Not enforcing Workgroup configuration in Athena can allow clients to disable encryption settings
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | AWS | DATA |
Description
Enforcing Amazon Athena Workgroup configuration allows to make sure clients don't bypass the workgroup encryption settings. This way, data encryption at rest is always ensured.
Note that workgroup configuration should have encryption enabled.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | True |
Misconfigured bucket permissions or direct access to storage drives can lead to data leak.
Remediation guidelines
- Enforce workgroup configuration.
- Make sure workgroup configuration has encryption enabled.
References
Was this page helpful?
