Athena workgroup does not prevent disabling encryption

Description

Settings can be configured at the workgroup level and enforced for every query that runs in the workgroup. This only affects queries run in that workgroup; for those, the workgroup settings are used.

If a query runs in a workgroup and the workgroup is set to override client-side settings, Athena uses the workgroup's encryption settings. These override any other settings specified for the query in the console, through API operations, or with drivers.

Fix - Runtime

CLI Command

Run the create-cluster command and use the encryption-info option to point to the file where you saved your configuration JSON.

```shell
aws kafka create-cluster \
  --cluster-name "ExampleClusterName" \
  --broker-node-group-info file://brokernodegroupinfo.json \
  --encryption-info file://encryptioninfo.json \
  --kafka-version "2.2.1" \
  --number-of-broker-nodes 3
```

Fix - Buildtime

Terraform

  • Resource: aws_athena_workgroup
  • Argument: enforce_workgroup_configuration - (Optional) Boolean whether the settings for the workgroup override client-side settings. For more information, see Workgroup Settings Override Client-Side Settings. Defaults to true.

```hcl
# aws_athena_workgroup.example.tf
resource "aws_athena_workgroup" "example" {
  name = "example"
  ...
  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.example.bucket}/output/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.example.arn
      }
    }
  }
}
```

## CloudFormation

- **Resource:** AWS::Athena::WorkGroup
- **Argument:** Properties.WorkGroupConfiguration.EnforceWorkGroupConfiguration

```yaml
Resources:
  MyAthenaWorkGroup:
    Type: AWS::Athena::WorkGroup
    Properties:
      ...
+     WorkGroupConfiguration:
+       EnforceWorkGroupConfiguration: true
        ...
```
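The policy behind this page, the Terraform and CloudFormation fixes above, can be expressed as a small build-time check. The following is an added example written in the style of a Checkov resource check; it is not Checkov's own code, and its inputs are constructed dicts standing in for the parsed `aws_athena_workgroup` attributes and the `AWS::Athena::WorkGroup` `Properties` map. The Terraform default (omitted flag means `true`) comes from the argument reference above; treating an omitted CloudFormation property as a finding is an assumption chosen for a conservative policy.

```python
PASSED, FAILED = "PASSED", "FAILED"


def _as_bool(value):
    """Parsed IaC gives real bools or the strings 'true'/'false'; anything
    else (e.g. an unresolved variable reference) is returned as None."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None


def check_terraform_workgroup(resource):
    """Attributes of one aws_athena_workgroup block (constructed dict).
    enforce_workgroup_configuration defaults to true when omitted, so only an
    explicit false, or a value that cannot be resolved, is a finding."""
    configuration = resource.get("configuration") or {}
    flag = _as_bool(configuration.get("enforce_workgroup_configuration", True))
    return PASSED if flag else FAILED


def check_cloudformation_workgroup(properties):
    """Properties map of an AWS::Athena::WorkGroup (constructed dict). The
    property must be present and true; an omitted value is treated as a
    finding (assumption: conservative stance, no API default relied on)."""
    configuration = properties.get("WorkGroupConfiguration") or {}
    flag = _as_bool(configuration.get("EnforceWorkGroupConfiguration"))
    return PASSED if flag else FAILED


# Constructed sample inputs: the page's fixes and their weak counterparts.
SAMPLES = {
    "terraform enforced": (check_terraform_workgroup, {"name": "example",
        "configuration": {"enforce_workgroup_configuration": True,
                          "publish_cloudwatch_metrics_enabled": True}}),
    "terraform disabled": (check_terraform_workgroup, {"name": "example",
        "configuration": {"enforce_workgroup_configuration": False}}),
    "terraform default": (check_terraform_workgroup, {"name": "example"}),
    "cloudformation enforced": (check_cloudformation_workgroup,
        {"WorkGroupConfiguration": {"EnforceWorkGroupConfiguration": True}}),
    "cloudformation string false": (check_cloudformation_workgroup,
        {"WorkGroupConfiguration": {"EnforceWorkGroupConfiguration": "false"}}),
}


def run_samples():
    """Return {sample name: PASSED/FAILED} for every constructed sample."""
    return {name: check(conf) for name, (check, conf) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```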