Skip to content

Files

Latest commit

 

History

History
60 lines (43 loc) · 1.32 KB

aws-athena-no-encryption-override.md

File metadata and controls

60 lines (43 loc) · 1.32 KB

Pattern: Possible encryption override for AWS Athena

Issue: -

Description

Athena workgroup configuration should be enforced to prevent client side changes to disable encryption settings.

Resolution: Enforce the configuration to prevent client overrides.

Examples

Example of incorrect code:

resource "aws_athena_workgroup" "bad_example" {
  name = "example"

  configuration {
    enforce_workgroup_configuration    = false
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.example.bucket}/output/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.example.arn
      }
    }
  }
}

resource "aws_athena_workgroup" "bad_example" {
  name = "example"

}

Example of correct code:

resource "aws_athena_workgroup" "good_example" {
  name = "example"

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.example.bucket}/output/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.example.arn
      }
    }
  }
}