AWS Athena Workgroup
This page shows how to write Terraform and CloudFormation for Athena Workgroup and write them securely.
aws_athena_workgroup (Terraform)
The Workgroup in Athena can be configured in Terraform with the resource name aws_athena_workgroup. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_athena_workgroup" "allowed" {
}

resource "aws_athena_workgroup" "allowed_2" {
  configuration {}
}

resource "aws_athena_workgroup" "pass" {
  name = "wg-encrypted"
  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true
    # remainder of the block is not shown in this excerpt
  }
}

resource "aws_athena_workgroup" "pass" {
  name = "wg-encrypted"
  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true
    # remainder of the block is not shown in this excerpt
  }
}

resource "aws_athena_workgroup" "example_master_workgroup" {
  name = "example_master_workgroup"
  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true
    # remainder of the block is not shown in this excerpt
  }
}
Security Best Practices for aws_athena_workgroup
There is 1 setting in aws_athena_workgroup that should be configured with security in mind. The following section gives an overview and example code.
Enable Athena workgroup configuration enforcement
Parameters
arn - optional computed - string
description - optional - string
force_destroy - optional - bool
id - optional computed - string
name - required - string
state - optional - string
tags - optional - map from string to string
configuration - list block
  bytes_scanned_cutoff_per_query - optional - number
  enforce_workgroup_configuration - optional - bool
  publish_cloudwatch_metrics_enabled - optional - bool
  result_configuration - list block
    output_location - optional - string
    encryption_configuration - list block
      encryption_option - optional - string
      kms_key_arn - optional - string
Explanation in Terraform Registry
Provides an Athena Workgroup.
Tips: Best Practices for The Other AWS Athena Resources
In addition to the aws_athena_database, AWS Athena has other resources that should be configured with security in mind. Check the examples and precautions for those resources below.
aws_athena_database
Ensure at-rest encryption of the Athena database is enabled
It is better to enable at-rest encryption of the Athena database. Encryption reduces the risk of data leakage.
AWS::Athena::WorkGroup (CloudFormation)
The WorkGroup in Athena can be configured in CloudFormation with the resource name AWS::Athena::WorkGroup. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::Athena::WorkGroup
Properties:
  Description: Workgroup para engenheiros de dados executarem queries
  Name: athena-data-engineer-workgroup
  RecursiveDeleteOption: False
  State: ENABLED

Type: AWS::Athena::WorkGroup
Properties:
  Description: Workgroup para engenheiros de dados executarem queries
  Name: athena-data-engineer-workgroup
  RecursiveDeleteOption: False
  State: ENABLED

Type: AWS::Athena::WorkGroup
Properties:
  Description: Workgroup para engenheiros de dados executarem queries
  Name: athena-data-engineer-workgroup
  RecursiveDeleteOption: False
  State: ENABLED

Type: AWS::Athena::WorkGroup
Properties:
  Description: Workgroup para engenheiros de dados executarem queries
  Name: athena-data-engineer-workgroup
  RecursiveDeleteOption: False
  State: ENABLED

Type: AWS::Athena::WorkGroup
Properties:
  Name: ${self:custom.analytics_workgroup}
  Description: WorkGroup limited to Analytics team
  State: ENABLED
  WorkGroupConfiguration:

"Type": "AWS::Athena::WorkGroup",
"Properties": {
  "Name": "HelloWorld",
  "Description": "A WorkGroup",
  "RecursiveDeleteOption": true,
  "State": "ENABLED",

"AWS::Athena::WorkGroup": {
  "Type": "AWS::Athena::WorkGroup",
  "Properties": {}
},
"AWS::Route53Resolver::FirewallRuleGroup": {
  "Type": "AWS::Route53Resolver::FirewallRuleGroup",

"AWS::Athena::WorkGroup.Tags": {
  "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-athena-workgroup-tags.html",
  "Properties": {
    "Tags": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-athena-workgroup-tags.html#cfn-athena-workgroup-tags-tags",
      "UpdateType": "Mutable",

"Type": "AWS::Athena::WorkGroup",
"Properties": {
  "Name": "MyCustomWorkGroup",
  "Description": "My WorkGroup",
  "State": "ENABLED",
  "WorkGroupConfiguration": {

"Type": "AWS::Athena::WorkGroup",
"Properties": {
  "Name": "tnc-wg",
  "Description": "talkncloud demo for federated queries",
  "WorkGroupConfiguration": {
    "EnforceWorkGroupConfiguration": true,
Parameters
Name - required - String
Description - optional - String
Tags - optional - List of Tag
WorkGroupConfiguration - optional - WorkGroupConfiguration
WorkGroupConfigurationUpdates - optional - WorkGroupConfigurationUpdates
State - optional - String
RecursiveDeleteOption - optional - Boolean
Explanation in CloudFormation Registry
The AWS::Athena::WorkGroup resource specifies an Amazon Athena workgroup, which contains a name, description, creation time, state, and other configuration, listed under WorkGroupConfiguration. Each workgroup enables you to isolate queries for you or your group from other queries in the same account. For more information, see CreateWorkGroup in the Amazon Athena API Reference.
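As an added example (not code from this page or from the GitHub repositories it cites), the following Python check reads a CloudFormation template in JSON form and reports AWS::Athena::WorkGroup resources whose WorkGroupConfiguration does not set EnforceWorkGroupConfiguration to true, the CloudFormation counterpart of the enforcement best practice above. It goes slightly beyond that one setting by also reporting a missing result EncryptionOption; the sample template, the function name and the finding labels are constructed for illustration.

```python
import json

WORKGROUP_TYPE = "AWS::Athena::WorkGroup"

# Constructed sample template (not one of the page's GitHub examples).
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "Enforced": {"Type": "AWS::Athena::WorkGroup", "Properties": {
    "Name": "wg-enforced",
    "WorkGroupConfiguration": {
      "EnforceWorkGroupConfiguration": true,
      "ResultConfiguration": {
        "EncryptionConfiguration": {"EncryptionOption": "SSE_S3"}}}}},
  "NoConfig": {"Type": "AWS::Athena::WorkGroup", "Properties": {
    "Name": "wg-bare", "State": "ENABLED"}},
  "ClientOverride": {"Type": "AWS::Athena::WorkGroup", "Properties": {
    "Name": "wg-override",
    "WorkGroupConfiguration": {"EnforceWorkGroupConfiguration": false}}},
  "Bucket": {"Type": "AWS::S3::Bucket"}
}}
""")


def audit_workgroups(template):
    """Return {logical_id: [findings]} for every Athena workgroup."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        if not isinstance(res, dict) or res.get("Type") != WORKGROUP_TYPE:
            continue
        cfg = (res.get("Properties") or {}).get("WorkGroupConfiguration") or {}
        findings = []
        # Policy of this example: only a literal true (boolean or the
        # string "true") passes; a Ref or other intrinsic is reported.
        if str(cfg.get("EnforceWorkGroupConfiguration")).lower() != "true":
            findings.append("enforcement-not-explicit")
        result = cfg.get("ResultConfiguration") or {}
        enc = result.get("EncryptionConfiguration") or {}
        if not enc.get("EncryptionOption"):
            findings.append("no-result-encryption")
        report[logical_id] = findings
    return report


if __name__ == "__main__":
    for wg, findings in audit_workgroups(SAMPLE_TEMPLATE).items():
        print(wg, "OK" if not findings else ", ".join(findings))
```

A workgroup with an empty findings list passes; any other resource type in the template is ignored.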
Frequently asked questions
What is AWS Athena Workgroup?
AWS Athena Workgroup is a resource for Athena of Amazon Web Service. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Athena Workgroup?
For Terraform, the snyk-labs/infrastructure-as-code-goof, sprathod369/iac-example and melscoop-test/check source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the marianabernado/bootcamp-eng-dados, gabrielosluz/engenharia-de-dados and Miyake-Diogo/Data_Engineering_Bootcamp source code examples are useful. See the CloudFormation Example section for further details.