Ensure encryption is enabled for AWS Athena Query



Athena Workgroups can be configured to encrypt query results based on workgroups. Workgroup settings can be set to override client-side settings so that all queries that run in the workgroup are encrypted. Encryption helps protect the integrity and confidentiality of the data. For more information, see the AWS documentation.


In AWS Console -

  1. Sign in to AWS Console and go to AWS Athena Console.
  2. For Query result location, enter a custom value or leave the default.
  3. Select Encrypt query results.
  4. You can select any of the 3 encryption options: CSE-KMS, SSE-KMS, or SSE-S3. Note: You need to select an AWS KMS key to encrypt the data if you choose CSE-KMS or SSE-KMS encryption options.
  5. Return to the Athena console to specify the key by alias or ARN.
  6. Select Save.

In Terraform -

  1. In the aws_athena_workgroup resource, configure an encryption_configuration block.
  2. Use the encryption_option field to specify the key type.
  3. If using a customer managed or KMS key, set the kms_key to the ARN of the appropriate key object.


Policy Details

Rule Reference ID: AC_AWS_0018
Remediation Available: No
Resource Category: Database
Resource Type: Athena