Athena Workgroup Is Not Encrypted At Rest
Overview
UPDATE: Security Hub retired this control and removed it from all standards. Athena workgroups send logs to Amazon Simple Storage Service (Amazon S3) buckets. Amazon S3 now provides default encryption with S3 managed keys (SSE-S3) on new and existing S3 buckets.
This check ensures that an Athena workgroup is encrypted at rest. It fails if encryption at rest is not enabled.
Athena allows you to create workgroups for query execution by different teams or applications. Each workgroup can be configured to encrypt all queries. You can choose server-side encryption with Amazon S3 managed keys, server-side encryption with AWS Key Management Service (AWS KMS) keys, or client-side encryption with customer-managed KMS keys.
Encryption at rest safeguards data stored in stable, non-volatile storage, enhancing confidentiality and preventing unauthorized access.
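The pass/fail logic described above, as an added example (not Security Hub's or the vendor's own code) that evaluates dictionaries shaped like the Athena `GetWorkGroup` API response, as returned by boto3's `get_work_group`. The workgroup names, bucket and KMS key ARN are constructed samples, and failing a KMS option that has no `KmsKey` is an assumption that is stricter than the check as stated on this page.

```python
# Added example: the sample workgroups below are constructed, not real resources.
VALID_OPTIONS = {"SSE_S3", "SSE_KMS", "CSE_KMS"}  # Athena EncryptionOption values
KMS_OPTIONS = {"SSE_KMS", "CSE_KMS"}              # options that also carry a KmsKey


def evaluate_workgroup(response):
    """Return (passed, reason) for one GetWorkGroup-shaped response dict."""
    wg = response.get("WorkGroup") or {}
    name = wg.get("Name", "<unnamed>")
    result_cfg = (wg.get("Configuration") or {}).get("ResultConfiguration") or {}
    enc = result_cfg.get("EncryptionConfiguration") or {}
    option = enc.get("EncryptionOption")
    if not option:
        return False, f"{name}: encryption at rest is not enabled"
    if option not in VALID_OPTIONS:
        return False, f"{name}: unrecognized EncryptionOption {option!r}"
    # Assumption (stricter than the page's check): a KMS option needs a key reference.
    if option in KMS_OPTIONS and not enc.get("KmsKey"):
        return False, f"{name}: {option} configured without a KmsKey"
    return True, f"{name}: encrypted with {option}"


def failing_workgroups(responses):
    """Names of the workgroups that fail the check, in input order."""
    return [(r.get("WorkGroup") or {}).get("Name", "<unnamed>")
            for r in responses if not evaluate_workgroup(r)[0]]


def _wg(name, result_configuration=None):
    """Build a constructed GetWorkGroup-shaped response for the samples below."""
    cfg = {} if result_configuration is None else {"ResultConfiguration": result_configuration}
    return {"WorkGroup": {"Name": name, "State": "ENABLED", "Configuration": cfg}}


PLACEHOLDER_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed
SAMPLES = [
    _wg("analytics-sse-s3", {"EncryptionConfiguration": {"EncryptionOption": "SSE_S3"}}),
    _wg("finance-sse-kms", {"EncryptionConfiguration": {
        "EncryptionOption": "SSE_KMS", "KmsKey": PLACEHOLDER_KEY}}),
    _wg("legacy-no-encryption", {"OutputLocation": "s3://example-athena-results/legacy/"}),
    _wg("empty-configuration"),
    _wg("kms-missing-key", {"EncryptionConfiguration": {"EncryptionOption": "CSE_KMS"}}),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        passed, reason = evaluate_workgroup(sample)
        print("PASS" if passed else "FAIL", reason)
```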
Vendor
AWS
Cloud Service
Athena
Severity
1
Item Types
AWS::Athena::WorkGroup