Ensure encryption is enabled for AWS Athena Database

HIGH

Description

The AWS Athena database does not have encryption enabled, which may lead to sensitive data exposure.

Remediation

In the AWS Console:

  1. Sign in to AWS Console and go to AWS Athena Console.
  2. For Query result location, enter a custom value or leave the default.
  3. Select Encrypt query results.
  4. Select one of the three encryption options: CSE-KMS, SSE-KMS, or SSE-S3. Note: if you choose CSE-KMS or SSE-KMS, you must also select an AWS KMS key to encrypt the data.
  5. Return to the Athena console to specify the key by alias or ARN.
  6. Select Save.

In Terraform:

  1. In the aws_athena_database resource, add an encryption_configuration block.
  2. Use the encryption_option field to specify the encryption type.
  3. If using a customer managed KMS key, set the kms_key field to the ARN of the appropriate key.
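The Terraform steps above, as an added example that is not part of this policy page or the Terraform provider documentation. It shows the non-compliant resource (no encryption_configuration block, kept commented out so the file does not provision it) beside the compliant form that selects SSE_KMS with a customer managed key. The resource names, the bucket name and the key alias are constructed placeholders.

```hcl
# Added example (not from the policy page or the Terraform provider docs):
# an aws_athena_database with query-result encryption configured.
# Resource names, the bucket name and the key alias are constructed placeholders.

# S3 bucket that receives Athena query results (constructed name).
resource "aws_s3_bucket" "athena_results" {
  bucket = "example-athena-results-bucket"
}

# Customer managed KMS key used for SSE-KMS encryption of the query results.
resource "aws_kms_key" "athena" {
  description         = "Key for Athena query result encryption"
  enable_key_rotation = true
}

resource "aws_kms_alias" "athena" {
  name          = "alias/example-athena-results"
  target_key_id = aws_kms_key.athena.key_id
}

# Non-compliant form (what the rule flags): no encryption_configuration block,
# so Athena writes query results to the bucket without encryption.
# Commented out so this file never provisions the weak configuration.
#
# resource "aws_athena_database" "example" {
#   name   = "example_db"
#   bucket = aws_s3_bucket.athena_results.id
# }

# Compliant form: encryption_configuration selects SSE_KMS and points at the
# customer managed key. The provider accepts SSE_S3, SSE_KMS or CSE_KMS for
# encryption_option; kms_key is only needed for the two KMS-backed options.
resource "aws_athena_database" "example" {
  name   = "example_db"
  bucket = aws_s3_bucket.athena_results.id

  encryption_configuration {
    encryption_option = "SSE_KMS"
    kms_key           = aws_kms_key.athena.arn
  }
}
```

Running terraform plan on the compliant form shows the encryption_configuration block in the planned aws_athena_database resource; its absence from the plan is the condition this rule reports. If SSE_S3 is chosen instead, drop the kms_key line, since that option uses S3-managed keys.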

References:
https://docs.aws.amazon.com/athena/latest/ug/encrypting-query-results-stored-in-s3.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database

Policy Details

Rule Reference ID: AC_AWS_0468
CSP: AWS
Remediation Available: Yes
Resource Category: Database
Resource Type: Athena

Frameworks