Athena workgroups should enforce configuration to prevent clients from disabling encryption
Athena workgroup configuration should be enforced to prevent client-side changes that disable encryption settings.
Impact
Clients can ignore encryption requirements
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enforce the configuration to prevent client overrides
Resources:
  GoodExample:
    Properties:
      Name: goodExample
      WorkGroupConfiguration:
        EnforceWorkGroupConfiguration: true
        ResultConfiguration:
          EncryptionConfiguration:
            EncryptionOption: SSE_KMS
    Type: AWS::Athena::WorkGroup
Enforce the configuration to prevent client overrides
resource "aws_athena_workgroup" "good_example" {
  name = "example"
  configuration {
    enforce_workgroup_configuration = true
    publish_cloudwatch_metrics_enabled = true
    result_configuration {
      output_location = "s3://${aws_s3_bucket.example.bucket}/output/"
      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn = aws_kms_key.example.arn
      }
    }
  }
}
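An added example (not part of the original page or of the tool that reports this check): a small Python audit of a CloudFormation template already parsed into a dict, flagging Athena workgroups where EnforceWorkGroupConfiguration is not true or where no result encryption option is set. The sample template, its logical IDs and the helper names are constructed for illustration; an absent or unresolved (intrinsic function) enforcement value is treated as a finding.

```python
# Values Athena accepts for EncryptionOption.
ENCRYPTION_OPTIONS = {"SSE_S3", "SSE_KMS", "CSE_KMS"}


def _is_true(value):
    # CloudFormation templates may write booleans as true or "true".
    # Anything else (missing, false, {"Ref": ...}) is not counted as enforced.
    return value is True or (isinstance(value, str) and value.lower() == "true")


def audit_workgroups(template):
    """Return {logical_id: [findings]} for each AWS::Athena::WorkGroup."""
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Athena::WorkGroup":
            continue
        props = resource.get("Properties") or {}
        config = props.get("WorkGroupConfiguration") or {}
        findings = []
        if not _is_true(config.get("EnforceWorkGroupConfiguration")):
            findings.append("EnforceWorkGroupConfiguration is not set to true")
        result_cfg = config.get("ResultConfiguration") or {}
        enc = result_cfg.get("EncryptionConfiguration") or {}
        if enc.get("EncryptionOption") not in ENCRYPTION_OPTIONS:
            findings.append("no result EncryptionOption configured")
        results[logical_id] = findings
    return results


def _workgroup(config):
    # Helper that builds a constructed workgroup resource for the sample below.
    return {"Type": "AWS::Athena::WorkGroup",
            "Properties": {"Name": "sample", "WorkGroupConfiguration": config}}


_KMS = {"EncryptionConfiguration": {"EncryptionOption": "SSE_KMS"}}

# Constructed sample template: one compliant workgroup, two non-compliant ones.
SAMPLE = {"Resources": {
    "GoodExample": _workgroup({"EnforceWorkGroupConfiguration": True,
                               "ResultConfiguration": _KMS}),
    "Overridable": _workgroup({"EnforceWorkGroupConfiguration": False,
                               "ResultConfiguration": _KMS}),
    "EnforcedButPlaintext": _workgroup({"EnforceWorkGroupConfiguration": "true"}),
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}

if __name__ == "__main__":
    for name, findings in audit_workgroups(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```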