5
votes

In our on-premises environment, JSON is generated for loan data and encrypted using a core crypto jar. This encrypted JSON is saved into MySQL tables, and the same core crypto jar is called from Java to decrypt the same JSON value. Now we have decided to use a Glue service for ETL purposes. Can anyone help me here to call the core crypto jar when the data from the encrypted JSON exists during the Glue execution?

How can we handle the above process in an AWS Glue ETL job?

2
I have not used crypto specifically, but custom jars in AWS Glue can be used by including your jar on the Dependent jars path. You are also able to bring your own script by following this guide here: docs.aws.amazon.com/glue/latest/dg/console-custom-created.html - Eman

2 Answers

1
votes

You may need to use a custom script.

https://docs.aws.amazon.com/glue/latest/dg/console-custom-created.html

You can specify the jars that your script is dependent upon:

Dependent jars path: Comma-separated Amazon S3 paths to JAR files that are required by the script. Note: Currently, only pure Java or Scala (2.11) libraries can be used.

Then create a Glue job as described here:

https://docs.aws.amazon.com/glue/latest/dg/add-job.html
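
An added example, not part of the answer above or of the AWS documentation: a Glue Scala script that calls a Java decryption class from a jar listed under Dependent jars path, inside a Spark UDF so it runs on the executors. The class `com.example.corecrypto.CoreCrypto`, its `decrypt(String)` method, the column names and the job parameters are assumptions standing in for the real jar and schema.

```scala
import com.amazonaws.services.glue.{DynamicFrame, GlueContext}
import com.amazonaws.services.glue.util.{GlueArgParser, Job, JsonOptions}
import org.apache.spark.SparkContext
import org.apache.spark.sql.functions.{col, udf}
import scala.collection.JavaConverters._
import scala.util.Try

object GlueApp {
  def main(sysArgs: Array[String]): Unit = {
    val glueContext = new GlueContext(new SparkContext())
    // Job parameter names below are assumptions for this example.
    val args = GlueArgParser.getResolvedOptions(
      sysArgs, Array("JOB_NAME", "source_db", "source_table", "output_path"))
    Job.init(args("JOB_NAME"), glueContext, args.asJava)

    // Hypothetical entry point of the crypto jar; replace with the real
    // class and method. A null input or a decryption error yields null,
    // so one bad row does not abort the task and plaintext is never logged.
    val decryptJson = udf { (cipherText: String) =>
      Option(cipherText)
        .flatMap(c => Try(com.example.corecrypto.CoreCrypto.decrypt(c)).toOption)
        .orNull
    }

    // MySQL table as crawled into the Glue Data Catalog.
    val source = glueContext
      .getCatalogSource(database = args("source_db"), tableName = args("source_table"))
      .getDynamicFrame()
      .toDF()

    // "loan_json_enc" and "loan_json" are assumed column names.
    val withPlain = source.withColumn("loan_json", decryptJson(col("loan_json_enc")))

    // Fail the run when ciphertext was present but could not be decrypted.
    val failed = withPlain
      .filter(col("loan_json_enc").isNotNull && col("loan_json").isNull)
      .count()
    if (failed > 0) throw new IllegalStateException(s"$failed rows failed decryption")

    // The output holds plaintext; the target bucket is assumed to enforce SSE-KMS.
    glueContext.getSinkWithFormat(
      connectionType = "s3",
      options = JsonOptions(Map("path" -> args("output_path"))),
      format = "parquet"
    ).writeDynamicFrame(DynamicFrame(withPlain.drop("loan_json_enc"), glueContext))

    Job.commit()
  }
}
```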

1
votes

Your system is no more secure if, at the end of the day, you will need to upload your secret key to AWS to decrypt this JSON. You may as well not encrypt this JSON when you save it to the database, and instead configure the database to be encrypted by a customer managed KMS key.

You'll get much more functionality from doing things this way, as you can log KMS key usage as well as restrict which services have access to decrypt the data. If you keep the secret in your jar file, you will need to have this jar file wherever you read this data, and will end up distributing this secret in different places, without the security controls KMS gives you, or the auditing.