aws-athena-encryption-off
Ensure the Athena workgroup enforces its configuration so that clients cannot disable encryption.
Examples
Insecure Example
resource "aws_athena_workgroup" "bigcorp_setup" {
  name = "bigcorp_setup"

  configuration {
    enforce_workgroup_configuration = false

    result_configuration {
      output_location = "s3://bigcorp-bucket/output/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.bigcorpkms.arn
      }
    }
  }
}

Resources:
  MyTrail:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name: MyCustomWorkGroup
      Description: My WorkGroup
      State: ENABLED
      Tags:
        - Key: "key1"
          Value: "value1"
        - Key: "key2"
          Value: "value2"
      WorkGroupConfiguration:
        EnforceWorkGroupConfiguration: false
        PublishCloudWatchMetricsEnabled: false
        ResultConfiguration:
          OutputLocation: s3://path/to/my/bucket/
Secure Example
resource "aws_athena_workgroup" "bigcorp_setup" {
  name = "bigcorp_setup"

  configuration {
    enforce_workgroup_configuration = true

    result_configuration {
      output_location = "s3://bigcorp-bucket/output/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.bigcorpkms.arn
      }
    }
  }
}

Resources:
  MyTrail:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name: MyCustomWorkGroup
      Description: My WorkGroup
      State: ENABLED
      Tags:
        - Key: "key1"
          Value: "value1"
        - Key: "key2"
          Value: "value2"
      WorkGroupConfiguration:
        EnforceWorkGroupConfiguration: true
        PublishCloudWatchMetricsEnabled: false
        ResultConfiguration:
          OutputLocation: s3://path/to/my/bucket/
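
Added example (not part of the original page or of the tool that ships this check): a small Python audit that applies this rule to a CloudFormation template already loaded into a dict. The template, the function names `as_bool` and `audit_workgroups`, and the choice to report an absent flag like an explicit `false` are assumptions of this example; it also goes one step beyond the rule by reporting workgroups that enforce a configuration containing no `EncryptionConfiguration`.

```python
# Constructed sample: a CloudFormation template in dict form (as loaded from JSON/YAML).
TEMPLATE = {"Resources": {
    "Unenforced": {"Type": "AWS::Athena::WorkGroup", "Properties": {
        "Name": "wg-unenforced",
        "WorkGroupConfiguration": {
            "EnforceWorkGroupConfiguration": "false",  # booleans may arrive as strings
            "ResultConfiguration": {
                "OutputLocation": "s3://example-bucket/a/",
                "EncryptionConfiguration": {"EncryptionOption": "SSE_S3"}}}}},
    "EnforcedNoEncryption": {"Type": "AWS::Athena::WorkGroup", "Properties": {
        "Name": "wg-plain",
        "WorkGroupConfiguration": {
            "EnforceWorkGroupConfiguration": True,
            "ResultConfiguration": {"OutputLocation": "s3://example-bucket/b/"}}}},
    "Enforced": {"Type": "AWS::Athena::WorkGroup", "Properties": {
        "Name": "wg-ok",
        "WorkGroupConfiguration": {
            "EnforceWorkGroupConfiguration": True,
            "ResultConfiguration": {
                "OutputLocation": "s3://example-bucket/c/",
                "EncryptionConfiguration": {"EncryptionOption": "SSE_S3"}}}}},
    "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
}}


def as_bool(value):
    """Normalise CloudFormation booleans, which may be real booleans or strings."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def audit_workgroups(template):
    """Return {logical_id: [issues]} for every Athena workgroup with a problem."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Athena::WorkGroup":
            continue
        cfg = res.get("Properties", {}).get("WorkGroupConfiguration", {})
        issues = []
        # Assumption of this example: an absent flag is reported like an explicit false.
        if not as_bool(cfg.get("EnforceWorkGroupConfiguration", False)):
            issues.append("clients can override workgroup settings")
        enc = cfg.get("ResultConfiguration", {}).get("EncryptionConfiguration", {})
        if not enc.get("EncryptionOption"):
            issues.append("no result encryption configured to enforce")
        if issues:
            findings[logical_id] = issues
    return findings
```

Values given as intrinsic functions (for example a `Ref` to a parameter) are not resolved by this sketch and would need to be evaluated before the check.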