Profile Applicability:

  • Level 1

Description:

In Amazon Athena, workgroups are used to organize users and their query resources. Workgroup configuration defines settings such as query result output location, encryption settings, query timeout limits, and other execution parameters.

To ensure that workgroup configuration cannot be overridden by client-side settings (e.g., a user running Athena queries with their own configuration), it is important to enforce that all queries adhere to the workgroup's defined settings. This SOP ensures that client-side overrides are prevented and that workgroup configuration is consistently applied to all queries.

Rationale:

Enforcing workgroup configuration prevents individual users from overriding settings, which ensures:

  • Consistency: Ensures that all queries are executed with the same configuration, preventing variations in settings that could lead to security risks or operational inefficiencies.

  • Security: Prevents users from bypassing security controls such as encryption settings or output location, which could lead to data exposure.

  • Compliance: Helps meet regulatory requirements for data security by ensuring that settings such as encryption and data access control are consistently applied.

Impact:

Pros:

  • Improved Security: Prevents users from changing sensitive settings like encryption or output location, maintaining the integrity of security controls.

  • Consistency: Ensures that all queries are executed within the boundaries of the approved workgroup settings.

  • Compliance: Enforces compliance with internal and external security standards and policies.

Cons:

  • Less Flexibility for Users: Some users might want the ability to override settings, but enforcing workgroup configuration will prevent this flexibility.

  • Management Overhead: This requires careful planning of workgroup configurations and monitoring to ensure that the enforced settings are always correct and up-to-date.

Default Value:

By default, Athena workgroups allow client-side settings (such as output location, query timeout, etc.) to override workgroup configurations. This behavior must be explicitly disabled to enforce the workgroup settings.

Pre-requisite:

  • AWS IAM Permissions:

    • athena:UpdateWorkGroup

    • athena:GetWorkGroup

  • AWS CLI installed and configured.

  • Basic knowledge of Amazon Athena workgroups, Athena query settings, and client-side query configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Athena under Services.

  3. Go to Workgroups and select the workgroup you want to inspect.

  4. In the Workgroup Details, ensure that the workgroup configuration is enforced and cannot be overridden:

    • Verify that workgroup settings such as output location, encryption settings, and query timeouts cannot be changed by users running queries.

    • Ensure that the Workgroup Configuration Enforcement setting is enabled, preventing client-side overrides.

  5. If there is an option to allow client-side overrides in the Workgroup configuration, disable it to enforce the configuration.

Using AWS CLI:

To describe the workgroup and check whether client-side configuration overrides are disabled, run:

aws athena get-work-group --work-group <workgroup-name> --query 'WorkGroup'

  1. In the output, look for Configuration.EnforceWorkGroupConfiguration and ensure that it is set to true, meaning the workgroup settings are enforced:

    • If EnforceWorkGroupConfiguration is false (or absent), client-side settings can override the workgroup configuration, and this must be corrected.

Example output:

{
    "Name": "my-athena-workgroup",
    "Configuration": {
        "ResultConfiguration": {
            "OutputLocation": "s3://athena-query-results/",
            "EncryptionConfiguration": {
                "EncryptionOption": "SSE_KMS",
                "KmsKey": "arn:aws:kms:us-east-1:123456789012:key/abcd1234"
            }
        },
        "EnforceWorkGroupConfiguration": true
    }
}

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon Athena.

  2. In the Athena Dashboard, go to Workgroups and select the workgroup to modify.

  3. In the Workgroup Details, locate the Configuration Enforcement section.

  4. Ensure that Workgroup Configuration Enforcement is enabled, preventing client-side overrides.

    • This ensures that the workgroup's settings cannot be changed by the client, such as overriding encryption settings, output location, or query timeouts.

  5. Save the changes to enforce the workgroup configuration.

Using AWS CLI:

To enable configuration enforcement, run the following command:

aws athena update-work-group \
  --work-group <workgroup-name> \
  --configuration-updates '{"EnforceWorkGroupConfiguration": true}'

To verify the update, run:

aws athena get-work-group --work-group <workgroup-name> --query 'WorkGroup.Configuration.EnforceWorkGroupConfiguration'

  1. Ensure that the command prints true, indicating that client-side settings cannot override the workgroup configuration.
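The CLI check above covers one workgroup at a time. The following is an added example (not part of this SOP or of AWS tooling) that walks every workgroup through ListWorkGroups/GetWorkGroup and reports the enforcement flag together with the output location and encryption settings the flag is meant to protect. FakeAthena is a constructed offline stand-in for boto3.client("athena"); the response shapes follow the real API.

```python
def evaluate_workgroup(wg):
    """Evaluate one GetWorkGroup 'WorkGroup' object and return a finding."""
    cfg = wg.get("Configuration") or {}
    results = cfg.get("ResultConfiguration") or {}
    enforced = bool(cfg.get("EnforceWorkGroupConfiguration", False))  # API default is False
    issues = []
    if not enforced:
        issues.append("client-side settings can override the workgroup configuration")
    if not results.get("OutputLocation"):
        issues.append("no workgroup output location; each caller supplies its own")
    if not results.get("EncryptionConfiguration"):
        issues.append("query results are not encrypted by workgroup policy")
    return {"name": wg["Name"], "enforced": enforced, "issues": issues}


def audit(athena):
    """Walk ListWorkGroups (following NextToken) and evaluate each workgroup."""
    findings, token = [], None
    while True:
        page = athena.list_work_groups(**({"NextToken": token} if token else {}))
        for summary in page["WorkGroups"]:
            wg = athena.get_work_group(WorkGroup=summary["Name"])["WorkGroup"]
            findings.append(evaluate_workgroup(wg))
        token = page.get("NextToken")
        if not token:
            return findings


class FakeAthena:
    """Constructed offline stand-in for boto3.client('athena') with two sample workgroups."""
    _WG = {
        "primary": {"Name": "primary", "Configuration": {
            "ResultConfiguration": {}, "EnforceWorkGroupConfiguration": False}},
        "my-athena-workgroup": {"Name": "my-athena-workgroup", "Configuration": {
            "ResultConfiguration": {
                "OutputLocation": "s3://athena-query-results/",
                "EncryptionConfiguration": {"EncryptionOption": "SSE_KMS",
                    "KmsKey": "arn:aws:kms:us-east-1:123456789012:key/abcd1234"}},
            "EnforceWorkGroupConfiguration": True}},
    }

    def list_work_groups(self, **kwargs):
        return {"WorkGroups": [{"Name": n} for n in self._WG]}

    def get_work_group(self, WorkGroup):
        return {"WorkGroup": self._WG[WorkGroup]}
```

Against a real account, pass boto3.client("athena") to audit() in place of FakeAthena(); the caller needs athena:ListWorkGroups in addition to athena:GetWorkGroup.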

Backout Plan:

If enforcing workgroup settings causes issues (e.g., query failures or application errors):

  1. Identify the affected workgroup.

  2. To disable configuration enforcement, run:

aws athena update-work-group \
  --work-group <workgroup-name> \
  --configuration-updates '{"EnforceWorkGroupConfiguration": false}'

  3. Verify that workgroup configuration enforcement has been disabled and that client-side settings can once again override the workgroup configuration.

Note:

  • Monitor Workgroup Activity: Regularly review the workgroup configurations to ensure they are in line with organizational security policies.

  • Auditing and Logging: Use AWS CloudTrail to monitor and audit changes to workgroup settings and ensure that no unauthorized changes are made.

  • Testing: After enforcing the configuration, test queries executed under the workgroup to ensure that the configuration is applied and client-side overrides are disabled.
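For the CloudTrail auditing point above, here is an added example (not part of this SOP) that scans CloudTrail records for the two Athena control-plane calls that can leave a workgroup without enforcement. The records are constructed samples; requestParameters is assumed to mirror the API request with lower-camelCase keys, as CloudTrail normally renders it, so confirm the exact shape against your own trail.

```python
# Constructed sample CloudTrail records (not real account data). The key casing
# inside requestParameters is an assumption; verify it against your own trail.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "athena.amazonaws.com",
     "eventName": "UpdateWorkGroup",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"workGroup": "my-athena-workgroup",
                           "configurationUpdates": {"enforceWorkGroupConfiguration": False}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "athena.amazonaws.com",
     "eventName": "UpdateWorkGroup",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SecOps"},
     "requestParameters": {"workGroup": "my-athena-workgroup",
                           "configurationUpdates": {"enforceWorkGroupConfiguration": True}}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "athena.amazonaws.com",
     "eventName": "CreateWorkGroup",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"name": "analysts",
                           "configuration": {"resultConfiguration": {"outputLocation": "s3://scratch/"}}}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "athena.amazonaws.com",
     "eventName": "StartQueryExecution", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"workGroup": "analysts", "queryString": "SELECT 1"}},
]


def enforcement_weakening_events(events):
    """Flag Athena events that leave a workgroup without enforcement.

    UpdateWorkGroup counts only when it explicitly sets the flag to false;
    CreateWorkGroup counts when the flag is false or omitted (API default is false).
    """
    hits = []
    for ev in events:
        if ev.get("eventSource") != "athena.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}
        if ev.get("eventName") == "UpdateWorkGroup":
            cfg = params.get("configurationUpdates") or {}
            weak = cfg.get("enforceWorkGroupConfiguration") is False
            name = params.get("workGroup")
        elif ev.get("eventName") == "CreateWorkGroup":
            cfg = params.get("configuration") or {}
            weak = not cfg.get("enforceWorkGroupConfiguration")
            name = params.get("name")
        else:
            continue
        if weak:
            hits.append({"time": ev["eventTime"], "actor": ev["userIdentity"]["arn"],
                         "event": ev["eventName"], "workgroup": name})
    return hits
```

Feed it the "Records" array of a CloudTrail log file, or the events returned by a CloudTrail Lake or Athena query over the trail, and route any hit to the team that owns the workgroup.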

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                             | IG1 | IG2 | IG3
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                            |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                 |     |     |