AWS059.md


Pattern: Athena databases and workgroup configurations are created unencrypted at rest by default; they should be encrypted.

Issue: -

Description

Athena databases and workgroup result sets should be encrypted at rest. These databases and query result sets are generally derived from data in S3 buckets and should have the same level of at-rest protection as that source data.

Resolution: Enable encryption at rest for Athena databases and workgroup configurations. For workgroups, keep `enforce_workgroup_configuration` set to `true` so that the workgroup's encryption settings override any result configuration supplied by the client.

Examples

Example of incorrect code:

resource "aws_athena_database" "bad_example" {
  # Flagged by this check: no encryption_configuration block is declared,
  # so the database is created with the default of no encryption at rest.
  bucket = aws_s3_bucket.hoge.bucket
  name = "database_name"
}

resource "aws_athena_workgroup" "bad_example" {
  name = "example"

  configuration {
    publish_cloudwatch_metrics_enabled = true
    enforce_workgroup_configuration = true

    # Flagged by this check: result_configuration only sets the output
    # location and carries no encryption_configuration block, so nothing
    # here asks Athena to encrypt the query results it writes under
    # output_location.
    result_configuration {
      output_location = "s3://${aws_s3_bucket.example.bucket}/output/"
    }
  }
}

Example of correct code:

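resource "aws_athena_database" "good_example" {
  name   = "database_name"
  bucket = aws_s3_bucket.hoge.bucket

  # Encrypt the database at rest. SSE_KMS requires kms_key_arn; the
  # provider also accepts SSE_S3 and CSE_KMS as encryption_option values.
  # Indentation normalised to the two-space style used by the rest of the
  # examples (terraform fmt layout).
  encryption_configuration {
    encryption_option = "SSE_KMS"
    kms_key_arn       = aws_kms_key.example.arn
  }
}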

resource "aws_athena_workgroup" "good_example" {
  name = "example"

  configuration {
    publish_cloudwatch_metrics_enabled = true
    # Workgroup settings take precedence over client-supplied settings,
    # so the encryption configuration below cannot be bypassed per query.
    enforce_workgroup_configuration = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.example.bucket}/output/"

      # Query results written under output_location are encrypted at rest
      # with the referenced customer-managed KMS key.
      encryption_configuration {
        kms_key_arn = aws_kms_key.example.arn
        encryption_option = "SSE_KMS"
      }
    }
  }
}