Athena workgroups should enforce configuration to prevent client disabling encryption
Default Severity: high
Explanation
Athena workgroup configuration should be enforced (enforce_workgroup_configuration = true) so that client-side query settings cannot override the workgroup's result configuration and disable encryption.
Possible Impact
Clients can submit queries with their own result configuration and ignore the workgroup's encryption requirements.
Suggested Resolution
Enforce the workgroup configuration so that client overrides are rejected.
Insecure Example
The following example will fail the aws-athena-no-encryption-override check.
# Fails: encryption is configured, but enforcement is off, so a client
# can supply its own result configuration and skip encryption.
resource "aws_athena_workgroup" "bad_example" {
  name = "example"

  configuration {
    enforce_workgroup_configuration    = false
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.example.bucket}/output/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.example.arn
      }
    }
  }
}

# Also fails: no configuration block at all, so neither enforcement nor
# result encryption is defined on the workgroup. (Given a distinct
# resource label so both examples can coexist in one module.)
resource "aws_athena_workgroup" "bad_example_no_config" {
  name = "example"
}
Secure Example
The following example will pass the aws-athena-no-encryption-override check.
# Passes: enforcement is on, so the workgroup's encryption settings apply
# to every query regardless of what the client sends.
resource "aws_athena_workgroup" "good_example" {
  name = "example"

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.example.bucket}/output/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.example.arn
      }
    }
  }
}
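The same rule applied to workgroups that are already deployed, as an added example that is not part of this rule's page or of the Terraform provider: it evaluates the GetWorkGroup response shape through a boto3-compatible client, with an offline stand-in and constructed sample records mirroring the three examples above. The workgroup names, bucket and KMS key ARN are placeholders.

```python
"""Audit deployed Athena workgroups for the weakness this check flags in
Terraform, using the GetWorkGroup response shape. The client is passed in so
the offline stand-in at the bottom can replace a real boto3 client."""


def audit_workgroup(workgroup: dict) -> list[str]:
    """Findings for one 'WorkGroup' dict; an empty list means compliant."""
    findings = []
    config = workgroup.get("Configuration") or {}
    # Without enforcement a client's own ResultConfiguration takes precedence.
    if not config.get("EnforceWorkGroupConfiguration", False):
        findings.append("EnforceWorkGroupConfiguration is not true")
    enc = (config.get("ResultConfiguration") or {}).get("EncryptionConfiguration") or {}
    if enc.get("EncryptionOption") not in ("SSE_S3", "SSE_KMS", "CSE_KMS"):
        findings.append("no result EncryptionConfiguration on the workgroup")
    return findings


def audit_all(athena) -> dict[str, list[str]]:
    """Map each non-compliant workgroup name to its findings (NextToken paging)."""
    results, kwargs = {}, {}
    while True:
        page = athena.list_work_groups(**kwargs)
        for summary in page["WorkGroups"]:
            wg = athena.get_work_group(WorkGroup=summary["Name"])["WorkGroup"]
            if findings := audit_workgroup(wg):
                results[wg["Name"]] = findings
        if "NextToken" not in page:
            return results
        kwargs = {"NextToken": page["NextToken"]}


def _wg(name, enforce, encrypted):
    # Constructed GetWorkGroup-style record; the KmsKey ARN is a placeholder.
    cfg = {} if enforce is None else {"EnforceWorkGroupConfiguration": enforce}
    if encrypted:
        cfg["ResultConfiguration"] = {"EncryptionConfiguration": {
            "EncryptionOption": "SSE_KMS", "KmsKey": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"}}
    return {"Name": name, "Configuration": cfg}


class FakeAthena:
    """Offline stand-in for boto3's Athena client, mirroring the page's examples."""
    WORKGROUPS = [_wg("good_example", True, True), _wg("bad_example", False, True),
                  _wg("bad_example_no_config", None, False)]

    def list_work_groups(self, **kwargs):
        return {"WorkGroups": [{"Name": w["Name"]} for w in self.WORKGROUPS]}

    def get_work_group(self, WorkGroup):
        return {"WorkGroup": next(w for w in self.WORKGROUPS if w["Name"] == WorkGroup)}
```

With a real client, `audit_all(boto3.client("athena"))` returns only the workgroups that need remediation.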