Athena workgroups should enforce configuration
When enforce_workgroup_configuration is disabled, individual users can override the workgroup's output location and encryption settings at query time. Query results can land in unintended S3 buckets without encryption, bypassing the controls you configured at the workgroup level. A single user running a query with a custom output location can exfiltrate data or create unencrypted copies of sensitive results.
Enforcing workgroup configuration closes this gap. Every query in the workgroup writes results to the designated S3 path with the specified encryption, regardless of what the client requests.
Retrofit consideration
Enabling enforcement on existing workgroups can break queries that rely on client-side output location or encryption overrides. Audit active query patterns before toggling this on.
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_athena_workgroup.
resource "aws_athena_workgroup" "this" {
  name = "pofix-abc123"

  configuration {
    # Reject client-side overrides of output location and encryption.
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      encryption_configuration {
        encryption_option = "SSE_S3"
      }
    }
  }
}
What this control checks
This control validates every aws_athena_workgroup resource. Within the configuration block, enforce_workgroup_configuration must be true. It fails if the argument is explicitly false. It also fails if a result_configuration block defines an output location and encryption while enforcement is off, since users can simply ignore those settings. Every workgroup must explicitly set enforce_workgroup_configuration = true to pass.
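The rule described above, written out as an added example (not Compliance.tf's own implementation) that evaluates the configuration section of terraform show -json output, so that an omitted argument is also reported rather than masked by the provider default. The plan JSON, the resource addresses and the S3 path are constructed for the example; the shape of nested blocks in the plan JSON is assumed from Terraform's documented plan format.

```python
import json

# Constructed sample of the `configuration` section of `terraform show -json`,
# which carries the raw HCL expressions (an omitted argument is simply absent).
SAMPLE_PLAN = json.loads("""
{"configuration": {"root_module": {"resources": [
  {"address": "aws_athena_workgroup.analytics", "type": "aws_athena_workgroup",
   "expressions": {"configuration": [
     {"enforce_workgroup_configuration": {"constant_value": true}}]}},
  {"address": "aws_athena_workgroup.legacy", "type": "aws_athena_workgroup",
   "expressions": {"configuration": [
     {"enforce_workgroup_configuration": {"constant_value": false},
      "result_configuration": [{"output_location": {"constant_value": "s3://results/"},
        "encryption_configuration": [{"encryption_option": {"constant_value": "SSE_S3"}}]}]}]}},
  {"address": "aws_athena_workgroup.implicit", "type": "aws_athena_workgroup",
   "expressions": {"configuration": [
     {"publish_cloudwatch_metrics_enabled": {"constant_value": true}}]}}
]}}}
""")

def check_athena_workgroups(plan):
    """Return (address, status, reason) for every aws_athena_workgroup.
    Reads `configuration`, not `planned_values`: planned_values already has the
    provider default filled in, so it cannot tell explicit true from omitted."""
    findings = []
    root = plan.get("configuration", {}).get("root_module", {})
    for res in root.get("resources", []):
        if res.get("type") != "aws_athena_workgroup":
            continue
        addr = res.get("address", "<unknown>")
        cfg_blocks = res.get("expressions", {}).get("configuration") or []
        if not cfg_blocks:
            findings.append((addr, "FAIL", "no configuration block; enforcement left to the default"))
            continue
        cfg = cfg_blocks[0]
        expr = cfg.get("enforce_workgroup_configuration")
        if expr is None:
            findings.append((addr, "FAIL", "enforce_workgroup_configuration not set explicitly"))
        elif "constant_value" not in expr:
            findings.append((addr, "REVIEW", "value is an expression; resolve it before trusting it"))
        elif expr["constant_value"] is True:
            findings.append((addr, "PASS", "enforce_workgroup_configuration = true"))
        else:
            reason = "enforce_workgroup_configuration = false"
            if cfg.get("result_configuration"):
                reason += "; result_configuration is present but clients can override it"
            findings.append((addr, "FAIL", reason))
    return findings
```

Run it against a real plan with check_athena_workgroups(json.load(open("plan.json"))) after terraform show -json tfplan > plan.json; only the analytics workgroup in the sample passes.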
Common pitfalls
Default value masks intentional disablement
Removing an explicit enforce_workgroup_configuration = false argument is not the same as setting it to true. On the next apply, Terraform falls back to the provider/API default, which may not match your intent. Teams that relied on override behavior have been surprised by this. Set the argument explicitly in every workgroup block.
Primary workgroup often overlooked
The default primary workgroup created automatically in every account is not managed by Terraform unless explicitly imported. Its EnforceWorkGroupConfiguration setting may be false. Use aws athena get-work-group --work-group primary to check, then import it with terraform import aws_athena_workgroup.primary primary to bring it under management.
Named queries and prepared statements still run in workgroups
Even with enforcement enabled, users can still execute any query they want. Enforcement controls where results land and how they are encrypted, not what data gets queried. Don't conflate this with query-level access control, which requires Lake Formation or IAM policies on the underlying data sources.
Audit evidence
Auditors expect AWS Config rule evaluation results showing all Athena workgroups as compliant, or equivalent output from a CSPM tool scanning EnforceWorkGroupConfiguration across all accounts and regions. The CLI command aws athena get-work-group --work-group <name> returns the EnforceWorkGroupConfiguration field under WorkGroup.Configuration, and it should be true for every workgroup. Screenshots from the Athena console showing the "Override client-side settings" toggle are acceptable supplementary evidence. For multi-account environments, an AWS Config aggregator dashboard or a third-party compliance report covering all member accounts is the preferred artifact.
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: athena_workgroup_enforce_configuration_enabled
AWS Config Managed Rule: ATHENA_WORKGROUP_ENFORCE_WORKGROUP_CONFIGURATION
Checkov Check: CKV_AWS_82
Powerpipe Control: aws_compliance.control.athena_workgroup_enforce_configuration_enabled
Prowler Check: athena_workgroup_enforce_configuration
Trivy Check: AWS-0007
Last reviewed: 2026-03-08