Not enforcing Workgroup configuration in Athena can allow clients to disable encryption settings
- GG_ID: GG_IAC_0032
- Severity: HIGH
- Complexity: LOW
- Categories: DATA
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: True
Enforcing the Amazon Athena workgroup configuration ensures that clients cannot override the workgroup's encryption settings with their own client-side settings. This way, data encryption at rest is always ensured.
Note that workgroup configuration should have encryption enabled.
Without encryption at rest, misconfigured bucket permissions or direct access to storage drives can lead to a data leak.
- Enforce workgroup configuration.
- Make sure workgroup configuration has encryption enabled.