Amazon Athena workgroup has CloudWatch logging enabled

athena_workgroup_logging_enabled

Severity: medium
Service: athena
by Prowler

Athena workgroups can publish per-query metrics (for example TotalExecutionTime and ProcessedBytes, in the AWS/Athena namespace, dimensioned by WorkGroup, QueryState and QueryType) to CloudWatch. This check determines whether each workgroup has PublishCloudWatchMetricsEnabled set, so that its query activity is reported to CloudWatch.

Risk

Without CloudWatch query metrics, anomalous query activity (a sudden rise in data scanned or in query volume from a workgroup, for instance) goes unobserved, weakening confidentiality and integrity. A compromised or insider account can exfiltrate data or alter datasets without timely detection, hampering forensics and containment. Note that these metrics carry volume and timing only; the calling principal and the query itself are recorded by CloudTrail (StartQueryExecution events), so both sources are needed for attribution.

Run this check with Prowler CLI

prowler aws --checks athena_workgroup_logging_enabled
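The evaluation this check performs, written out as an added example (this is not Prowler's own implementation): each workgroup is fetched with get_work_group and judged on Configuration.PublishCloudWatchMetricsEnabled, and FAIL findings can be remediated with the same update_work_group call the CLI remediation below uses. FakeAthena is a constructed in-memory stand-in for boto3.client("athena") so the example runs offline; the choice to skip DISABLED workgroups is an assumption of this example, not a documented Prowler rule.

```python
"""Added example: evaluate Athena workgroups for PublishCloudWatchMetricsEnabled
and remediate failures. FakeAthena is a constructed stand-in for
boto3.client("athena") with the same response shapes; pass a real client for a
live account. Not Prowler's own code."""
from dataclasses import dataclass


@dataclass
class Finding:
    workgroup: str
    status: str          # "PASS" or "FAIL"
    status_extended: str


def evaluate_workgroup(wg: dict) -> Finding:
    """Decide PASS/FAIL from a get_work_group()["WorkGroup"] dictionary.
    The flag lives under Configuration.PublishCloudWatchMetricsEnabled; when it
    is absent the workgroup is not publishing metrics, so it is treated as False."""
    name = wg["Name"]
    enabled = wg.get("Configuration", {}).get("PublishCloudWatchMetricsEnabled", False)
    if enabled:
        return Finding(name, "PASS", f"Athena WorkGroup {name} publishes query metrics to CloudWatch.")
    return Finding(name, "FAIL", f"Athena WorkGroup {name} does not publish query metrics to CloudWatch.")


def audit_workgroups(athena, skip_disabled: bool = True) -> list[Finding]:
    """Enumerate every workgroup (following NextToken pagination) and evaluate it.
    Workgroups in state DISABLED cannot run queries, so by default they are
    skipped (assumption made by this example, not necessarily Prowler's rule)."""
    findings = []
    token = None
    while True:
        page = athena.list_work_groups(**({"NextToken": token} if token else {}))
        for summary in page["WorkGroups"]:
            if skip_disabled and summary.get("State") == "DISABLED":
                continue
            wg = athena.get_work_group(WorkGroup=summary["Name"])["WorkGroup"]
            findings.append(evaluate_workgroup(wg))
        token = page.get("NextToken")
        if not token:
            break
    return findings


def remediate(athena, findings: list[Finding]) -> list[str]:
    """Enable metrics on every FAIL workgroup; this is the API call behind
    `aws athena update-work-group --configuration-updates PublishCloudWatchMetricsEnabled=true`.
    Returns the names that were updated."""
    fixed = []
    for f in findings:
        if f.status == "FAIL":
            athena.update_work_group(
                WorkGroup=f.workgroup,
                ConfigurationUpdates={"PublishCloudWatchMetricsEnabled": True},
            )
            fixed.append(f.workgroup)
    return fixed


class FakeAthena:
    """Constructed in-memory Athena client: four sample workgroups served over two pages."""

    def __init__(self):
        self.workgroups = {
            "primary":   {"State": "ENABLED",  "Configuration": {"PublishCloudWatchMetricsEnabled": True}},
            "analytics": {"State": "ENABLED",  "Configuration": {"PublishCloudWatchMetricsEnabled": False}},
            "legacy":    {"State": "ENABLED",  "Configuration": {}},   # flag never set
            "retired":   {"State": "DISABLED", "Configuration": {"PublishCloudWatchMetricsEnabled": False}},
        }

    def list_work_groups(self, NextToken=None, MaxResults=50):
        names = sorted(self.workgroups)
        summaries = [{"Name": n, "State": self.workgroups[n]["State"]} for n in names]
        if NextToken is None:
            return {"WorkGroups": summaries[:2], "NextToken": "page2"}
        return {"WorkGroups": summaries[2:]}

    def get_work_group(self, WorkGroup):
        return {"WorkGroup": {"Name": WorkGroup, **self.workgroups[WorkGroup]}}

    def update_work_group(self, WorkGroup, ConfigurationUpdates):
        self.workgroups[WorkGroup]["Configuration"].update(ConfigurationUpdates)
        return {}


if __name__ == "__main__":
    client = FakeAthena()   # replace with boto3.client("athena") against a real account
    for f in audit_workgroups(client):
        print(f.status, f.status_extended)
    print("remediated:", remediate(client, audit_workgroups(client)))
```

Against the sample data the audit reports analytics and legacy as FAIL (legacy because the flag is simply absent, which is how a workgroup created without it looks in the API), primary as PASS, and skips retired; after remediate() a second audit is all PASS.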

Recommendation

Enable CloudWatch query metrics (PublishCloudWatchMetricsEnabled) on every workgroup, including the default primary workgroup, and treat the setting as mandatory in your IaC so new workgroups cannot be created without it.

  • Apply least privilege to CloudWatch and CloudTrail data and encrypt it at rest
  • Create CloudWatch alarms on the AWS/Athena metrics (for example ProcessedBytes per WorkGroup) to flag unusual scan volumes
  • Correlate with CloudTrail StartQueryExecution events for user attribution
  • Centralize metrics, alarms and trails in a dedicated monitoring account

Remediation

CLI

aws athena update-work-group --work-group <WORKGROUP_NAME> --configuration-updates PublishCloudWatchMetricsEnabled=true

Native IAC
# CloudFormation to enable CloudWatch logging for an Athena workgroup
Resources:
  AthenaWorkGroup:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name: <example_resource_name>
      WorkGroupConfiguration:
        PublishCloudWatchMetricsEnabled: true  # Critical: publishes the workgroup's query metrics to CloudWatch
Terraform
# Enable CloudWatch logging for an Athena workgroup
resource "aws_athena_workgroup" "example" {
  name = "<example_resource_name>"

  configuration {
    publish_cloudwatch_metrics_enabled = true  # Critical: publishes the workgroup's query metrics to CloudWatch
  }
}
Other
  1. Open the AWS Management Console and go to Amazon Athena
  2. In the left pane, click Workgroups and select the target workgroup
  3. Click Edit
  4. Check Publish query metrics to AWS CloudWatch
  5. Click Save

Resource Type

AwsAthenaWorkGroup