Enabling logging for a workgroup provides valuable insights into query activity, including user actions, query execution details, and potential security events.
Risk
Without logging enabled, it can be difficult to track and investigate potential security incidents or unauthorized access to Athena data. This can lead to data breaches, compliance violations, and increased security risks.
Run this check with Prowler CLI
prowler aws --checks athena_workgroup_logging_enabled
ARN template
arn:partition:athena:region:account-id:workgroup/resource-id
Remediation
https://docs.aws.amazon.com/securityhub/latest/userguide/athena-controls.html#athena-4
Enable logging for your Athena workgroups to capture query activity and enhance security monitoring. Configure the output location for logs in a secure S3 bucket and ensure appropriate encryption is applied.
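The following added example, which is not Prowler's source code, audits `aws athena get-work-group` responses offline for the settings the remediation names, plus whether the workgroup enforces them. It assumes that "logging" corresponds to the `PublishCloudWatchMetricsEnabled` field; the function names, finding labels, and sample workgroups are constructed for illustration.

```python
# Added example: offline audit of Athena GetWorkGroup responses.
# Assumption: "logging enabled" maps to PublishCloudWatchMetricsEnabled.

def workgroup_arn(partition, region, account_id, name):
    """Fill in the ARN template shown on this page."""
    return f"arn:{partition}:athena:{region}:{account_id}:workgroup/{name}"

def audit_workgroup(response):
    """Return findings for one GetWorkGroup response; an empty list is a pass."""
    cfg = response["WorkGroup"].get("Configuration", {})
    result = cfg.get("ResultConfiguration", {})
    findings = []
    if not cfg.get("PublishCloudWatchMetricsEnabled", False):
        findings.append("logging_disabled")
    if not result.get("OutputLocation", "").startswith("s3://"):
        findings.append("no_output_location")
    if not result.get("EncryptionConfiguration", {}).get("EncryptionOption"):
        findings.append("results_not_encrypted")
    # Without enforcement, client-side settings can override the workgroup's.
    if not cfg.get("EnforceWorkGroupConfiguration", False):
        findings.append("settings_not_enforced")
    return findings

# Constructed sample responses (account ID and bucket names are placeholders).
SAMPLES = [
    {"WorkGroup": {"Name": "primary", "Configuration": {
        "EnforceWorkGroupConfiguration": False,
        "PublishCloudWatchMetricsEnabled": False}}},
    {"WorkGroup": {"Name": "analytics", "Configuration": {
        "ResultConfiguration": {
            "OutputLocation": "s3://example-athena-results/analytics/",
            "EncryptionConfiguration": {"EncryptionOption": "SSE_KMS"}},
        "EnforceWorkGroupConfiguration": True,
        "PublishCloudWatchMetricsEnabled": True}}},
]

def audit_all(responses, partition="aws", region="us-east-1",
              account_id="111122223333"):
    """Map each workgroup ARN to its findings."""
    return {
        workgroup_arn(partition, region, account_id, r["WorkGroup"]["Name"]):
            audit_workgroup(r)
        for r in responses
    }

if __name__ == "__main__":
    for arn, findings in audit_all(SAMPLES).items():
        print("FAIL" if findings else "PASS", arn, findings)
```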
Resource Type
AwsAthenaWorkGroup