
Not encrypting Athena query results can lead to a data leak

  • GG_ID: GG_IAC_0031
  • Severity: HIGH
  • Complexity: MEDIUM
  • Categories: DATA
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True

Description

Setting up encryption on Amazon Athena databases and workgroups allows Athena to encrypt the query results in the target bucket.

Impact

When query results are not encrypted, misconfigured bucket permissions or direct access to the storage drives can lead to a data leak.

Remediation guidelines

Enable encryption on Athena databases and workgroups.
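
The following is an added example, not taken from the original page: a workgroup with no result encryption next to an encrypted workgroup and database. It assumes Terraform with the AWS provider and SSE-KMS as the encryption option; all resource names, the bucket and the KMS key are placeholders.

```hcl
# Constructed example: every name, the bucket and the KMS key are placeholders.

resource "aws_kms_key" "athena_results" {
  description         = "Key for Athena query results (placeholder)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "athena_results" {
  bucket = "example-athena-results" # placeholder bucket name
}

# Weak: no encryption_configuration block, so Athena is not told to
# encrypt the query results it writes to the output location.
resource "aws_athena_workgroup" "unencrypted" {
  name = "example-unencrypted"
  configuration {
    result_configuration {
      output_location = "s3://${aws_s3_bucket.athena_results.bucket}/unencrypted/"
    }
  }
}

# Corrected workgroup: results are encrypted with the KMS key.
resource "aws_athena_workgroup" "encrypted" {
  name = "example-encrypted"
  configuration {
    # Workgroup settings override client-side settings, so a query cannot opt out.
    enforce_workgroup_configuration = true
    result_configuration {
      output_location = "s3://${aws_s3_bucket.athena_results.bucket}/encrypted/"
      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.athena_results.arn
      }
    }
  }
}

# Corrected database: the same key, set on the database itself.
resource "aws_athena_database" "encrypted" {
  name   = "example_db"
  bucket = aws_s3_bucket.athena_results.id
  encryption_configuration {
    encryption_option = "SSE_KMS"
    kms_key           = aws_kms_key.athena_results.arn
  }
}
```

Note that the key argument is named `kms_key_arn` on the workgroup and `kms_key` on the database.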

External documentation