AWS Athena Query Results are not encrypted with the Customer Master Key (CMK)
Description:
AWS Athena allows you to run ad-hoc queries on data stored in Amazon S3. While Athena supports the default encryption method for query results stored in S3, it's crucial from a security standpoint to encrypt sensitive query results with a Customer Master Key (CMK) managed through AWS Key Management Service (KMS) for enhanced confidentiality and control over data access.
Remediation:
1. Encrypt Athena Query Results with CMK:
AWS Management Console:
- Navigate to the Athena service.
- In the Athena console, select Settings.
- Under Query result location, you will see the S3 bucket location where the results are stored.
- Navigate to the specified S3 bucket.
- Under Properties, select Default encryption.
- Choose Enable and select AWS-KMS as the encryption method. Then, select your CMK from the available options.
AWS CLI:
You can set CMK encryption for an S3 bucket using the following command:
aws s3api put-bucket-encryption \
  --bucket <BUCKET-NAME> \
  --server-side-encryption-configuration '{
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "aws:kms",
          "KMSMasterKeyID": "<YOUR-KMS-KEY-ID>"
        }
      }
    ]
  }'
Replace <BUCKET-NAME> with the name of your S3 bucket and <YOUR-KMS-KEY-ID> with your CMK ID.
Terraform:
# Assumes AWS provider v4 or later, where bucket encryption is managed by a
# separate resource rather than an inline block on aws_s3_bucket.
resource "aws_s3_bucket" "athena_results" {
  bucket = "<BUCKET-NAME>"
  # New buckets are private by default; the inline acl argument is
  # deprecated in provider v4+ and is not needed here.
  # ... other configurations ...
}

resource "aws_s3_bucket_server_side_encryption_configuration" "athena_results" {
  bucket = aws_s3_bucket.athena_results.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.example.arn
    }
  }
}

resource "aws_kms_key" "example" {
  description         = "KMS key for Athena Query Results"
  enable_key_rotation = true
  # ... other configurations ...
}
Replace <BUCKET-NAME> with the name of your S3 bucket.
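Bucket default encryption only covers objects that Athena writes without explicit encryption headers. Athena also carries its own result-encryption setting per workgroup, which can be enforced so that no query can opt out of the CMK. The following Terraform is an added example, not taken from the page above; it assumes the aws_s3_bucket.athena_results and aws_kms_key.example resources from the Terraform section, and the workgroup name "analytics" and the "results/" prefix are placeholders.

```hcl
# Added example (not from the original page). Assumes the
# aws_s3_bucket.athena_results and aws_kms_key.example resources above.
resource "aws_athena_workgroup" "analytics" {
  name = "analytics" # placeholder workgroup name

  configuration {
    # Reject client-side result settings so a query cannot bypass the
    # CMK by supplying its own ResultConfiguration.
    enforce_workgroup_configuration = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.athena_results.bucket}/results/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.example.arn
      }
    }
  }
}

# The key policy (or an IAM policy on the querying principals) must allow
# kms:GenerateDataKey and kms:Decrypt on the CMK; otherwise queries fail
# when Athena writes or reads result objects.
```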
Recommendation:
For increased security and better control over your data, always ensure that sensitive query results stored by AWS Athena in S3 are encrypted with a CMK. Using a CMK offers granular permissions, enhanced auditing, and control over the cryptographic operations on the encrypted data.