Athena workgroups should have logging enabled
Athena workgroups without CloudWatch metrics publishing cut off operational signal. When publish_cloudwatch_metrics_enabled is false, you lose visibility into query execution counts, data scanned per query, and execution times. These metrics feed CloudWatch alarms that can catch runaway queries before they burn through your budget.
Without workgroup-level metrics, incident investigation becomes guesswork. If a compromised identity starts exfiltrating data through Athena queries, the absence of CloudWatch metrics means no automated alert fires, and CloudTrail alone won't show you the data-scanned volume that distinguishes reconnaissance from bulk extraction.
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_athena_workgroup.
resource "aws_athena_workgroup" "this" {
  name = "pofix-abc123"

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      encryption_configuration {
        encryption_option = "SSE_S3"
      }
    }
  }
}
What this control checks
The control validates aws_athena_workgroup resources. publish_cloudwatch_metrics_enabled inside the configuration block must be true to pass. It fails when the value is false. Because the Terraform provider may handle absent arguments differently across versions, declare the argument explicitly on every managed workgroup rather than relying on defaults.
Common pitfalls
Relying on implicit behavior instead of explicit declaration
Omit publish_cloudwatch_metrics_enabled from your Terraform config and the provider may silently apply a default. Don't rely on that behavior: set it explicitly to true so later configuration changes can't quietly disable metrics.
Primary workgroup not managed in Terraform
The default primary workgroup exists in every AWS account automatically. If it isn't imported via terraform import aws_athena_workgroup.primary primary, it stays unmanaged and may have metrics publishing disabled. This workgroup often still receives ad-hoc queries from developers using the console.
Confusing metrics publishing with query result logging
Setting result_configuration.output_location to an S3 bucket stores query results, but that's not CloudWatch metrics publishing. Both matter for operational visibility; this control specifically checks publish_cloudwatch_metrics_enabled. Having one without the other still leaves a gap.
Audit evidence
An auditor expects AWS Config rule evaluation results showing each Athena workgroup as COMPLIANT, with metrics publishing active. CloudWatch metrics under the AWS/Athena namespace should show active data points for TotalExecutionTime and ProcessedBytes, grouped by workgroup name.
Supporting evidence includes the Athena workgroup settings page in the console showing 'Publish query metrics to AWS CloudWatch' as enabled, or the output of aws athena get-work-group --work-group <name> with PublishCloudWatchMetricsEnabled: true in the response. CloudTrail events for CreateWorkGroup and UpdateWorkGroup calls that include this configuration confirm the setting was intentionally applied and not later reverted.
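The following script is an added example, not code from Compliance.tf or any of the tools listed below. It applies the control's predicate from "What this control checks" to two inputs a practitioner actually has at hand: a terraform show -json plan (pre-deployment) and aws athena get-work-group responses (the audit evidence described above). It also covers two of the pitfalls: an absent publish_cloudwatch_metrics_enabled argument is reported as a failure rather than trusted to a provider default, and workgroups that exist in the account but not in the plan (such as the default primary workgroup) are surfaced as unmanaged. The nested-block layout of the plan JSON (configuration as a one-element list) is an assumption about Terraform's JSON output format, and every sample document is constructed for this example.

```python
"""Evaluate Athena workgroups for CloudWatch metrics publishing.

Added example (not Compliance.tf project code). Inputs and shapes:
  * plan JSON from `terraform show -json` (nested blocks assumed to be lists)
  * responses from `aws athena get-work-group --work-group <name>`
All sample data below is constructed for illustration.
"""
from typing import Any, Dict, Iterable, List, Set


def _walk_modules(module: Dict[str, Any]) -> Iterable[Dict[str, Any]]:
    """Yield every resource in a plan module and its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def evaluate_plan(plan: Dict[str, Any]) -> Dict[str, str]:
    """Map each aws_athena_workgroup address in the plan to PASS or FAIL.

    A workgroup passes only when publish_cloudwatch_metrics_enabled is
    explicitly true. False and absent both fail: the control wants the
    argument declared, not left to provider defaults.
    """
    results: Dict[str, str] = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _walk_modules(root):
        if res.get("type") != "aws_athena_workgroup":
            continue
        # Assumed shape: block attributes are serialized as lists of objects.
        blocks: List[Dict[str, Any]] = res.get("values", {}).get("configuration") or [{}]
        flag = blocks[0].get("publish_cloudwatch_metrics_enabled")  # None when absent
        results[res["address"]] = "PASS" if flag is True else "FAIL"
    return results


def managed_workgroup_names(plan: Dict[str, Any]) -> Set[str]:
    """Names of workgroups the plan manages (used to spot unmanaged ones)."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return {
        res.get("values", {}).get("name", "")
        for res in _walk_modules(root)
        if res.get("type") == "aws_athena_workgroup"
    }


def unmanaged_workgroups(plan: Dict[str, Any], live_names: Iterable[str]) -> Set[str]:
    """Workgroups present in the account but absent from the Terraform plan."""
    return set(live_names) - managed_workgroup_names(plan)


def evaluate_get_work_group(response: Dict[str, Any]) -> str:
    """COMPLIANT/NON_COMPLIANT for one get-work-group response, as an
    AWS Config evaluation would report it."""
    config = response.get("WorkGroup", {}).get("Configuration", {})
    enabled = config.get("PublishCloudWatchMetricsEnabled", False)
    return "COMPLIANT" if enabled is True else "NON_COMPLIANT"


def _workgroup_resource(address: str, name: str, config: Dict[str, Any]) -> Dict[str, Any]:
    # Helper to build constructed plan resources with the assumed list-of-blocks shape.
    return {"address": address, "type": "aws_athena_workgroup",
            "values": {"name": name, "configuration": [config]}}


# Constructed plan: one compliant, one explicitly disabled, one with the argument omitted.
SAMPLE_PLAN: Dict[str, Any] = {
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        _workgroup_resource("aws_athena_workgroup.this", "pofix-abc123",
                            {"enforce_workgroup_configuration": True,
                             "publish_cloudwatch_metrics_enabled": True}),
        _workgroup_resource("aws_athena_workgroup.legacy", "legacy-reports",
                            {"enforce_workgroup_configuration": True,
                             "publish_cloudwatch_metrics_enabled": False}),
        _workgroup_resource("aws_athena_workgroup.implicit", "adhoc",
                            {"enforce_workgroup_configuration": True}),
        {"address": "aws_s3_bucket.results", "type": "aws_s3_bucket",
         "values": {"bucket": "example-athena-results"}},
    ]}},
}

# Constructed get-work-group responses; "primary" mirrors the unmanaged default workgroup.
SAMPLE_RESPONSES: Dict[str, Dict[str, Any]] = {
    "pofix-abc123": {"WorkGroup": {"Name": "pofix-abc123", "State": "ENABLED",
                                   "Configuration": {"EnforceWorkGroupConfiguration": True,
                                                     "PublishCloudWatchMetricsEnabled": True}}},
    "primary": {"WorkGroup": {"Name": "primary", "State": "ENABLED",
                              "Configuration": {"EnforceWorkGroupConfiguration": False,
                                                "PublishCloudWatchMetricsEnabled": False}}},
}

if __name__ == "__main__":
    for address, verdict in evaluate_plan(SAMPLE_PLAN).items():
        print(f"plan  {address}: {verdict}")
    for name, resp in SAMPLE_RESPONSES.items():
        print(f"live  {name}: {evaluate_get_work_group(resp)}")
    print("unmanaged:", sorted(unmanaged_workgroups(SAMPLE_PLAN, SAMPLE_RESPONSES)))
```

In practice the live names would come from aws athena list-work-groups and each response from aws athena get-work-group; feeding them to evaluate_get_work_group and unmanaged_workgroups gives the per-workgroup verdict an auditor expects and flags the primary workgroup until it is imported into state.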
Framework-specific interpretation
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: athena_workgroup_logging_enabled
AWS Config Managed Rule: ATHENA_WORKGROUP_LOGGING_ENABLED
Powerpipe Control: aws_compliance.control.athena_workgroup_logging_enabled
Prowler Check: athena_workgroup_logging_enabled
AWS Security Hub Control: Athena.4
Last reviewed: 2026-03-08