
Not enforcing Workgroup configuration in Athena can allow clients to disable encryption settings

  • GG_ID: GG_IAC_0032
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True


Enforcing the Amazon Athena workgroup configuration ensures that clients cannot bypass the workgroup's encryption settings with their own client-side settings. This way, encryption at rest of the data is always ensured.

Note that the workgroup configuration itself should have encryption enabled.


Misconfigured bucket permissions or direct access to storage drives can lead to a data leak.

Remediation guidelines

  • Enforce workgroup configuration.
  • Make sure workgroup configuration has encryption enabled.
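
The two remediation steps above, shown as a weak workgroup next to a corrected one. This is an added example, not taken from the original page; it assumes Terraform with the AWS provider, and the resource names, workgroup names and variables are hypothetical.

```hcl
# Assumed inputs (hypothetical names, not from the page).
variable "results_bucket" {
  type        = string
  description = "Name of the S3 bucket that receives Athena query results"
}

variable "kms_key_arn" {
  type        = string
  description = "ARN of the KMS key used to encrypt query results"
}

# Weak: clients may override the workgroup settings, and the workgroup
# defines no encryption for query results.
resource "aws_athena_workgroup" "weak" {
  name = "analytics-weak"

  configuration {
    enforce_workgroup_configuration = false

    result_configuration {
      output_location = "s3://${var.results_bucket}/weak/"
    }
  }
}

# Corrected: workgroup settings override client-side settings, and
# query results are encrypted at rest with SSE-KMS.
resource "aws_athena_workgroup" "enforced" {
  name = "analytics-enforced"

  configuration {
    enforce_workgroup_configuration = true

    result_configuration {
      output_location = "s3://${var.results_bucket}/enforced/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = var.kms_key_arn
      }
    }
  }
}
```

Both settings are needed together: enforcement without an `encryption_configuration` block only enforces an unencrypted result location.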

External documentation