Ensure that encryption at rest is enabled for Amazon Athena query results stored in Amazon S3 in order to secure data and meet compliance requirements for data-at-rest encryption. Amazon Athena supports the following encryption options for query results in S3: Server-Side Encryption with an Amazon S3-managed key (SSE-S3), Server-Side Encryption with an AWS Key Management Service customer managed key (SSE-KMS) and Client-Side Encryption with an AWS KMS customer managed key (CSE-KMS).
Athena is an interactive query service managed by AWS that lets you use standard SQL to analyze data directly in Amazon S3. Data in transit between Amazon Athena and S3 is encrypted by default using TLS; however, encryption of query results at rest is not enabled by default, so every query writes an unencrypted result file (and its metadata) to the configured S3 output location. Enabling encryption at rest for Athena query results adds a layer of protection against unauthorized access to the underlying storage (i.e. the Amazon S3 objects themselves), since the result files contain whatever data the queries returned.
Audit
To determine if your AWS Athena query results have data-at-rest encryption enabled, perform the following actions:
Remediation / Resolution
To enable data-at-rest encryption for your AWS Athena query results stored in Amazon S3, perform the following actions:
Note: At the time this page was written, encryption at rest for Amazon Athena query results could only be enabled through the Athena console, not through the AWS Command Line Interface (CLI). Current versions of the CLI expose the setting through the Athena workgroup result configuration (update-work-group, with EnforceWorkGroupConfiguration set so that the workgroup setting overrides per-query client settings) and per query via start-query-execution --result-configuration.
References
- AWS Documentation
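The audit and remediation steps above can be scripted against the Athena API. The following is an added example, not code from the original page: it walks list-query-executions / get-query-execution for a workgroup and reports executions whose result file was written without an EncryptionConfiguration (or with a KMS option but no key), then builds the EncryptionConfiguration structure used by update-work-group / start-query-execution and applies it to the workgroup with EnforceWorkGroupConfiguration. The workgroup name "primary", the key alias "alias/athena-results" and the executions inside FakeAthenaClient are constructed sample data; `run` functions accept any client object with the same method names, so a real `boto3.client("athena")` can be passed in instead of the fake.

```python
"""Audit and remediation helpers for Amazon Athena query-result encryption.

Added example. API shapes follow Athena's list-query-executions,
get-query-execution and update-work-group calls; FakeAthenaClient and its
executions are constructed sample data for offline use (assumption), and a
real boto3.client("athena") can be substituted for it.
"""
from typing import Dict, List, Optional

VALID_OPTIONS = ("SSE_S3", "SSE_KMS", "CSE_KMS")


def result_encryption(execution: Dict) -> Optional[str]:
    """Return the EncryptionOption recorded on one QueryExecution object, or
    None when the result file was written unencrypted or misconfigured."""
    enc = (execution.get("ResultConfiguration") or {}).get("EncryptionConfiguration") or {}
    option = enc.get("EncryptionOption")
    if option not in VALID_OPTIONS:
        return None  # absent or unknown option: result object is not protected
    if option != "SSE_S3" and not enc.get("KmsKey"):
        return None  # a KMS option without a key is malformed; treat as a finding
    return option


def list_execution_ids(client, workgroup: str, limit: int) -> List[str]:
    """Page through list-query-executions (newest first) using NextToken."""
    ids: List[str] = []
    kwargs = {"WorkGroup": workgroup}
    while len(ids) < limit:
        page = client.list_query_executions(**kwargs)
        ids.extend(page.get("QueryExecutionIds", []))
        token = page.get("NextToken")
        if not token:
            break
        kwargs["NextToken"] = token
    return ids[:limit]


def find_unencrypted_results(client, workgroup: str = "primary", limit: int = 100) -> List[str]:
    """Audit: IDs of recent executions whose results are stored unencrypted."""
    findings = []
    for qid in list_execution_ids(client, workgroup, limit):
        execution = client.get_query_execution(QueryExecutionId=qid)["QueryExecution"]
        if result_encryption(execution) is None:
            findings.append(qid)
    return findings


def encryption_configuration(option: str, kms_key: Optional[str] = None) -> Dict:
    """Build the EncryptionConfiguration structure accepted by both
    start-query-execution (ResultConfiguration) and update-work-group
    (ResultConfigurationUpdates)."""
    if option not in VALID_OPTIONS:
        raise ValueError(f"unsupported EncryptionOption {option!r}")
    if option == "SSE_S3":
        return {"EncryptionOption": "SSE_S3"}
    if not kms_key:
        raise ValueError(f"{option} requires a KMS key ID, ARN or alias")
    return {"EncryptionOption": option, "KmsKey": kms_key}


def enforce_workgroup_encryption(client, workgroup: str, option: str,
                                 kms_key: Optional[str] = None) -> Dict:
    """Remediation: set result encryption on the workgroup and make the
    workgroup settings override whatever a client requests per query."""
    updates = {
        "EnforceWorkGroupConfiguration": True,
        "ResultConfigurationUpdates": {
            "EncryptionConfiguration": encryption_configuration(option, kms_key)
        },
    }
    client.update_work_group(WorkGroup=workgroup, ConfigurationUpdates=updates)
    return updates


class FakeAthenaClient:
    """Constructed stand-in for boto3's Athena client (sample data only)."""

    def __init__(self):
        self.executions = {
            "q-1": {"EncryptionOption": "SSE_KMS", "KmsKey": "alias/athena-results"},
            "q-2": {},                               # no EncryptionConfiguration at all
            "q-3": {"EncryptionOption": "SSE_S3"},
            "q-4": {"EncryptionOption": "CSE_KMS"},  # KMS option but key missing
        }
        self.last_update = None

    def list_query_executions(self, WorkGroup, NextToken=None):
        ids = list(self.executions)  # two pages, to exercise NextToken handling
        if NextToken is None:
            return {"QueryExecutionIds": ids[:2], "NextToken": "page-2"}
        return {"QueryExecutionIds": ids[2:]}

    def get_query_execution(self, QueryExecutionId):
        result_cfg = {"OutputLocation": "s3://example-athena-results/"}
        if self.executions[QueryExecutionId]:
            result_cfg["EncryptionConfiguration"] = self.executions[QueryExecutionId]
        return {"QueryExecution": {"QueryExecutionId": QueryExecutionId,
                                   "ResultConfiguration": result_cfg}}

    def update_work_group(self, WorkGroup, ConfigurationUpdates):
        self.last_update = (WorkGroup, ConfigurationUpdates)


if __name__ == "__main__":
    client = FakeAthenaClient()  # swap for boto3.client("athena") against a real account
    print("unencrypted results:", find_unencrypted_results(client, "primary"))
    enforce_workgroup_encryption(client, "primary", "SSE_KMS", "alias/athena-results")
    print("workgroup update applied:", client.last_update)
```

Two points worth noting: the audit is historical (it inspects result files already written, so older unencrypted objects remain in the bucket until you delete or re-encrypt them), and setting the option on the workgroup without EnforceWorkGroupConfiguration still lets a client request unencrypted output per query, which is why the remediation sets the flag.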
- Amazon Athena FAQs
- Configuring Encryption Options
- AWS Command Line Interface (CLI) Documentation
- athena
- list-query-executions
- get-query-execution