Athena Workgroup Enforces Configuration

Overview

This check verifies that Amazon Athena workgroups have the "Override client-side settings" option enabled. When enabled, the workgroup's configuration settings are enforced for all queries, preventing individual users or applications from overriding critical settings like encryption and output location.

Risk

Without workgroup configuration enforcement, users and applications can:

  • Disable or weaken encryption on query results
  • Redirect query outputs to unauthorized or cross-account S3 buckets
  • Bypass retention and access controls you have configured

This creates risks including data exposure, compliance violations, and weakened auditability that complicates incident response and forensics.

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to modify Athena workgroups
  • Know which workgroup(s) need enforcement enabled

Required IAM permissions

To enable workgroup configuration enforcement, you need these permissions:

  • athena:UpdateWorkGroup
  • athena:GetWorkGroup

AWS Console Method

  1. Open the Amazon Athena console
  2. In the left navigation, click Workgroups
  3. Select the workgroup you want to update
  4. Click the Edit button
  5. Scroll down to Settings
  6. Check the box for Override client-side settings
  7. Click Save

After enabling this option, workgroup settings will be enforced for all queries, regardless of what clients specify.

AWS CLI (optional)

Enable workgroup configuration enforcement:

aws athena update-work-group \
  --work-group <your-workgroup-name> \
  --configuration-updates '{"EnforceWorkGroupConfiguration":true}' \
  --region us-east-1

Enable enforcement along with encryption settings:

aws athena update-work-group \
  --work-group <your-workgroup-name> \
  --configuration-updates '{
    "EnforceWorkGroupConfiguration": true,
    "ResultConfigurationUpdates": {
      "OutputLocation": "s3://<your-bucket>/athena-results/",
      "EncryptionConfiguration": {
        "EncryptionOption": "SSE_KMS",
        "KmsKey": "arn:aws:kms:us-east-1:<account-id>:key/<key-id>"
      }
    }
  }' \
  --region us-east-1

Replace:

  • <your-workgroup-name> with your Athena workgroup name
  • <your-bucket> with your S3 bucket name
  • <account-id> with your 12-digit AWS account ID
  • <key-id> with your KMS key ID

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: Athena Workgroup with enforced configuration

Parameters:
  WorkgroupName:
    Type: String
    Description: Name of the Athena workgroup
    Default: enforced-workgroup

  ResultsBucketName:
    Type: String
    Description: S3 bucket for query results

Resources:
  AthenaWorkgroup:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name: !Ref WorkgroupName
      State: ENABLED
      WorkGroupConfiguration:
        EnforceWorkGroupConfiguration: true
        PublishCloudWatchMetricsEnabled: true
        ResultConfiguration:
          OutputLocation: !Sub 's3://${ResultsBucketName}/athena-results/'
          EncryptionConfiguration:
            EncryptionOption: SSE_S3

Outputs:
  WorkgroupName:
    Description: Name of the Athena workgroup
    Value: !Ref AthenaWorkgroup

Deploy with:

aws cloudformation deploy \
  --template-file athena-workgroup-enforced.yaml \
  --stack-name athena-enforced-workgroup \
  --parameter-overrides \
    WorkgroupName=my-enforced-workgroup \
    ResultsBucketName=my-athena-results-bucket \
  --region us-east-1

Terraform (optional)

variable "workgroup_name" {
  description = "Name of the Athena workgroup"
  type        = string
  default     = "enforced-workgroup"
}

variable "results_bucket" {
  description = "S3 bucket for Athena query results"
  type        = string
}

resource "aws_athena_workgroup" "main" {
  name = var.workgroup_name

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${var.results_bucket}/athena-results/"

      encryption_configuration {
        encryption_option = "SSE_S3"
      }
    }
  }

  tags = {
    Environment = "production"
  }
}

output "workgroup_name" {
  description = "Name of the Athena workgroup"
  value       = aws_athena_workgroup.main.name
}

Deploy with:

terraform init
terraform apply \
  -var="workgroup_name=my-enforced-workgroup" \
  -var="results_bucket=my-athena-results-bucket"

Verification

After enabling enforcement, verify the change:

  1. Go to the Athena Workgroups console
  2. Click on your workgroup name
  3. Under Settings, confirm that Override client-side settings is checked

CLI verification

aws athena get-work-group \
  --work-group <your-workgroup-name> \
  --query 'WorkGroup.Configuration.EnforceWorkGroupConfiguration' \
  --region us-east-1

Expected output:

true

Re-run the Prowler check:

prowler aws --checks athena_workgroup_enforce_configuration
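The same verification can be scripted across every workgroup in an account. The following is an added example, not part of this page or of Prowler's own check code: it evaluates workgroup dicts in the shape returned by the Athena GetWorkGroup API (the `WorkGroup` element of a boto3 `get_work_group()` response), flags any enabled workgroup whose `EnforceWorkGroupConfiguration` is false or absent, and reports the result encryption option alongside, since the page recommends pairing enforcement with encryption. The sample workgroups are constructed, and the optional live collector assumes boto3 plus the `athena:ListWorkGroups` and `athena:GetWorkGroup` permissions.

```python
"""Audit Amazon Athena workgroups for enforced configuration.

Evaluation runs on the GetWorkGroup response shape so it works offline on
captured output; collect_live_workgroups() is the optional boto3 path.
"""
from typing import Dict, List


def evaluate_workgroup(workgroup: Dict) -> Dict:
    """Return a finding for one workgroup (GetWorkGroup 'WorkGroup' dict).

    status is "PASS" when EnforceWorkGroupConfiguration is true and "FAIL"
    when it is false or missing, because a missing flag means clients can
    still override output location and encryption.
    """
    name = workgroup.get("Name", "<unnamed>")
    config = workgroup.get("Configuration") or {}
    enforced = bool(config.get("EnforceWorkGroupConfiguration", False))
    result_cfg = config.get("ResultConfiguration") or {}
    encryption = (result_cfg.get("EncryptionConfiguration") or {}).get("EncryptionOption")

    if enforced:
        status, message = "PASS", f"Workgroup {name} enforces its configuration"
    else:
        status = "FAIL"
        message = (f"Workgroup {name} does not enforce its configuration; "
                   "clients may override output location and encryption")

    return {
        "name": name,
        "status": status,
        "enforced": enforced,
        "output_location": result_cfg.get("OutputLocation"),
        "encryption_option": encryption,  # None when results are unencrypted
        "message": message,
    }


def audit_workgroups(workgroups: List[Dict], skip_disabled: bool = True) -> List[Dict]:
    """Evaluate each workgroup; DISABLED workgroups are skipped by default."""
    findings = []
    for wg in workgroups:
        if skip_disabled and wg.get("State") == "DISABLED":
            continue
        findings.append(evaluate_workgroup(wg))
    return findings


def failing_workgroups(findings: List[Dict]) -> List[str]:
    """Names of workgroups that need remediation."""
    return [f["name"] for f in findings if f["status"] == "FAIL"]


# Constructed sample input (not captured from a real account), in the
# shape of get_work_group()["WorkGroup"].
SAMPLE_WORKGROUPS = [
    {
        "Name": "primary",
        "State": "ENABLED",
        "Configuration": {
            "EnforceWorkGroupConfiguration": False,
            "ResultConfiguration": {"OutputLocation": "s3://example-results/primary/"},
        },
    },
    {
        "Name": "enforced-workgroup",
        "State": "ENABLED",
        "Configuration": {
            "EnforceWorkGroupConfiguration": True,
            "PublishCloudWatchMetricsEnabled": True,
            "ResultConfiguration": {
                "OutputLocation": "s3://example-results/athena-results/",
                "EncryptionConfiguration": {"EncryptionOption": "SSE_S3"},
            },
        },
    },
    {"Name": "legacy", "State": "DISABLED", "Configuration": {}},
]


def collect_live_workgroups(region: str) -> List[Dict]:
    """Fetch every workgroup from a real account (assumes boto3 and
    athena:ListWorkGroups / athena:GetWorkGroup). boto3 is imported lazily so
    the offline part of this module runs without it installed."""
    import boto3  # assumption: boto3 available when this path is used

    client = boto3.client("athena", region_name=region)
    names, token = [], None
    while True:
        resp = client.list_work_groups(**({"NextToken": token} if token else {}))
        names.extend(wg["Name"] for wg in resp["WorkGroups"])
        token = resp.get("NextToken")
        if not token:
            break
    return [client.get_work_group(WorkGroup=n)["WorkGroup"] for n in names]


if __name__ == "__main__":
    for finding in audit_workgroups(SAMPLE_WORKGROUPS):
        print(f"{finding['status']:4} {finding['name']}: {finding['message']}")
```

Run as-is to see the constructed sample evaluated; swap `SAMPLE_WORKGROUPS` for `collect_live_workgroups("us-east-1")` to audit a real account. A `FAIL` maps directly onto the `update-work-group` remediation above, and a `PASS` with `encryption_option` of `None` is the case the "Combine with encryption" note warns about.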

Additional Resources

Notes

  • Inform your users first: Enabling this option can break custom automation or scripts that rely on specifying their own output location or encryption settings. Communicate the change before enabling.
  • Client-side settings are ignored: When enforcement is enabled, any settings specified via the console, CLI, API, JDBC, or ODBC drivers are overridden by the workgroup configuration.
  • Combine with encryption: For best security, enable both workgroup enforcement and encryption on query results.
  • Default workgroup: The "primary" workgroup is created automatically. Consider enabling enforcement on it if it is in use.
  • API compatibility: Ensure automation scripts either omit client-side settings or match the workgroup settings to avoid confusion.