214+ KeyPolicy :
215+ Version : ' 2012-10-17'
216+ Statement :
217+ - Effect : Allow
218+ Principal :
219+ AWS : !Sub arn:aws:iam::${AWS::AccountId}:root
220+ Action : kms:*
221+ Resource : ' *'
222+ - Effect : Allow
223+ Principal :
224+ Service :
225+ - cloudwatch.amazonaws.com
226+ - cloudtrail.amazonaws.com
227+ - lambda.amazonaws.com
228+ - s3.amazonaws.com
229+ - sns.amazonaws.com
230+ - sqs.amazonaws.com
231+ - logs.amazonaws.com
232+ - logs.eu-west-2.amazonaws.com
233+ - glue.amazonaws.com
234+ - redshift.amazonaws.com
235+ - redshift-serverless.amazonaws.com
236+ - chatbot.amazonaws.com
237+ - events.amazonaws.com
238+ AWS :
239+ - !GetAtt RawGlueCrawlerRole.Arn
240+ - !GetAtt StepFunctionRole.Arn
241+ - !GetAtt GlueScriptsExecutionRole.Arn
242+ - !GetAtt StepFunctionRedshiftProcessRole.Arn
243+ Action :
244+ - kms:Encrypt*
245+ - kms:Decrypt*
246+ - kms:ReEncrypt*
247+ - kms:GenerateDataKey*
248+ - kms:Describe*
249+ Resource : ' *'
250+
251+ KmsKeyAlias :
252+ Type : AWS::KMS::Alias
253+ Properties :
254+ AliasName : !Sub alias/${Environment}-dap-key
255+ TargetKeyId : !Ref KmsKey
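Review bot: The second key-policy statement of KmsKey (the `Effect: Allow` block that lists the service principals) grants `kms:Encrypt*`, `kms:Decrypt*`, `kms:ReEncrypt*`, `kms:GenerateDataKey*` and `kms:Describe*` on `Resource: '*'` to thirteen AWS service principals with no `Condition`, although the only consumers this hunk shows are the Glue security configuration and the four listed roles; an unconditioned service-principal grant is the confused-deputy shape that KMS condition keys exist to close, since the grant is not tied to this account. Trim the list to the principals the stack needs (glue and the logs principals are the ones the new GlueSecurityConfig requires) and scope the statement with `Condition: { StringEquals: { "kms:CallerAccount": !Ref AWS::AccountId } }`, keeping the IAM-role grants in a statement of their own. KmsKey also has no `DeletionPolicy: Retain` / `UpdateReplacePolicy: Retain`, so deleting the stack or replacing the resource schedules the key for deletion and every S3 object, log stream and job bookmark encrypted under it becomes unreadable. Finally, `Version: ' 2012-10-17'` and `Resource: ' *'` show a leading space inside the quotes; if that is in the template rather than a rendering artifact, the policy document is malformed and key creation fails.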