Athena workgroups should enforce configuration to prevent client disabling encryption

Explanation

Athena workgroup configuration should be enforced so that client-side settings cannot override the workgroup's encryption settings.

Possible Impact

Clients can ignore encryption requirements

Suggested Resolution

Enforce the configuration to prevent client overrides

Insecure Example

The following example will fail the AVD-AWS-0007 check.

---
Resources:
  BadExample:
    Properties:
      Name: badExample
      WorkGroupConfiguration:
        EnforceWorkGroupConfiguration: false
        ResultConfiguration:
          EncryptionConfiguration:
            EncryptionOption: SSE_KMS
    Type: AWS::Athena::WorkGroup

Secure Example

The following example will pass the AVD-AWS-0007 check.

---
Resources:
  GoodExample:
    Properties:
      Name: goodExample
      WorkGroupConfiguration:
        EnforceWorkGroupConfiguration: true
        ResultConfiguration:
          EncryptionConfiguration:
            EncryptionOption: SSE_KMS
    Type: AWS::Athena::WorkGroup
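
The same condition can be checked outside the scanner. This is an added example, not the scanner's own code: a standard-library Python check over a CloudFormation template in JSON form. The function names and the sample template are constructed for illustration, and treating an absent or unresolvable value as failing is an assumption of this example.

```python
import json


def sample_workgroup(name, enforce):
    """Build one constructed AWS::Athena::WorkGroup resource (sample data)."""
    return {
        "Type": "AWS::Athena::WorkGroup",
        "Properties": {
            "Name": name,
            "WorkGroupConfiguration": {
                "EnforceWorkGroupConfiguration": enforce,
                "ResultConfiguration": {
                    "EncryptionConfiguration": {"EncryptionOption": "SSE_KMS"}
                },
            },
        },
    }


# Constructed sample mirroring the two workgroups shown above, as JSON.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "BadExample": sample_workgroup("badExample", False),
    "GoodExample": sample_workgroup("goodExample", True),
}})


def is_true(value):
    """Accept a real boolean or the string form "true"/"false"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    # Absent, or an intrinsic such as {"Ref": ...} that cannot be resolved
    # offline: treated as failing (assumption of this example).
    return False


def unenforced_workgroups(template_text):
    """Return sorted logical IDs of Athena workgroups that do not set
    EnforceWorkGroupConfiguration to true."""
    resources = json.loads(template_text).get("Resources") or {}
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::Athena::WorkGroup":
            continue
        props = resource.get("Properties") or {}
        config = props.get("WorkGroupConfiguration") or {}
        if not is_true(config.get("EnforceWorkGroupConfiguration")):
            findings.append(logical_id)
    return sorted(findings)
```

Calling unenforced_workgroups(SAMPLE_TEMPLATE) reports only BadExample; a workgroup that omits WorkGroupConfiguration entirely is reported as well.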

