AWS Athena Query Results are not encrypted with the Customer Master Key (CMK)

Description:

AWS Athena allows you to run ad-hoc queries on data stored in Amazon S3. Although Athena can store query results in S3 under the default (AWS-managed) encryption, sensitive query results should be encrypted with a Customer Master Key (CMK) managed through AWS Key Management Service (KMS), which gives you stronger confidentiality and direct control over who can decrypt the data.


Remediation:

1. Encrypt Athena Query Results with CMK:

AWS Management Console:
  • Navigate to the Athena service.
  • In the Athena console, select Settings.
  • Under Query result location, you will see the S3 bucket location where the results are stored.
  • Navigate to the specified S3 bucket.
  • Under Properties, select Default encryption.
  • Choose Enable and select AWS-KMS as the encryption method. Then, select your CMK from the available options.

AWS CLI:

You can set CMK encryption for an S3 bucket using the following command:

aws s3api put-bucket-encryption \
    --bucket <BUCKET-NAME> \
    --server-side-encryption-configuration '{
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "<YOUR-KMS-KEY-ID>"
                }
            }
        ]
    }'

Replace <BUCKET-NAME> with the name of your S3 bucket and <YOUR-KMS-KEY-ID> with your CMK ID.

Terraform:

# AWS provider v4+ style: bucket settings are configured through dedicated
# resources; the inline server_side_encryption_configuration and acl
# arguments of aws_s3_bucket are deprecated.
resource "aws_s3_bucket" "athena_results" {
  bucket = "<BUCKET-NAME>"

  # ... other configurations ...
}

resource "aws_s3_bucket_server_side_encryption_configuration" "athena_results" {
  bucket = aws_s3_bucket.athena_results.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.example.arn
    }
  }
}

resource "aws_kms_key" "example" {
  description         = "KMS key for Athena Query Results"
  enable_key_rotation = true # recommended for a CMK
  # ... other configurations ...
}

Replace <BUCKET-NAME> with the name of your S3 bucket.
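To verify the remediation above, the following audit helper (an added example, not part of the original finding) checks whether a query-results bucket's default encryption uses a customer-managed key, and additionally checks the Athena workgroup's own result-encryption setting, which the finding does not cover. The pure functions take the API response shapes so they run offline; the live wrapper assumes boto3 is installed and the caller has s3:GetBucketEncryption.

```python
"""Added audit helper (not part of the finding): does an Athena query-results bucket,
and the Athena workgroup writing to it, use a customer-managed KMS key (CMK)?
Pure functions take the API response shapes so they run offline; the live wrapper
assumes boto3 is installed and the caller has s3:GetBucketEncryption."""

AWS_MANAGED_S3_KEY_ALIAS = "alias/aws/s3"  # AWS-managed key, not a CMK


def bucket_default_encryption_uses_cmk(sse_config: dict) -> bool:
    """sse_config: the ServerSideEncryptionConfiguration dict from s3:GetBucketEncryption.
    True only if every rule defaults to aws:kms with an explicit key that is not the
    AWS-managed alias. A bare key ID of the AWS-managed key cannot be told apart here;
    kms:DescribeKey (KeyManager == "CUSTOMER") is the definitive test for that case."""
    rules = sse_config.get("Rules") or []
    if not rules:
        return False
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        if default.get("SSEAlgorithm") != "aws:kms":
            return False
        key_id = default.get("KMSMasterKeyID") or ""
        if not key_id or key_id.endswith(AWS_MANAGED_S3_KEY_ALIAS):
            return False
    return True


def workgroup_results_use_cmk(result_config: dict) -> bool:
    """result_config: WorkGroup.Configuration.ResultConfiguration from athena:GetWorkGroup.
    Athena can also encrypt results itself (SSE_KMS or CSE_KMS), independent of the bucket."""
    enc = result_config.get("EncryptionConfiguration") or {}
    return enc.get("EncryptionOption") in ("SSE_KMS", "CSE_KMS") and bool(enc.get("KmsKey"))


def audit_bucket(bucket: str) -> bool:
    """Live check of one bucket's default encryption."""
    import boto3  # imported here so the pure checks above need no AWS SDK
    from botocore.exceptions import ClientError
    try:
        resp = boto3.client("s3").get_bucket_encryption(Bucket=bucket)
        sse = resp["ServerSideEncryptionConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise
        sse = {"Rules": []}  # no default encryption configured at all
    return bucket_default_encryption_uses_cmk(sse)
```

A workgroup setting only protects results if the workgroup is configured to override client-side settings; otherwise a client can still supply its own result configuration.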


Recommendation:

For increased security and better control over your data, always ensure that sensitive query results stored by AWS Athena in S3 are encrypted with a CMK. Using a CMK offers granular permissions, enhanced auditing, and control over the cryptographic operations on the encrypted data.