Athena Workgroup Encrypts Query Results

Overview

This check verifies that Amazon Athena workgroups are configured to encrypt query results stored in Amazon S3. When you run queries in Athena, the results are saved to an S3 location. Without encryption, these results are stored in plain text.

Risk

Unencrypted query results can expose sensitive data if:

  • The S3 bucket is misconfigured and becomes publicly accessible
  • An attacker gains access to your S3 bucket through compromised credentials
  • Cross-account access policies inadvertently grant unintended access

This could lead to data breaches, compliance violations, and unauthorized access to business-critical information.

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to modify Athena workgroups
  • Know which workgroup(s) need encryption enabled

Required IAM permissions

To enable encryption on Athena workgroups, you need these permissions:

  • athena:UpdateWorkGroup
  • athena:GetWorkGroup
  • kms:DescribeKey (if using KMS encryption)
  • kms:GenerateDataKey (if using KMS encryption)

AWS Console Method

  1. Open the Amazon Athena console
  2. In the left navigation, click Workgroups
  3. Select the workgroup you want to update
  4. Click the Edit button
  5. Scroll down to Query result configuration
  6. Check the box for Encrypt query results
  7. Choose an encryption method:
    • SSE-S3 (simplest option, uses Amazon S3-managed keys)
    • SSE-KMS (uses AWS KMS keys for additional control)
  8. If you chose SSE-KMS, select or enter a KMS key ARN
  9. Click Save

AWS CLI (optional)

Enable SSE-S3 encryption (simplest approach):

aws athena update-work-group \
  --work-group <your-workgroup-name> \
  --configuration-updates '{"ResultConfigurationUpdates":{"EncryptionConfiguration":{"EncryptionOption":"SSE_S3"}}}' \
  --region us-east-1

Enable SSE-KMS encryption (recommended for sensitive data):

aws athena update-work-group \
  --work-group <your-workgroup-name> \
  --configuration-updates '{
    "ResultConfigurationUpdates": {
      "EncryptionConfiguration": {
        "EncryptionOption": "SSE_KMS",
        "KmsKey": "arn:aws:kms:us-east-1:<account-id>:key/<key-id>"
      }
    }
  }' \
  --region us-east-1

Enable encryption and enforce it for all users (prevents override):

aws athena update-work-group \
  --work-group <your-workgroup-name> \
  --configuration-updates '{
    "EnforceWorkGroupConfiguration": true,
    "ResultConfigurationUpdates": {
      "EncryptionConfiguration": {
        "EncryptionOption": "SSE_KMS",
        "KmsKey": "arn:aws:kms:us-east-1:<account-id>:key/<key-id>"
      }
    }
  }' \
  --region us-east-1

Replace:

  • <your-workgroup-name> with your Athena workgroup name
  • <account-id> with your 12-digit AWS account ID
  • <key-id> with your KMS key ID

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: Athena Workgroup with encrypted query results

Parameters:
  WorkgroupName:
    Type: String
    Description: Name of the Athena workgroup
    Default: secure-workgroup

  ResultsBucketName:
    Type: String
    Description: S3 bucket for query results

  EncryptionOption:
    Type: String
    Default: SSE_S3
    AllowedValues:
      - SSE_S3
      - SSE_KMS
    Description: Encryption method for query results

Conditions:
  UseKmsEncryption: !Equals [!Ref EncryptionOption, SSE_KMS]

Resources:
  # Only created when SSE_KMS is selected
  AthenaKmsKey:
    Type: AWS::KMS::Key
    Condition: UseKmsEncryption
    Properties:
      Description: KMS key for Athena query result encryption
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'

  AthenaWorkgroup:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name: !Ref WorkgroupName
      State: ENABLED
      WorkGroupConfiguration:
        # Prevents per-query result settings from overriding the encryption below
        EnforceWorkGroupConfiguration: true
        PublishCloudWatchMetricsEnabled: true
        ResultConfiguration:
          OutputLocation: !Sub 's3://${ResultsBucketName}/athena-results/'
          EncryptionConfiguration:
            EncryptionOption: !Ref EncryptionOption
            # KmsKey is only valid for SSE_KMS; omit it for SSE_S3
            KmsKey: !If
              - UseKmsEncryption
              - !GetAtt AthenaKmsKey.Arn
              - !Ref AWS::NoValue

Outputs:
  WorkgroupName:
    Description: Name of the Athena workgroup
    Value: !Ref AthenaWorkgroup

  KmsKeyArn:
    Condition: UseKmsEncryption
    Description: ARN of the KMS key used for encryption
    Value: !GetAtt AthenaKmsKey.Arn

Deploy with:

aws cloudformation deploy \
  --template-file athena-workgroup.yaml \
  --stack-name athena-encrypted-workgroup \
  --parameter-overrides \
    WorkgroupName=my-secure-workgroup \
    ResultsBucketName=my-athena-results-bucket \
    EncryptionOption=SSE_KMS \
  --region us-east-1

Terraform (optional)

# variables.tf
variable "workgroup_name" {
  description = "Name of the Athena workgroup"
  type        = string
  default     = "secure-workgroup"
}

variable "results_bucket" {
  description = "S3 bucket for Athena query results"
  type        = string
}

variable "use_kms_encryption" {
  description = "Use KMS encryption instead of SSE-S3"
  type        = bool
  default     = true
}

# main.tf
# Created only when use_kms_encryption is true
resource "aws_kms_key" "athena" {
  count                   = var.use_kms_encryption ? 1 : 0
  description             = "KMS key for Athena query result encryption"
  deletion_window_in_days = 7
  enable_key_rotation     = true

  tags = {
    Purpose = "Athena query result encryption"
  }
}

resource "aws_kms_alias" "athena" {
  count         = var.use_kms_encryption ? 1 : 0
  name          = "alias/athena-${var.workgroup_name}"
  target_key_id = aws_kms_key.athena[0].key_id
}

resource "aws_athena_workgroup" "main" {
  name = var.workgroup_name

  configuration {
    # Prevents per-query result settings from overriding the encryption below
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${var.results_bucket}/athena-results/"

      encryption_configuration {
        encryption_option = var.use_kms_encryption ? "SSE_KMS" : "SSE_S3"
        kms_key_arn       = var.use_kms_encryption ? aws_kms_key.athena[0].arn : null
      }
    }
  }

  tags = {
    Environment = "production"
  }
}

# outputs.tf
output "workgroup_name" {
  description = "Name of the Athena workgroup"
  value       = aws_athena_workgroup.main.name
}

output "kms_key_arn" {
  description = "ARN of the KMS key (if KMS encryption enabled)"
  value       = var.use_kms_encryption ? aws_kms_key.athena[0].arn : null
}

Deploy with:

terraform init
terraform apply \
  -var="workgroup_name=my-secure-workgroup" \
  -var="results_bucket=my-athena-results-bucket" \
  -var="use_kms_encryption=true"

Verification

After enabling encryption, verify the change:

  1. Go to the Athena Workgroups console
  2. Click on your workgroup name
  3. Under Query result configuration, confirm that Encrypt query results shows your chosen encryption method

CLI verification

aws athena get-work-group \
  --work-group <your-workgroup-name> \
  --query 'WorkGroup.Configuration.ResultConfiguration.EncryptionConfiguration' \
  --region us-east-1

Expected output for SSE-S3:

{
  "EncryptionOption": "SSE_S3"
}

Expected output for SSE-KMS:

{
  "EncryptionOption": "SSE_KMS",
  "KmsKey": "arn:aws:kms:us-east-1:123456789012:key/..."
}

Re-run the Prowler check:

prowler aws --checks athena_workgroup_encryption
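The Prowler check above reports one pass or fail per workgroup. As an added example (not Prowler's own check code), the script below applies the same evaluation to the JSON that `aws athena get-work-group` returns and also surfaces the two softer points from the Notes: whether "Enforce workgroup configuration" is on, and whether SSE-S3 rather than SSE-KMS is in use. It runs as-is on constructed sample responses, accepts get-work-group output on stdin, or, when given a region argument, collects every workgroup itself (that path assumes boto3 is installed and credentials that carry athena:ListWorkGroups and athena:GetWorkGroup).

```python
"""Evaluate Athena workgroups for encrypted query results.

Added example, not Prowler's check code. Works on the WorkGroup object
that `aws athena get-work-group` (or boto3 get_work_group) returns.
The sample responses at the bottom are constructed, not captured.
"""
from __future__ import annotations

import json
import sys
from typing import Any

# Encryption options Athena accepts for query results.
VALID_OPTIONS = {"SSE_S3", "SSE_KMS", "CSE_KMS"}


def evaluate_workgroup(workgroup: dict[str, Any]) -> dict[str, Any]:
    """Classify one WorkGroup object as PASS or FAIL, with reason and warnings."""
    config = workgroup.get("Configuration") or {}
    result_cfg = config.get("ResultConfiguration") or {}
    enc = result_cfg.get("EncryptionConfiguration") or {}
    option = enc.get("EncryptionOption")
    finding: dict[str, Any] = {"name": workgroup.get("Name", "<unnamed>"),
                               "status": "PASS", "reason": "", "warnings": []}

    if option not in VALID_OPTIONS:
        finding["status"] = "FAIL"
        finding["reason"] = "query results are stored unencrypted (no EncryptionConfiguration)"
        return finding

    finding["reason"] = f"query results encrypted with {option}"
    if not config.get("EnforceWorkGroupConfiguration"):
        finding["warnings"].append("EnforceWorkGroupConfiguration is false: a per-query "
                                   "ResultConfiguration can override this encryption setting")
    if option == "SSE_S3":
        finding["warnings"].append("SSE_S3 in use; consider SSE_KMS for sensitive data "
                                   "(key policy gives additional access control)")
    return finding


def summarize(findings: list[dict[str, Any]]) -> dict[str, int]:
    """Count PASS and FAIL findings."""
    counts = {"PASS": 0, "FAIL": 0}
    for finding in findings:
        counts[finding["status"]] += 1
    return counts


def load_workgroups(text: str) -> list[dict[str, Any]]:
    """Accept get-work-group output ({"WorkGroup": {...}}), a bare WorkGroup, or a list."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data.get("WorkGroup", data)]


def fetch_workgroups(region: str) -> list[dict[str, Any]]:
    """Collect every workgroup in a region (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the pure evaluation runs without it

    athena = boto3.client("athena", region_name=region)
    names: list[str] = []
    token = None
    while True:
        page = athena.list_work_groups(**({"NextToken": token} if token else {}))
        names.extend(wg["Name"] for wg in page["WorkGroups"])
        token = page.get("NextToken")
        if not token:
            break
    return [athena.get_work_group(WorkGroup=name)["WorkGroup"] for name in names]


# Constructed sample responses in the shape of `aws athena get-work-group`.
SAMPLE_WORKGROUPS = [
    {"Name": "analytics", "State": "ENABLED", "Configuration": {
        "EnforceWorkGroupConfiguration": True,
        "ResultConfiguration": {
            "OutputLocation": "s3://example-results/athena-results/",
            "EncryptionConfiguration": {
                "EncryptionOption": "SSE_KMS",
                "KmsKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}}},
    {"Name": "primary", "State": "ENABLED", "Configuration": {
        "EnforceWorkGroupConfiguration": False,
        "ResultConfiguration": {"OutputLocation": "s3://example-results/"}}},
    {"Name": "legacy", "State": "ENABLED", "Configuration": {
        "EnforceWorkGroupConfiguration": False,
        "ResultConfiguration": {
            "OutputLocation": "s3://example-results/legacy/",
            "EncryptionConfiguration": {"EncryptionOption": "SSE_S3"}}}},
]


def main(argv: list[str]) -> int:
    if len(argv) > 1:                      # python check.py us-east-1
        workgroups = fetch_workgroups(argv[1])
    elif not sys.stdin.isatty():           # aws athena get-work-group ... | python check.py
        workgroups = load_workgroups(sys.stdin.read())
    else:
        workgroups = SAMPLE_WORKGROUPS
    findings = [evaluate_workgroup(wg) for wg in workgroups]
    summary = summarize(findings)
    print(json.dumps({"findings": findings, "summary": summary}, indent=2))
    return 1 if summary["FAIL"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit code on any FAIL makes the script usable as a CI gate after the remediation is applied; the warnings do not fail the run, since the check itself only requires that encryption be set.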

Additional Resources

Notes

  • Existing results are not re-encrypted: Enabling encryption only affects new query results. Previously stored unencrypted results remain unencrypted.
  • Enforce workgroup configuration: Consider enabling "Enforce workgroup configuration" to prevent users from overriding encryption settings when running queries.
  • KMS costs: Using SSE-KMS incurs additional KMS API charges. SSE-S3 has no additional cost.
  • Cross-region considerations: If your KMS key is in a different region than your workgroup, you may encounter access issues. Keep the KMS key in the same region as the workgroup.
  • Default workgroup: The "primary" workgroup is created automatically. It should also be configured with encryption if in use.