Ensure Athena workgroups enforce their configuration to prevent clients from disabling encryption
ID | athena_workgroup_enforces_configuration
Severity | low
Vendor | AWS
Resource | Athena
Tags | reachable
Description
Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL.
Athena workgroups are used to separate users, teams, applications, or workloads, to set limits on the amount of data each query or the entire workgroup can process, and to track costs. Because workgroups act as resources, you can use resource-level identity-based policies to control access to a specific workgroup. You can also view query-related metrics in Amazon CloudWatch, control costs by configuring limits on the amount of data scanned, create thresholds, and trigger actions, such as Amazon SNS notifications, when these thresholds are breached.
Settings such as the query result location and result encryption can be configured at the workgroup level, and the workgroup can be made to enforce them for every query that runs in it.
If EnforceWorkGroupConfiguration is set to "true", the workgroup's settings override client-side settings. If set to "false" (the AWS default), client-side settings are used: a client that submits a query with its own ResultConfiguration can write results to a different location or without encryption. Enforcement only applies settings the workgroup actually defines, so a workgroup whose ResultConfiguration declares no EncryptionConfiguration has no encryption setting to enforce.
Examples
CloudFormation
{
  "Resources": {
    "AthenaWorkGroup": {
      "Type": "AWS::Athena::WorkGroup",
      "Properties": {
        "Name": "MyWorkGroup",
        "Description": "My WorkGroup",
        "State": "ENABLED",
        "Tags": [
          {
            "Key": "key1",
            "Value": "value1"
          },
          {
            "Key": "key2",
            "Value": "value2"
          }
        ],
        "WorkGroupConfiguration": {
          "BytesScannedCutoffPerQuery": 200000000,
          "EnforceWorkGroupConfiguration": false, (1)
          "PublishCloudWatchMetricsEnabled": false,
          "RequesterPaysEnabled": true,
          "ResultConfiguration": {
            "OutputLocation": "s3://path/to/my/bucket/"
          }
        }
      }
    }
  }
}
1 | EnforceWorkGroupConfiguration set to false means the workgroup configuration is not enforced: a client can submit queries with its own ResultConfiguration, including one that disables result encryption. |
Resources:
  AthenaWorkGroup:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name: MyWorkGroup
      Description: My WorkGroup
      State: ENABLED
      Tags:
        - Key: "key1"
          Value: "value1"
        - Key: "key2"
          Value: "value2"
      WorkGroupConfiguration:
        BytesScannedCutoffPerQuery: 200000000
        EnforceWorkGroupConfiguration: false (1)
        PublishCloudWatchMetricsEnabled: false
        RequesterPaysEnabled: true
        ResultConfiguration:
          OutputLocation: s3://path/to/my/bucket/
1 | EnforceWorkGroupConfiguration set to false means the workgroup configuration is not enforced: a client can submit queries with its own ResultConfiguration, including one that disables result encryption. |
Mitigation / Fix
Buildtime
CloudFormation
{
  "Resources": {
    "AthenaWorkGroup": {
      "Type": "AWS::Athena::WorkGroup",
      "Properties": {
        "Name": "MyWorkGroup",
        "Description": "My WorkGroup",
        "State": "ENABLED",
        "Tags": [
          {
            "Key": "key1",
            "Value": "value1"
          },
          {
            "Key": "key2",
            "Value": "value2"
          }
        ],
        "WorkGroupConfiguration": {
          "BytesScannedCutoffPerQuery": 200000000,
          "EnforceWorkGroupConfiguration": true, (1)
          "PublishCloudWatchMetricsEnabled": false,
          "RequesterPaysEnabled": true,
          "ResultConfiguration": {
            "OutputLocation": "s3://path/to/my/bucket/"
          }
        }
      }
    }
  }
}
1 | EnforceWorkGroupConfiguration set to true means the workgroup configuration is enforced, so client-side settings cannot override it. This only enforces what the workgroup defines: to guarantee encrypted results, the workgroup's ResultConfiguration must also declare an EncryptionConfiguration. |
Resources:
  AthenaWorkGroup:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name: MyWorkGroup
      Description: My WorkGroup
      State: ENABLED
      Tags:
        - Key: "key1"
          Value: "value1"
        - Key: "key2"
          Value: "value2"
      WorkGroupConfiguration:
        BytesScannedCutoffPerQuery: 200000000
        EnforceWorkGroupConfiguration: true (1)
        PublishCloudWatchMetricsEnabled: false
        RequesterPaysEnabled: true
        ResultConfiguration:
          OutputLocation: s3://path/to/my/bucket/
1 | EnforceWorkGroupConfiguration set to true means the workgroup configuration is enforced, so client-side settings cannot override it. This only enforces what the workgroup defines: to guarantee encrypted results, the workgroup's ResultConfiguration must also declare an EncryptionConfiguration. |
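The following is an added example, not code from the original page, from Checkov, or from AWS. It turns the Description's two points (enforcement overrides client-side settings, and enforcement can only apply settings the workgroup declares) into an offline check over parsed CloudFormation templates, and runs it against the page's failing example, the page's fix, and a fully hardened variant that also declares an SSE_KMS EncryptionConfiguration. The templates, function names, finding text, and the KMS key ARN are constructed for this example; the property names (WorkGroupConfiguration, EnforceWorkGroupConfiguration, ResultConfiguration, EncryptionConfiguration, EncryptionOption, KmsKey) are the real AWS::Athena::WorkGroup properties.

```python
"""Added example: check AWS::Athena::WorkGroup resources in a parsed CloudFormation
template for (1) EnforceWorkGroupConfiguration being true and (2) the workgroup
actually declaring a ResultConfiguration.EncryptionConfiguration to enforce.
Not part of the original page, Checkov, or AWS; templates below are constructed."""
from typing import Any, Dict, List, Optional

ATHENA_WORKGROUP = "AWS::Athena::WorkGroup"
# EncryptionOption values accepted by AWS::Athena::WorkGroup EncryptionConfiguration.
VALID_ENCRYPTION_OPTIONS = {"SSE_S3", "SSE_KMS", "CSE_KMS"}
KMS_BACKED_OPTIONS = {"SSE_KMS", "CSE_KMS"}


def _as_bool(value: Any) -> bool:
    """CloudFormation accepts both true and "true"; anything else (or absent) is false,
    which is also AWS's default for EnforceWorkGroupConfiguration."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def check_workgroup(logical_id: str, resource: Dict[str, Any]) -> List[str]:
    """Return finding strings for one workgroup resource; an empty list means it passes."""
    findings: List[str] = []
    props = resource.get("Properties") or {}
    cfg = props.get("WorkGroupConfiguration") or {}
    result_cfg = cfg.get("ResultConfiguration") or {}
    enc = result_cfg.get("EncryptionConfiguration") or {}

    if not _as_bool(cfg.get("EnforceWorkGroupConfiguration")):
        findings.append(f"{logical_id}: EnforceWorkGroupConfiguration is not true; "
                        "client-side ResultConfiguration (including encryption) wins")
    if not enc:
        findings.append(f"{logical_id}: ResultConfiguration has no EncryptionConfiguration; "
                        "there is no encryption setting for the workgroup to enforce")
    else:
        option = enc.get("EncryptionOption")
        if option not in VALID_ENCRYPTION_OPTIONS:
            findings.append(f"{logical_id}: unsupported EncryptionOption {option!r}")
        elif option in KMS_BACKED_OPTIONS and not enc.get("KmsKey"):
            findings.append(f"{logical_id}: {option} set without a KmsKey")
    return findings


def check_template(template: Dict[str, Any]) -> List[str]:
    """Run check_workgroup over every Athena workgroup in a parsed template."""
    findings: List[str] = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if isinstance(resource, dict) and resource.get("Type") == ATHENA_WORKGROUP:
            findings.extend(check_workgroup(logical_id, resource))
    return findings


def workgroup_template(enforce: Any, encryption: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Build a template in the shape of the page's example, varying only the two knobs."""
    result_cfg: Dict[str, Any] = {"OutputLocation": "s3://path/to/my/bucket/"}
    if encryption is not None:
        result_cfg["EncryptionConfiguration"] = encryption
    return {"Resources": {"AthenaWorkGroup": {
        "Type": ATHENA_WORKGROUP,
        "Properties": {
            "Name": "MyWorkGroup",
            "State": "ENABLED",
            "WorkGroupConfiguration": {
                "BytesScannedCutoffPerQuery": 200000000,
                "EnforceWorkGroupConfiguration": enforce,
                "ResultConfiguration": result_cfg,
            },
        },
    }}}


# Constructed inputs: the page's failing example, the page's fix, and a hardened
# variant that also declares encryption. The KMS key ARN is a placeholder.
FAILING = workgroup_template(False, None)
PAGE_FIX = workgroup_template(True, None)
HARDENED = workgroup_template(True, {
    "EncryptionOption": "SSE_KMS",
    "KmsKey": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
})

if __name__ == "__main__":
    for name, template in (("failing", FAILING), ("page_fix", PAGE_FIX), ("hardened", HARDENED)):
        findings = check_template(template)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, the page's fix still reports one finding (no EncryptionConfiguration) and only the hardened variant passes. For workgroups already deployed, the same two fields can be read from `aws athena get-work-group --work-group MyWorkGroup`, under `WorkGroup.Configuration.EnforceWorkGroupConfiguration` and `WorkGroup.Configuration.ResultConfiguration.EncryptionConfiguration`.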