Amazon Athena Workgroup Has CloudWatch Logging Enabled

Overview

This check verifies that your Amazon Athena workgroups publish query metrics to CloudWatch. When enabled, Athena automatically sends metrics about query execution (such as query count, data scanned, and execution time) to CloudWatch, allowing you to monitor query activity and detect unusual patterns.

Risk

Without CloudWatch query logging, risky or anomalous queries may go undetected. This weakens data confidentiality and integrity by allowing compromised or insider accounts to:

  • Exfiltrate sensitive data without timely detection
  • Modify datasets without leaving obvious traces
  • Operate undetected, hampering forensic analysis and incident response

Enabling logging helps you spot unusual query patterns early and respond quickly to potential security incidents.

Remediation Steps

Prerequisites

You need access to modify Athena workgroups in your AWS account. This typically requires the athena:UpdateWorkGroup permission.

AWS Console Method

  1. Open the Amazon Athena console
  2. In the left navigation pane, choose Workgroups
  3. Select the workgroup you want to update
  4. Click Edit
  5. Scroll to the Settings section
  6. Check the box for Publish query metrics to AWS CloudWatch
  7. Click Save

Repeat these steps for each workgroup that needs logging enabled.

AWS CLI (optional)

To enable CloudWatch metrics for an existing workgroup:

aws athena update-work-group \
    --work-group <WORKGROUP_NAME> \
    --configuration-updates '{"PublishCloudWatchMetricsEnabled": true}' \
    --region us-east-1

Replace <WORKGROUP_NAME> with your actual workgroup name.

Example:

aws athena update-work-group \
    --work-group my-analytics-workgroup \
    --configuration-updates '{"PublishCloudWatchMetricsEnabled": true}' \
    --region us-east-1

To update multiple workgroups at once, you can list them and loop:

# List all workgroups
aws athena list-work-groups --region us-east-1 --query 'WorkGroups[*].Name' --output text

# Enable metrics for each (replace workgroup names as needed)
for wg in workgroup1 workgroup2 workgroup3; do
    aws athena update-work-group \
        --work-group "$wg" \
        --configuration-updates '{"PublishCloudWatchMetricsEnabled": true}' \
        --region us-east-1
done

CloudFormation (optional)

Use this CloudFormation template to create or update an Athena workgroup with CloudWatch logging enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: Athena Workgroup with CloudWatch logging enabled

Parameters:
  WorkgroupName:
    Type: String
    Default: example-workgroup
    Description: Name of the Athena workgroup

  ResultsBucketName:
    Type: String
    Description: S3 bucket for query results

Resources:
  AthenaWorkgroup:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name: !Ref WorkgroupName
      Description: Athena workgroup with CloudWatch metrics enabled
      State: ENABLED
      WorkGroupConfiguration:
        PublishCloudWatchMetricsEnabled: true
        EnforceWorkGroupConfiguration: true
        ResultConfiguration:
          OutputLocation: !Sub 's3://${ResultsBucketName}/athena-results/'

Outputs:
  WorkgroupName:
    Description: Name of the Athena workgroup
    Value: !Ref AthenaWorkgroup

Deploy the stack:

aws cloudformation deploy \
    --template-file template.yaml \
    --stack-name athena-workgroup-logging \
    --parameter-overrides \
        WorkgroupName=my-workgroup \
        ResultsBucketName=my-athena-results-bucket \
    --region us-east-1

Terraform (optional)

Use this Terraform configuration to create an Athena workgroup with CloudWatch metrics enabled:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_athena_workgroup" "example" {
  name = "example-workgroup"

  configuration {
    publish_cloudwatch_metrics_enabled = true
    enforce_workgroup_configuration    = true

    result_configuration {
      output_location = "s3://your-bucket-name/athena-results/"
    }
  }

  tags = {
    Environment = "production"
  }
}

To update an existing workgroup managed by Terraform, add or modify the publish_cloudwatch_metrics_enabled attribute and run:

terraform plan
terraform apply

Verification

After enabling CloudWatch logging, verify the setting is active:

  1. In the Athena console, go to Workgroups
  2. Select your workgroup and view its details
  3. Confirm that Publish query metrics to AWS CloudWatch shows as enabled

Run a test query and check CloudWatch for metrics (they may take a few minutes to appear):

  1. Open the CloudWatch console
  2. Go to Metrics > All metrics
  3. Look for the AWS/Athena namespace
  4. You should see metrics like ProcessedBytes, TotalExecutionTime, and QueryQueueTime

CLI verification

Check the workgroup configuration:

aws athena get-work-group \
    --work-group <WORKGROUP_NAME> \
    --region us-east-1 \
    --query 'WorkGroup.Configuration.PublishCloudWatchMetricsEnabled'

This should return true.

List available Athena metrics in CloudWatch:

aws cloudwatch list-metrics \
    --namespace AWS/Athena \
    --region us-east-1
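The CLI loop above hard-codes workgroup names, and the verification command inspects one workgroup at a time. The script below, added here as an example and not part of this check's own tooling, ties the two together: it reads the JSON that `aws athena get-work-group` prints, flags every workgroup whose metrics flag is not explicitly true, and prints the exact `update-work-group` command for each failing one. It runs offline on a constructed sample; the `get-work-group` documents and workgroup names are assumptions, and a missing `PublishCloudWatchMetricsEnabled` key is treated as failing by this audit (a conservative choice made here, not documented AWS behaviour).

```python
"""Audit `aws athena get-work-group` JSON for the CloudWatch-metrics flag.

Offline use runs against SAMPLE_WORKGROUPS below; for a real account, pipe
CLI output in:  aws athena get-work-group --work-group NAME | python audit.py
"""
import json
import shlex
import sys

# Constructed sample documents in the shape `aws athena get-work-group` prints.
SAMPLE_WORKGROUPS = [
    {"WorkGroup": {"Name": "primary", "State": "ENABLED",
                   "Configuration": {"PublishCloudWatchMetricsEnabled": True}}},
    {"WorkGroup": {"Name": "analytics", "State": "ENABLED",
                   "Configuration": {"PublishCloudWatchMetricsEnabled": False}}},
    # Key absent: cannot be shown enabled, so this audit treats it as failing.
    {"WorkGroup": {"Name": "legacy", "State": "DISABLED", "Configuration": {}}},
]

REMEDIATION = json.dumps({"PublishCloudWatchMetricsEnabled": True})


def metrics_enabled(wg_doc: dict) -> bool:
    """True only when the flag is explicitly true; a missing key counts as disabled."""
    cfg = wg_doc.get("WorkGroup", {}).get("Configuration", {})
    return cfg.get("PublishCloudWatchMetricsEnabled") is True


def audit(docs: list, region: str = "us-east-1") -> list:
    """Return (name, state, passes, remediation_command_or_None) per workgroup."""
    findings = []
    for doc in docs:
        wg = doc["WorkGroup"]
        ok = metrics_enabled(doc)
        cmd = None
        if not ok:  # shell-quote every value so the emitted command is safe to paste
            cmd = ("aws athena update-work-group --work-group " + shlex.quote(wg["Name"])
                   + " --configuration-updates " + shlex.quote(REMEDIATION)
                   + " --region " + shlex.quote(region))
        findings.append((wg["Name"], wg.get("State", "UNKNOWN"), ok, cmd))
    return findings


if __name__ == "__main__":
    docs = SAMPLE_WORKGROUPS
    if not sys.stdin.isatty():  # real CLI output piped in: one document per run
        docs = [json.loads(sys.stdin.read())]
    for name, state, ok, cmd in audit(docs):
        print(f"{'PASS' if ok else 'FAIL'}  {name} ({state})")
        if cmd:
            print("      " + cmd)
```

Disabled workgroups are still reported so that the primary workgroup and dormant ones are not overlooked when they are re-enabled.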

Notes

  • Primary workgroup: The default primary workgroup should also have logging enabled if it is in use.
  • Enforcement: Consider setting EnforceWorkGroupConfiguration to true to prevent users from overriding workgroup settings at query time.
  • Cost: CloudWatch metrics incur standard CloudWatch charges, but the volume from Athena query metrics is typically minimal.
  • Correlation with CloudTrail: For full user attribution, correlate CloudWatch metrics with CloudTrail logs, which capture who ran each query.
  • Centralized monitoring: For multi-account environments, consider centralizing Athena logs to a dedicated monitoring account using CloudWatch cross-account observability.