AWS Glue Catalog configured with public access
Description
AlphaSOC detected that an AWS Glue Data Catalog was configured with public access. This configuration allows unrestricted access to metadata about databases, tables, schemas, and other data assets stored in the catalog. It can indicate a misconfiguration or a threat actor preparing for subsequent data exfiltration.
Impact
Public access to AWS Glue Catalog exposes metadata about your data infrastructure to unauthorized parties. This enables adversaries to map out your data landscape, identify high-value targets, and plan attacks against your data assets. The exposed metadata can reveal sensitive information about data structures, volumes, and relationships that should remain confidential.
Severity
| Severity | Condition |
|---|---|
| Low | AWS Glue Catalog configured with public access |
Investigation and Remediation
Review the AWS Glue Data Catalog resource policy to identify the public access permissions. Verify whether this configuration was intended and authorized. Examine AWS CloudTrail logs for any unauthorized access attempts or suspicious queries against the catalog. If unauthorized, immediately remove public access permissions from the Glue Catalog resource policy, review and rotate any potentially compromised credentials, and perform a security audit of your AWS environment.
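
To support the policy review described above, the following added example (not AlphaSOC's or AWS's own code) lists the `Allow` statements in a Glue resource policy that any principal can use. It assumes the policy text has already been retrieved, for example with `aws glue get-resource-policy`; the sample policy, account IDs, organization ID, and the set of scoping condition keys are constructed for illustration.

```python
import json

# Condition keys that commonly limit a wildcard principal to known callers.
# This set is an assumption of the example; align it with your own standards.
SCOPING_KEYS = {"aws:principalorgid", "aws:principalaccount",
                "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpce"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def _is_scoped(condition):
    # Heuristic: a positive operator (not StringNotEquals etc.) on a scoping key.
    return any(key.lower() in SCOPING_KEYS
               for op, tests in (condition or {}).items()
               if "not" not in op.lower() for key in tests)

def public_statements(policy_json):
    """Return the Allow statements that any AWS principal can use."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or _is_scoped(stmt.get("Condition")):
            continue
        # An Allow with NotPrincipal grants everyone except the listed entities.
        if "NotPrincipal" in stmt or _is_wildcard(stmt.get("Principal")):
            findings.append({"sid": stmt.get("Sid", f"statement-{i}"),
                             "actions": _as_list(stmt.get("Action", []))})
    return findings

# Constructed sample policy; account and organization IDs are placeholders.
_RES = "arn:aws:glue:us-east-1:111122223333:*"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["glue:GetDatabases", "glue:GetTables"], "Resource": _RES},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "glue:GetTable", "Resource": _RES,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "PartnerAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": "glue:GetDatabase", "Resource": _RES},
]})

if __name__ == "__main__":
    for finding in public_statements(SAMPLE_POLICY):
        print(finding["sid"], finding["actions"])
```

Statements that name a specific external account, such as `PartnerAccount` in the sample, are not reported as public but still need the same check that the sharing was intended and authorized.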