Ensure Athena Database is encrypted at rest

Error: Athena Database is not encrypted at rest

Bridgecrew Policy ID: BC_AWS_GENERAL_29
Checkov Check ID: CKV_AWS_77
Severity: MEDIUM


Athena is a query service managed by AWS that uses standard SQL to analyze data directly in Amazon S3. Encryption of data while in transit between Amazon Athena and S3 is provided by default using SSL/TLS, but encryption of query results at rest is not enabled by default.

The encryption at rest feature available for AWS Athena query results provides an additional layer of data protection by helping secure your data against unauthorized access to the underlying Amazon S3 storage.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon Athena console.
  3. In the Athena console, choose Settings.
  4. Choose Encrypt query results.
  5. For Encryption select either CSE-KMS, SSE-KMS, or SSE-S3.
  6. If your account has access to an existing AWS KMS customer managed key (CMK), choose its alias or choose Enter a KMS key ARN, then enter an ARN.
  7. Click Save.

Fix - Buildtime

Terraform

  • Resource: aws_athena_database
  • Arguments: encryption_configuration - (Optional) The encryption key block AWS Athena uses to decrypt the data in S3, such as an AWS Key Management Service (AWS KMS) key. An encryption_configuration block is documented below.

resource "aws_athena_database" "examplea" {
  name   = "database_name"
  # bucket is a required argument of the resource; the referenced S3 bucket is an assumption
  bucket = aws_s3_bucket.example.bucket
+ # encryption_option must be one of SSE_S3, SSE_KMS or CSE_KMS;
+ # kms_key is required for the two KMS-based options
+ encryption_configuration {
+   encryption_option = var.encryption_option
+   kms_key           = var.kms_key_arn
+ }
}
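As an added example (not Checkov's own implementation and not code from this page), the Python below evaluates parsed aws_athena_database attributes the way this check reasons about them: the encryption_configuration block must be present, encryption_option must be SSE_S3, SSE_KMS or CSE_KMS, and the two KMS options must also carry a kms_key. The dict layout of the resources and the key ARN are constructed assumptions.

```python
"""Evaluate aws_athena_database resources for encryption at rest (CKV_AWS_77-style).

Added example; resource attributes are represented as plain dicts
(a hypothetical shape, not Checkov's internal representation).
"""
from enum import Enum

VALID_OPTIONS = {"SSE_S3", "SSE_KMS", "CSE_KMS"}
KMS_OPTIONS = {"SSE_KMS", "CSE_KMS"}  # options that need a kms_key


class Result(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"


def check_athena_database(conf):
    """Return (Result, reason) for one aws_athena_database attribute map."""
    blocks = conf.get("encryption_configuration")
    if not blocks:
        return Result.FAILED, "encryption_configuration block missing"
    enc = blocks[0] if isinstance(blocks, list) else blocks
    option = enc.get("encryption_option")
    if option not in VALID_OPTIONS:
        return Result.FAILED, f"encryption_option {option!r} is not one of {sorted(VALID_OPTIONS)}"
    if option in KMS_OPTIONS and not enc.get("kms_key"):
        return Result.FAILED, f"{option} requires kms_key"
    return Result.PASSED, f"query results encrypted with {option}"


def scan(resources):
    """Apply the check to every resource in a {name: attributes} map."""
    return {name: check_athena_database(attrs)[0] for name, attrs in resources.items()}


# Constructed sample resources, analogous to the Terraform snippet above.
SAMPLE_RESOURCES = {
    "unencrypted": {"name": "database_name", "bucket": "example-bucket"},
    "sse_s3": {"name": "database_name", "bucket": "example-bucket",
               "encryption_configuration": [{"encryption_option": "SSE_S3"}]},
    "kms_without_key": {"name": "database_name", "bucket": "example-bucket",
                        "encryption_configuration": [{"encryption_option": "SSE_KMS"}]},
    "sse_kms": {"name": "database_name", "bucket": "example-bucket",
                "encryption_configuration": [{"encryption_option": "SSE_KMS",
                                              "kms_key": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER"}]},
}

if __name__ == "__main__":
    for name, attrs in SAMPLE_RESOURCES.items():
        result, reason = check_athena_database(attrs)
        print(f"{name}: {result.value} ({reason})")
```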