AWS Athena Workgroup

This page shows how to define an Athena workgroup in Terraform and CloudFormation, and how to configure it securely.

aws_athena_workgroup (Terraform)

The Workgroup in Athena can be configured in Terraform with the resource name aws_athena_workgroup. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

aws_athena_workgroup_settings_allowed.tf#L1
resource "aws_athena_workgroup" "allowed" {
}

resource "aws_athena_workgroup" "allowed_2" {
  configuration {}
}

main.tf#L1
resource "aws_athena_workgroup" "pass" {
  name = "wg-encrypted"

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

main.tf#L1
resource "aws_athena_workgroup" "pass" {
  name = "wg-encrypted"

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

workgroup.tf#L2
resource "aws_athena_workgroup" "example_master_workgroup" {
  name = "example_master_workgroup"

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_athena_workgroup

There is 1 setting in aws_athena_workgroup that should be reviewed for security reasons. The following section gives an overview and example code.

Enable Athena workgroup configuration enforcement
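
The setting in question is enforce_workgroup_configuration: when it is true, the workgroup's result location and encryption settings override the settings a client sends with its query. The Terraform below is an added example, not taken from the repositories listed on this page, and shows the weak setting beside the corrected one; the resource names, bucket name and KMS key are placeholders.

```hcl
# Added example. All resource names and the bucket name are placeholders.
resource "aws_s3_bucket" "athena_results" {
  bucket = "example-athena-query-results" # placeholder bucket name
}

resource "aws_kms_key" "athena_results" {
  description         = "Encrypts Athena query results (example)"
  enable_key_rotation = true
}

# Weak: enforcement is off, so client-side settings take precedence and a
# query can be sent with a different result location or without encryption.
resource "aws_athena_workgroup" "not_enforced" {
  name = "wg-not-enforced"

  configuration {
    enforce_workgroup_configuration = false

    result_configuration {
      output_location = "s3://${aws_s3_bucket.athena_results.bucket}/results/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.athena_results.arn
      }
    }
  }
}

# Corrected: the workgroup settings override client-side settings, so every
# query writes its results to the bucket below, encrypted with the KMS key.
resource "aws_athena_workgroup" "enforced" {
  name = "wg-enforced"

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.athena_results.bucket}/results/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.athena_results.arn
      }
    }
  }
}
```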

Review your AWS Athena settings

You can check if the aws_athena_workgroup setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Provides an Athena Workgroup.

Tips: Best Practices for The Other AWS Athena Resources

AWS Athena has other resources besides the workgroup that should be configured with security in mind. Check the examples and precautions for those resources below.

aws_athena_database

Enable at-rest encryption of the Athena database

It is better to enable at-rest encryption of the Athena database. Encryption reduces the risk of data leakage.

Review your AWS Athena settings

In addition to the above, there are other security points you should be aware of. You can make sure that your .tf files are protected with Shisho Cloud.

AWS::Athena::WorkGroup (CloudFormation)

The WorkGroup in Athena can be configured in CloudFormation with the resource name AWS::Athena::WorkGroup. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

athena.yml#L6
    Type: AWS::Athena::WorkGroup
    Properties:
      Description: Workgroup para engenheiros de dados executarem queries
      Name: athena-data-engineer-workgroup
      RecursiveDeleteOption: False
      State: ENABLED

athena.yml#L6
    Type: AWS::Athena::WorkGroup
    Properties:
      Description: Workgroup para engenheiros de dados executarem queries
      Name: athena-data-engineer-workgroup
      RecursiveDeleteOption: False
      State: ENABLED

athena.yml#L6
    Type: AWS::Athena::WorkGroup
    Properties:
      Description: Workgroup para engenheiros de dados executarem queries
      Name: athena-data-engineer-workgroup
      RecursiveDeleteOption: False
      State: ENABLED

athena.yml#L6
    Type: AWS::Athena::WorkGroup
    Properties:
      Description: Workgroup para engenheiros de dados executarem queries
      Name: athena-data-engineer-workgroup
      RecursiveDeleteOption: False
      State: ENABLED

serverless.yml#L17
      Type: AWS::Athena::WorkGroup
      Properties:
        Name: ${self:custom.analytics_workgroup}
        Description: WorkGroup limited to Analytics team
        State: ENABLED
        WorkGroupConfiguration:

integ.workgroup.expected.json#L4
      "Type": "AWS::Athena::WorkGroup",
      "Properties": {
        "Name": "HelloWorld",
        "Description": "A WorkGroup",
        "RecursiveDeleteOption": true,
        "State": "ENABLED",

template.json#L2495
    "AWS::Athena::WorkGroup": {
      "Type": "AWS::Athena::WorkGroup",
      "Properties": {}
    },
    "AWS::Route53Resolver::FirewallRuleGroup": {
      "Type": "AWS::Route53Resolver::FirewallRuleGroup",

AthenaWorkGroupSpecification.json#L20
    "AWS::Athena::WorkGroup.Tags": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-athena-workgroup-tags.html",
      "Properties": {
        "Tags": {
          "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-athena-workgroup-tags.html#cfn-athena-workgroup-tags-tags",
          "UpdateType": "Mutable",

AthenaTableWithGlueDataCatalog.json#L179
          "Type": "AWS::Athena::WorkGroup",
          "Properties": {
            "Name": "MyCustomWorkGroup",
            "Description": "My WorkGroup",
            "State": "ENABLED",
            "WorkGroupConfiguration": {

AthenaAppsyncStack.template.json#L106
      "Type": "AWS::Athena::WorkGroup",
      "Properties": {
        "Name": "tnc-wg",
        "Description": "talkncloud demo for federated queries",
        "WorkGroupConfiguration": {
          "EnforceWorkGroupConfiguration": true,

Parameters

Explanation in CloudFormation Registry

The AWS::Athena::WorkGroup resource specifies an Amazon Athena workgroup, which contains a name, description, creation time, state, and other configuration, listed under WorkGroupConfiguration. Each workgroup enables you to isolate queries for you or your group from other queries in the same account. For more information, see CreateWorkGroup in the Amazon Athena API Reference.

Frequently asked questions

What is AWS Athena Workgroup?

AWS Athena Workgroup is a resource for Athena in Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Athena Workgroup?

For Terraform, the snyk-labs/infrastructure-as-code-goof, sprathod369/iac-example and melscoop-test/check source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the marianabernado/bootcamp-eng-dados, gabrielosluz/engenharia-de-dados and Miyake-Diogo/Data_Engineering_Bootcamp source code examples are useful. See the CloudFormation Example section for further details.