AWS Athena Query Results are not stored encrypted
Description:
AWS Athena allows you to run ad-hoc queries on data stored in Amazon S3. The results of these queries can be stored in an S3 location specified by the user. For enhanced security, it's recommended that you encrypt these query results to ensure that sensitive data remains confidential and is protected from unauthorized access.
Remediation:
1. Encrypt Athena Query Results:
AWS Management Console:
- Navigate to the Athena service.
- In the Athena console, select Settings.
- Under Query result location, you will see the S3 bucket location where the results are stored.
- Navigate to the specified S3 bucket.
- Under Properties, select Default encryption.
- Choose Enable and select the encryption method. For more security, choose AWS-KMS and select your CMK.
AWS CLI:
You can set the default encryption for an S3 bucket using the following command:
aws s3api put-bucket-encryption \
--bucket <BUCKET-NAME> \
--server-side-encryption-configuration '{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "<YOUR-KMS-KEY-ID>"
}
}
]
}'
Replace <BUCKET-NAME>
with the name of your S3 bucket and <YOUR-KMS-KEY-ID>
with your CMK ID.
Terraform:
resource "aws_s3_bucket" "athena_results" {
bucket = "<BUCKET-NAME>"
acl = "private"
# ... other configurations ...
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
kms_master_key_id = aws_kms_key.example.arn
}
}
}
}
resource "aws_kms_key" "example" {
description = "KMS key for Athena Query Results"
// other configurations...
}
Replace <BUCKET-NAME>
with the name of your S3 bucket.
Recommendation:
Always encrypt sensitive data at rest. When using AWS Athena, ensure that the S3 buckets storing your query results have encryption enabled using a CMK. This adds an additional layer of security and protects your data from unauthorized access.
Updated 12 months ago