Ensure Athena workgroup prevents disabling encryption

Error: Athena workgroup does not prevent disabling encryption

Bridgecrew Policy ID: BC_AWS_GENERAL_33
Checkov Check ID: CKV_AWS_82
Severity: MEDIUM

Athena workgroup does not prevent disabling encryption


You can configure settings at the workgroup level and enforce control over the workgroup. These settings affect you only if you run queries in the workgroup; if you do, the workgroup settings are used.

If a query runs in a workgroup and the workgroup overrides client-side settings, Athena uses the workgroup's settings for encryption. The workgroup configuration also overrides any other settings specified for the query in the console, through API operations, or with drivers.

Fix - Runtime

CLI Command

Run the create-cluster command and use the encryption-info option to point to the file where you saved your configuration JSON.

aws kafka create-cluster \
  --cluster-name "ExampleClusterName" \
  --broker-node-group-info file://brokernodegroupinfo.json \
  --encryption-info file://encryptioninfo.json \
  --kafka-version "2.2.1" \
  --number-of-broker-nodes 3

Fix - Buildtime


  • Resource: aws_athena_workgroup
  • Argument: enforce_workgroup_configuration - (Optional) Boolean indicating whether the settings for the workgroup override client-side settings. For more information, see Workgroup Settings Override Client-Side Settings. Defaults to true.
resource "aws_athena_workgroup" "example" {
  name = "example"

  configuration {
    # Workgroup settings override client-side settings, so a client cannot disable encryption
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.example.bucket}/output/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.example.arn
      }
    }
  }
}
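
The following Python script applies the same build-time rule to the JSON produced by `terraform show -json`, flagging workgroups that set enforce_workgroup_configuration to false. It is an added example, not code from the original page or from Checkov; the plan data, resource addresses and function names are constructed for illustration, and the second check (no result encryption configured at all) goes beyond what the policy on this page states.

```python
import json

# Constructed sample (not from the page): trimmed `terraform show -json` output.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_athena_workgroup.enforced", "type": "aws_athena_workgroup",
     "values": {"configuration": [{"enforce_workgroup_configuration": true,
       "result_configuration": [{"encryption_configuration": [
         {"encryption_option": "SSE_KMS"}]}]}]}},
    {"address": "aws_athena_workgroup.overridable", "type": "aws_athena_workgroup",
     "values": {"configuration": [{"enforce_workgroup_configuration": false,
       "result_configuration": [{"encryption_configuration": [
         {"encryption_option": "SSE_KMS"}]}]}]}}],
  "child_modules": [{"resources": [
    {"address": "module.lake.aws_athena_workgroup.plain", "type": "aws_athena_workgroup",
     "values": {"configuration": [{"enforce_workgroup_configuration": true}]}}]}]}}}
""")

def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def first(blocks):
    """Plan JSON encodes nested blocks as lists; return the first one or {}."""
    return (blocks or [{}])[0] or {}

def audit_athena_workgroups(plan):
    """Map workgroup address -> findings where clients could skip encryption."""
    findings = {}
    for res in iter_resources(plan.get("planned_values", {}).get("root_module", {})):
        if res.get("type") != "aws_athena_workgroup":
            continue
        config = first(res.get("values", {}).get("configuration"))
        result = first(config.get("result_configuration"))
        problems = []
        # The page gives the default as true, so only an explicit false fails.
        if config.get("enforce_workgroup_configuration", True) is False:
            problems.append("enforce_workgroup_configuration is false")
        if not first(result.get("encryption_configuration")).get("encryption_option"):
            problems.append("no result encryption_configuration for the workgroup to enforce")
        if problems:
            findings[res["address"]] = problems
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_athena_workgroups(SAMPLE_PLAN), indent=2))
```

To run it against a real plan, replace SAMPLE_PLAN with the parsed output of `terraform show -json` for a saved plan file.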


  • Resource: AWS::Athena::WorkGroup
  • Argument: Properties.WorkGroupConfiguration.EnforceWorkGroupConfiguration
    Type: AWS::Athena::WorkGroup
+     WorkGroupConfiguration:
+       EnforceWorkGroupConfiguration: true