Enable Encryption for AWS Athena Query Results

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that encryption at rest is enabled for Amazon Athena query results stored in Amazon S3 in order to secure data and meet compliance requirements for data-at-rest encryption. AWS Athena supports the following S3 encryption options: Server-Side Encryption (SSE) with an Amazon S3-managed key (SSE-S3), SSE with an AWS Key Management Service customer managed key (SSE-KMS), and Client-Side Encryption (CSE) with an AWS KMS customer managed key (CSE-KMS).

Security

Athena is an interactive query service managed by AWS that lets you use standard SQL to analyze data directly in Amazon S3. Data in transit between Amazon Athena and S3 is encrypted by default using SSL/TLS; encryption of query results at rest, however, is not enabled by default. The encryption at rest feature available for AWS Athena query results provides an additional layer of data protection by helping secure your data against unauthorized access to the underlying storage (i.e. Amazon S3).


Audit

To determine if your AWS Athena query results have data-at-rest encryption enabled, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Athena dashboard at https://console.aws.amazon.com/athena/.

03 Click the Settings link from the dashboard top-right menu to access the service configuration settings.

04 Within the Settings dialog box, check the status of the Encrypt query results setting. If the Encrypt query results checkbox is not selected, the feature is disabled, therefore your AWS Athena query results stored in Amazon S3 are not encrypted at rest.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Each time a query executes in AWS Athena, information about the query execution is saved with a unique ID. Run the list-query-executions command (OSX/Linux/UNIX) with a custom query filter to list the IDs of the SQL queries executed by Amazon Athena in the selected AWS region:

aws athena list-query-executions \
    --region us-east-1 \
    --query 'QueryExecutionIds'

02 The command output should return the query execution IDs currently available:

[
    "1234abcd-1234-abcd-1234-abcd1234abcd",
    "abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
    "aabbccdd-aabb-ccdd-aabb-aabbccddaabb"
]

03 Run the get-query-execution command (OSX/Linux/UNIX) using the ID of the query execution that you want to examine as the identifier and a custom query filter to return the encryption configuration of the selected execution:

aws athena get-query-execution \
    --region us-east-1 \
    --query-execution-id 1234abcd-1234-abcd-1234-abcd1234abcd \
    --query 'QueryExecution.ResultConfiguration.EncryptionConfiguration'

04 The command output should return the requested information:

null

If the get-query-execution command returns null, as shown in the example above, no encryption configuration is defined for that query execution, therefore the AWS Athena query results it stored in Amazon S3 are not encrypted at rest.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the audit process for other regions.
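The CLI audit above can be scripted so that every recorded query execution in one or more regions is checked in a single pass. The script below is an added example and is not part of the Conformity knowledge base; it assumes the AWS CLI is installed and has credentials with athena:ListQueryExecutions and athena:GetQueryExecution permissions. It requests only the EncryptionOption field in text output, where the CLI prints None for a null path, and maps that to a status. Keep in mind that get-query-execution reports the result configuration that was in effect when each query ran, so queries executed before encryption was enabled will still show as unencrypted in the history.

```shell
#!/bin/sh
# Added example (not Conformity's own code): automate audit steps 01-04
# for each AWS region given on the command line.
# Assumes the AWS CLI is installed and credentials are already configured.

# Map the EncryptionOption text returned by get-query-execution to a status.
# With --output text the CLI prints "None" when the JMESPath resolves to null;
# "null" is accepted too in case the JSON output format is used instead.
encryption_status() {
  case "$1" in
    ""|None|null) echo "UNENCRYPTED" ;;
    SSE_S3|SSE_KMS|CSE_KMS) echo "ENCRYPTED:$1" ;;
    *) echo "UNKNOWN:$1" ;;
  esac
}

# Count the UNENCRYPTED entries in a newline-separated list of statuses.
count_unencrypted() {
  printf '%s\n' "$1" | awk '/^UNENCRYPTED$/ { n++ } END { print n + 0 }'
}

# Audit every query execution recorded in the given region and print
# one line per execution: <region> <query-execution-id> <status>.
audit_region() {
  region="$1"
  # Text output puts the IDs on one line separated by tabs, which the
  # unquoted expansion below splits into loop items.
  ids=$(aws athena list-query-executions --region "$region" \
          --query 'QueryExecutionIds[]' --output text)
  for id in $ids; do
    opt=$(aws athena get-query-execution --region "$region" \
            --query-execution-id "$id" \
            --query 'QueryExecution.ResultConfiguration.EncryptionConfiguration.EncryptionOption' \
            --output text)
    printf '%s %s %s\n' "$region" "$id" "$(encryption_status "$opt")"
  done
}

# Usage: sh athena_audit.sh us-east-1 eu-west-1
# Nothing is called when no regions are passed, so the file can be sourced.
for r in "$@"; do
  audit_region "$r"
done
```

Any line ending in UNENCRYPTED is a finding under this check; piping the output through grep UNENCRYPTED gives the list of executions whose results sit in S3 without at-rest encryption.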

Remediation / Resolution

To enable data-at-rest encryption for your AWS Athena query results stored in Amazon S3, perform the following actions:

Note: Enabling data-at-rest encryption for Amazon Athena query results using the AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your Athena query results are stored).

05 Click the Create Key button from the dashboard top menu.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt Athena query results with the AWS KMS API.

09 (Optional) Under the External Accounts section, click Add an External Account and enter an external account ID to add another AWS account that can use this CMK to encrypt/decrypt the query results. The owners of the external AWS accounts must also grant access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue.

11 Under the Preview Key Policy section, review the key policy generated by AWS, then click Finish to create your new CMK. Once the key is created, the KMS dashboard displays a confirmation message: “Your master key was created successfully. Alias: <cmk-alias>”.

12 Click on the newly created CMK alias (link) to access the key configuration details.

13 In the Summary section, copy the Amazon Resource Name (ARN) assigned to the new key.

14 Navigate to Amazon Athena dashboard at https://console.aws.amazon.com/athena/.

15 Click the Settings link from the dashboard top-right menu to access the service configuration settings.

16 Inside the Settings dialog box, select the Encrypt query results checkbox to enable the encryption at rest feature and choose one of the following encryption options from the Encryption type dropdown list:

  1. CSE-KMS – to implement Client-Side Encryption using the AWS KMS Customer Master Key (CMK) created earlier. Select Enter a KMS key ARN from the Encryption key dropdown list and paste the ARN copied at step no. 13 in the KMS key ARN box. Click Save to apply the changes.
  2. SSE-KMS – to enable Server-Side Encryption using the AWS KMS CMK created earlier in the remediation/resolution section. Select Enter a KMS key ARN from the Encryption key dropdown list and paste the ARN copied at step no. 13 in the KMS key ARN box. Click the Save button to apply the configuration changes.
  3. SSE-S3 – to implement Server-Side Encryption (SSE) using an Amazon S3-managed key. Click Save to apply the changes.

17 Change the AWS region from the navigation bar to repeat the entire remediation/resolution process for the other regions.

Publication date Jan 24, 2019