
aws-athena-encryption-off

Ensure the Athena workgroup enforces its configuration so that clients cannot disable encryption

Examples

Insecure Example

# Insecure: enforce_workgroup_configuration is false, so the result_configuration
# below (including its encryption settings) is only a default that a client can
# override at query time — results may be written unencrypted.
resource "aws_athena_workgroup" "bigcorp_setup" {
  name = "bigcorp_setup"

  configuration {
    # false = client-side settings may override the workgroup configuration
    enforce_workgroup_configuration = false

    result_configuration {
      output_location = "s3://bigcorp-bucket/output/"

      # Encryption is configured here but, with enforcement off, not guaranteed.
      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.bigcorpkms.arn # key resource defined outside this example
      }
    }
  }
}
# Insecure: EnforceWorkGroupConfiguration is false, so clients may override the
# ResultConfiguration, and no EncryptionConfiguration is set under
# ResultConfiguration at all — query results are not required to be encrypted.
Resources:
  # NOTE(review): logical ID looks like a leftover from a CloudTrail example; verify
  MyTrail:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name: MyCustomWorkGroup
      Description: My WorkGroup
      State: ENABLED
      Tags:
        - Key: "key1"
          Value: "value1"
        - Key: "key2"
          Value: "value2"
      WorkGroupConfiguration:
        # false = client-side settings may override the workgroup configuration
        EnforceWorkGroupConfiguration: false
        # unrelated to this check
        PublishCloudWatchMetricsEnabled: false
        ResultConfiguration:
          # no EncryptionConfiguration is declared for this output location
          OutputLocation: s3://path/to/my/bucket/

Secure Example

# Secure: enforce_workgroup_configuration is true, so the result_configuration
# below — including SSE-KMS encryption of query results — applies to every
# query in the workgroup and cannot be overridden by the client.
resource "aws_athena_workgroup" "bigcorp_setup" {
  name = "bigcorp_setup"

  configuration {
    # true = workgroup settings take precedence over client-side settings
    enforce_workgroup_configuration = true

    result_configuration {
      output_location = "s3://bigcorp-bucket/output/"

      # Enforced encryption of results written to output_location.
      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.bigcorpkms.arn # key resource defined outside this example
      }
    }
  }
}
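# Secure: EnforceWorkGroupConfiguration is true, so the ResultConfiguration below
# applies to every query and cannot be overridden by the client. An
# EncryptionConfiguration is declared so that there is an encryption setting to
# enforce — without it, enforcement alone does not make results encrypted
# (compare the Terraform example, which also declares encryption_configuration).
Resources:
  # NOTE(review): logical ID looks like a leftover from a CloudTrail example; verify
  MyTrail:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name: MyCustomWorkGroup
      Description: My WorkGroup
      State: ENABLED
      Tags:
        - Key: "key1"
          Value: "value1"
        - Key: "key2"
          Value: "value2"
      WorkGroupConfiguration:
        # true = workgroup settings take precedence over client-side settings
        EnforceWorkGroupConfiguration: true
        # unrelated to this check
        PublishCloudWatchMetricsEnabled: false
        ResultConfiguration:
          OutputLocation: s3://path/to/my/bucket/
          # Enforced encryption of results written to OutputLocation.
          EncryptionConfiguration:
            EncryptionOption: SSE_KMS
            # PLACEHOLDER: WorkGroupKmsKey stands for an AWS::KMS::Key resource
            # defined elsewhere in the template.
            KmsKey: !GetAtt WorkGroupKmsKey.Arn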

More information