AWS Athena Workgroup
This page shows how to write Terraform and CloudFormation for Athena Workgroup and write them securely.
aws_athena_workgroup (Terraform)
The Workgroup in Athena can be configured in Terraform with the resource name aws_athena_workgroup. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_athena_workgroup" "allowed" {
}

resource "aws_athena_workgroup" "allowed_2" {
  configuration {}
}

resource "aws_athena_workgroup" "pass" {
  name = "wg-encrypted"

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true
    # remaining settings are not shown in this excerpt
  }
}

resource "aws_athena_workgroup" "example_master_workgroup" {
  name = "example_master_workgroup"

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true
    # remaining settings are not shown in this excerpt
  }
}
Security Best Practices for aws_athena_workgroup
There is 1 setting in aws_athena_workgroup that should be taken care of for security reasons. The following section gives an overview and example code.
Enable Athena workgroup configuration enforcement
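An added example, not taken from the original page or the repositories it cites, showing the setting in context: with enforcement off, client-side settings sent with a query are used in place of the workgroup's result location and encryption, and with it on, the workgroup settings override them. The variable names, workgroup names and the 1 GiB scan limit are placeholders chosen for illustration.

```hcl
# Placeholders (assumptions): supply your own bucket name and KMS key ARN.
variable "results_bucket" {
  description = "Name of the S3 bucket that receives query results"
  type        = string
}

variable "results_kms_key_arn" {
  description = "ARN of the KMS key used to encrypt query results"
  type        = string
}

# Weak: an encrypted result location is defined, but enforcement is off,
# so a client that sends its own output location or encryption settings
# with a query has those client-side settings used instead.
resource "aws_athena_workgroup" "not_enforced" {
  name = "wg-not-enforced"

  configuration {
    enforce_workgroup_configuration = false

    result_configuration {
      output_location = "s3://${var.results_bucket}/not-enforced/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = var.results_kms_key_arn
      }
    }
  }
}

# Hardened: workgroup settings override whatever the client sends.
resource "aws_athena_workgroup" "enforced" {
  name = "wg-enforced"

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true
    bytes_scanned_cutoff_per_query     = 1073741824 # 1 GiB per-query limit

    result_configuration {
      output_location = "s3://${var.results_bucket}/enforced/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = var.results_kms_key_arn
      }
    }
  }
}
```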
Parameters
arn - optional, computed - string
description - optional - string
force_destroy - optional - bool
id - optional, computed - string
name - required - string
state - optional - string
tags - optional - map from string to string
configuration - list block
  bytes_scanned_cutoff_per_query - optional - number
  enforce_workgroup_configuration - optional - bool
  publish_cloudwatch_metrics_enabled - optional - bool
  result_configuration - list block
    output_location - optional - string
    encryption_configuration - list block
      encryption_option - optional - string
      kms_key_arn - optional - string
Explanation in Terraform Registry
Provides an Athena Workgroup.
Tips: Best Practices for The Other AWS Athena Resources
In addition to the aws_athena_database, AWS Athena has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take.
aws_athena_database
Ensure at-rest encryption is enabled for the Athena database
It is better to enable at-rest encryption for the Athena database. Encryption reduces the risk of data leakage.
AWS::Athena::WorkGroup (CloudFormation)
The WorkGroup in Athena can be configured in CloudFormation with the resource name AWS::Athena::WorkGroup. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::Athena::WorkGroup
Properties:
  Description: Workgroup para engenheiros de dados executarem queries
  Name: athena-data-engineer-workgroup
  RecursiveDeleteOption: False
  State: ENABLED

Type: AWS::Athena::WorkGroup
Properties:
  Name: ${self:custom.analytics_workgroup}
  Description: WorkGroup limited to Analytics team
  State: ENABLED
  WorkGroupConfiguration:

"Type": "AWS::Athena::WorkGroup",
"Properties": {
  "Name": "HelloWorld",
  "Description": "A WorkGroup",
  "RecursiveDeleteOption": true,
  "State": "ENABLED",

"AWS::Athena::WorkGroup": {
  "Type": "AWS::Athena::WorkGroup",
  "Properties": {}
},
"AWS::Route53Resolver::FirewallRuleGroup": {
  "Type": "AWS::Route53Resolver::FirewallRuleGroup",

"AWS::Athena::WorkGroup.Tags": {
  "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-athena-workgroup-tags.html",
  "Properties": {
    "Tags": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-athena-workgroup-tags.html#cfn-athena-workgroup-tags-tags",
      "UpdateType": "Mutable",

"Type": "AWS::Athena::WorkGroup",
"Properties": {
  "Name": "MyCustomWorkGroup",
  "Description": "My WorkGroup",
  "State": "ENABLED",
  "WorkGroupConfiguration": {

"Type": "AWS::Athena::WorkGroup",
"Properties": {
  "Name": "tnc-wg",
  "Description": "talkncloud demo for federated queries",
  "WorkGroupConfiguration": {
    "EnforceWorkGroupConfiguration": true,
Parameters
Name - required - String
Description - optional - String
Tags - optional - List of Tag
WorkGroupConfiguration - optional - WorkGroupConfiguration
WorkGroupConfigurationUpdates - optional - WorkGroupConfigurationUpdates
State - optional - String
RecursiveDeleteOption - optional - Boolean
Explanation in CloudFormation Registry
The AWS::Athena::WorkGroup resource specifies an Amazon Athena workgroup, which contains a name, description, creation time, state, and other configuration, listed under WorkGroupConfiguration. Each workgroup enables you to isolate queries for you or your group from other queries in the same account. For more information, see CreateWorkGroup in the Amazon Athena API Reference.
Frequently asked questions
What is AWS Athena Workgroup?
AWS Athena Workgroup is a resource for Athena in Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Athena Workgroup?
For Terraform, the snyk-labs/infrastructure-as-code-goof, sprathod369/iac-example and melscoop-test/check source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the marianabernado/bootcamp-eng-dados, gabrielosluz/engenharia-de-dados and Miyake-Diogo/Data_Engineering_Bootcamp source code examples are useful. See the CloudFormation Example section for further details.