HIGH
Source
Trivy/CSPM
CSPM ID
workgroup-encrypted
ID
AVD-AWS-0006

Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encrypted

Athena databases and workspace result sets should be encrypted at rests. These databases and query sets are generally derived from data in S3 buckets and should have the same level of at rest protection.

Impact

Data can be read if the Athena Database is compromised

Follow the appropriate remediation steps below to resolve the issue.

Enable encryption at rest for Athena databases and workgroup configurations

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Properties:
      Name: goodExample
      WorkGroupConfiguration:
        ResultConfiguration:
          EncryptionConfiguration:
            EncryptionOption: SSE_KMS
    Type: AWS::Athena::WorkGroup

Enable encryption at rest for Athena databases and workgroup configurations

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
resource "aws_athena_database" "good_example" {
  name   = "database_name"
  bucket = aws_s3_bucket.hoge.bucket
  
  encryption_configuration {
    encryption_option = "SSE_KMS"
    kms_key_arn       = aws_kms_key.example.arn
  }
}

resource "aws_athena_workgroup" "good_example" {
  name = "example"
  
  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true
    
    result_configuration {
      output_location = "s3://${aws_s3_bucket.example.bucket}/output/"
      
      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.example.arn
      }
    }
  }
}