Workgroup Configuration Not Enforced
This plugin makes sure that clients will not be able to override configuration options.
Risk Level: Low
Description:
This plugin makes sure that clients will not be able to override configuration options. Preventing client-side overrides is crucial to enforcing the encryption mandate. Although Athena lets clients alter configuration parameters and encryption requirements per workgroup, SentinelOne CNS strongly recommends disabling the ability of clients to alter the configuration parameters of the Athena workgroup.
About the Service:
Athena is an interactive, AWS-managed query service for analyzing data in Amazon S3 directly with standard SQL. Data in transit between Amazon Athena and S3 is encrypted by default using SSL/TLS; however, encryption of query results at rest is not enabled by default.
Impact:
If the workgroup configuration is not enforced, clients will be able to override configuration options and the encryption mandate will not be enforced.
Steps to reproduce:
- Log in to the AWS Console.
- Navigate to the AWS Athena dashboard.
- On the Create Workgroup or Edit Workgroup page, look for the field Override Client-Side Settings.
- Check whether the field Override Client-Side Settings is selected.
- If it is not checked, Athena uses client-side settings for the location and encryption of query results for all queries running in this workgroup.
Steps for remediation:
- Log in to the AWS Console.
- Navigate to the AWS Athena dashboard.
- On the Create Workgroup or Edit Workgroup page, look for the field Override Client-Side Settings.
- Check whether the field Override Client-Side Settings is selected.
- If it is not checked, check the box.
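The same check can be scripted across all workgroups instead of clicking through each one. The following is an added example, not code from the original page or from SentinelOne: it audits responses shaped like the Athena `GetWorkGroup` API output, and goes one step beyond the console check by also flagging workgroups that define no result encryption. The workgroup names in `SAMPLE` are constructed, and treating a missing `EnforceWorkGroupConfiguration` field as "not enforced" is an assumption of this example.

```python
# Added example: audit Athena workgroups for enforced configuration.
# Input dicts follow the shape of the Athena GetWorkGroup API response.

def audit_workgroup(resp):
    """Return a list of findings for one GetWorkGroup response."""
    cfg = resp["WorkGroup"].get("Configuration", {})
    findings = []
    # Assumption: a missing field is treated as "not enforced" (fail closed).
    if not cfg.get("EnforceWorkGroupConfiguration", False):
        findings.append("client-side settings can override the workgroup configuration")
    enc = cfg.get("ResultConfiguration", {}).get("EncryptionConfiguration", {})
    if not enc.get("EncryptionOption"):
        # Enforcing a workgroup that sets no encryption mandates nothing.
        findings.append("workgroup defines no query result encryption")
    return findings

def audit_all(responses):
    """Map workgroup name -> findings, keeping only non-compliant workgroups."""
    report = {}
    for resp in responses:
        findings = audit_workgroup(resp)
        if findings:
            report[resp["WorkGroup"]["Name"]] = findings
    return report

def fetch_workgroups(region):
    """Live path (needs boto3 and AWS credentials); unused by the sample run."""
    import boto3
    athena = boto3.client("athena", region_name=region)
    names, kwargs = [], {}
    while True:
        page = athena.list_work_groups(**kwargs)
        names += [w["Name"] for w in page["WorkGroups"]]
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]
    return [athena.get_work_group(WorkGroup=n) for n in names]

def _wg(name, enforce, option=None):
    """Build a constructed GetWorkGroup-style response for the sample run."""
    result = {"EncryptionConfiguration": {"EncryptionOption": option}} if option else {}
    return {"WorkGroup": {"Name": name, "Configuration": {
        "EnforceWorkGroupConfiguration": enforce, "ResultConfiguration": result}}}

# Constructed sample data: one overridable, one compliant, one unencrypted.
SAMPLE = [_wg("primary", False, "SSE_S3"), _wg("analytics", True, "SSE_KMS"),
          _wg("adhoc", True)]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

For a live audit, pass the result of `fetch_workgroups("<region>")` to `audit_all` in place of `SAMPLE`.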