
Athena workgroups should be encrypted at rest

Athena query results land in S3 and can contain sensitive data extracted from your data lake. Without an encryption setting on the workgroup, each result object is written with whatever the client's query settings or the bucket default happen to specify, with no guarantee of a customer-managed key. Be clear about what each option buys you: SSE_S3 is decrypted transparently for any principal that can call s3:GetObject, so a misconfigured bucket policy or a leaked credential still yields plaintext; SSE_KMS and CSE_KMS add a second gate, because reading a result also requires kms:Decrypt on the key, which its key policy controls and CloudTrail records.

Encrypting at the workgroup level sets a default for all users of that workgroup, preventing individual analysts from accidentally producing unencrypted output.

Retrofit consideration

Enabling encryption on an existing workgroup does not retroactively encrypt previously stored query results. You must re-encrypt or delete old result objects separately.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_athena_workgroup.

resource "aws_athena_workgroup" "this" {
  name = "pofix-abc123"

  configuration {
    # Workgroup settings override client-side result settings. This is the
    # provider default; it is stated explicitly so a reviewer can see it.
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      # SSE_S3 uses S3-managed keys. Switch to SSE_KMS or CSE_KMS and add
      # kms_key_arn when access to results must be gated by a key policy.
      encryption_configuration {
        encryption_option = "SSE_S3"
      }
    }
  }
}

What this control checks

In the aws_athena_workgroup resource, the configuration block must contain a result_configuration block with an encryption_configuration sub-block. The encryption_option argument inside encryption_configuration must be set to SSE_S3, SSE_KMS, or CSE_KMS. When SSE_KMS or CSE_KMS is chosen, kms_key_arn must also be provided, pointing to a valid KMS key. Omitting the encryption_configuration block entirely, or leaving encryption_option unset, fails this control. To prevent users from overriding the workgroup default, set enforce_workgroup_configuration to true (the Terraform default) inside the configuration block.

Common pitfalls

  • enforce_workgroup_configuration left as false

    Set enforce_workgroup_configuration to false and individual users can override the workgroup encryption setting at query time, writing unencrypted results to S3. The default is true for a reason: leave it alone unless you have an explicit need and compensating controls.

  • Missing kms_key_arn for KMS-based encryption

    Choosing SSE_KMS or CSE_KMS without a kms_key_arn causes Terraform apply to fail. Make sure the KMS key exists before referencing it, and confirm that the principals running queries in the workgroup hold kms:GenerateDataKey (to write results) and kms:Decrypt (to read them back) on that key, granted by the key policy, their IAM policy, or both. Athena writes results with the permissions of the principal that runs the query, so that is the identity the key must trust.

  • Old query results remain unencrypted after retrofit

    Re-encrypting historical results is not automatic. Enabling encryption on an existing workgroup only applies to queries run after the change; objects already in the results bucket are unchanged. Bucket-level default encryption does not help here either: it applies only to objects written after it is set. To cover historical data, copy the existing objects in place with the encryption you want (for example aws s3 cp with --sse, or an S3 Batch Operations copy job for large buckets), or delete results you no longer need.

  • Incorrect result_configuration nesting in older examples

    Older blog posts and community examples sometimes place encryption arguments directly under configuration, skipping the required nesting. The correct structure is configuration -> result_configuration -> encryption_configuration. Check the provider schema for your version before copy-pasting.
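The SSE_KMS variant that the control description and the KMS pitfall above describe, as an added example that is not code from the original page or from the Compliance.tf project: a customer-managed key whose policy grants the query-running role exactly kms:GenerateDataKey and kms:Decrypt, a workgroup that references the key ARN and keeps enforce_workgroup_configuration on, and matching default encryption on the results bucket so objects written outside Athena use the same key. The variables var.analyst_role_arn and var.results_bucket, the key alias and the workgroup name are assumptions made for the example.

```hcl
# Added example, not the page's original code. Assumptions: var.analyst_role_arn
# is the IAM role that runs queries in this workgroup, var.results_bucket is an
# existing results bucket, and all names are illustrative.

variable "analyst_role_arn" {
  type = string
}

variable "results_bucket" {
  type = string
}

data "aws_caller_identity" "current" {}

# Key policy: the account root keeps administrative control; the analyst role
# gets only what Athena needs to write (GenerateDataKey) and read (Decrypt)
# query results under this key.
data "aws_iam_policy_document" "athena_results_key" {
  statement {
    sid       = "KeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid       = "AthenaQueryResults"
    actions   = ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [var.analyst_role_arn]
    }
  }
}

resource "aws_kms_key" "athena_results" {
  description             = "Athena query result encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.athena_results_key.json
}

resource "aws_kms_alias" "athena_results" {
  name          = "alias/athena-results"
  target_key_id = aws_kms_key.athena_results.key_id
}

# Workgroup: SSE_KMS with an explicit key ARN. enforce_workgroup_configuration
# stays true so client-side result settings cannot downgrade the encryption.
resource "aws_athena_workgroup" "analytics" {
  name = "analytics-kms"

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${var.results_bucket}/athena-results/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.athena_results.arn
      }
    }
  }
}

# Bucket default: anything written to the results bucket by something other
# than this workgroup lands under the same key. This affects new objects only;
# existing result objects must be copied in place to pick it up.
resource "aws_s3_bucket_server_side_encryption_configuration" "results" {
  bucket = var.results_bucket

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.athena_results.arn
    }
    bucket_key_enabled = true
  }
}
```

The key policy is deliberately narrow: the analyst role is not granted kms:Encrypt or kms:ReEncrypt*, because Athena only needs to generate a data key on write and decrypt on read. If the results bucket lives in a different account, the key policy also needs a statement for the principals in that account, and the bucket policy must allow the workgroup's output_location prefix.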

Audit evidence

AWS Config rule evaluation results showing each Athena workgroup as COMPLIANT are the primary evidence, or equivalent output from a CSPM tool scanning the athena:GetWorkGroup API response. The WorkGroup.Configuration.ResultConfiguration.EncryptionConfiguration.EncryptionOption field should show SSE_S3, SSE_KMS, or CSE_KMS. For KMS-backed encryption, auditors will typically also ask for confirmation that the referenced key is active and has an appropriate key policy.

Console screenshots of the workgroup settings page are acceptable supplementary evidence. CloudTrail CreateWorkGroup and UpdateWorkGroup events establish when encryption was enabled and by whom; GetWorkGroup is a read call and only shows that someone inspected the setting.

Framework-specific interpretation

PCI DSS v4.0: If Athena queries touch cardholder data, unencrypted results in S3 directly violate Requirement 3's mandate to render stored PAN unreadable. Workgroup encryption with KMS meets Requirement 3.5.1 for that data.

NIST Cybersecurity Framework v2.0: PR.DS under the Protect function calls for safeguards on managed data throughout its lifecycle. Workgroup-level encryption at rest covers that outcome for the S3 objects Athena writes as query results.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: athena_workgroup_encryption_at_rest_enabled

  • AWS Config Managed Rule: ATHENA_WORKGROUP_ENCRYPTED_AT_REST

  • Checkov Check: CKV_AWS_159

  • Powerpipe Control: aws_compliance.control.athena_workgroup_encryption_at_rest_enabled

  • Prowler Check: athena_workgroup_encryption

  • KICS Query: d364984a-a222-4b5f-a8b0-e23ab19ebff3

  • Trivy Check: AWS-0006

Last reviewed: 2026-03-08