Amazon Athena

Workgroup Configuration Not Enforced

This plugin makes sure that clients will not be able to override configuration options.

Risk Level: Low

Description: 

This plugin makes sure that clients will not be able to override configuration options. It is crucial to disable this setting to enforce the encryption mandate. Although clients can alter configuration parameters and encryption requirements by workgroup Athena, SentinelOne CNS strongly recommends disabling the ability of clients to alter the configuration parameters of the Athena workgroup.

About the Service :

Athena is an interactive AWS-managed query solution for analyzing data directly with standard SQL in Amazon S3. Default data encryption between Amazon Athena and S3 by utilizing SSL/TLS is offered, however, encryption of rest query results by default is not enabled.

Impact : 

In the absence of this, the clients will be able to override configuration options and the encryption mandate will not be enforced.

Steps to reproduce :

  1. Log In to AWS Console.
  2. Navigate to the AWS Athena dashboard.
  3. In the Create Workbook and Edit Workbook, look for the field Override Client-Side Setting.
  4. Check if the field Override Client-Side Setting is selected or not.
  5. If it is not checked then that means Athena utilizes client-side settings for location and encryption of query results for all the queries running in this workgroup.

Steps for remediation :

  1. Log In to AWS Console.
  2. Navigate to the AWS Athena dashboard.
  3. In the Create Workbook and Edit Workbook, look for the field Override Client-Side Setting.
  4. Check if the field Override Client-Side Setting is selected or not.
  5. If it is not checked then check the box.