Not enforcing Workgroup configuration in Athena can allow clients to disable encryption settings

• GG_ID: GG_IAC_0032
• Severity: HIGH
• Complexity: LOW
• Categories: DATA
• Providers: AWS
• Potential data exposure: True
• Visible in logs: False
• User interaction required: False
• Privileges required: True

Description

Enforcing Amazon Athena Workgroup configuration allows to make sure clients don't bypass the workgroup encryption settings. This way, data encryption at rest is always ensured.

Note that workgroup configuration should have encryption enabled.

Impact

Misconfigured bucket permissions or direct access to storage drives can lead to data leak.

Remediation guidelines

• Enforce workgroup configuration.
• Make sure workgroup configuration has encryption enabled.

External documentation

• Using workgroups to control query access and costs
• Workgroup settings override client-side settings
• AWS Athena Workgroup enforce conguration