Security Recommendations
The following section provides recommendations on configuring Amazon Athena for querying PII Data protected by Protegrity Athena Protector.
Security is a shared responsibility between AWS and you. When using PII Data in Amazon Athena, it is essential to understand the best practices and to keep your data protected at all times. In this section, we summarize the configuration needed when using Amazon Athena.
Note
These recommendations are not exhaustive; this article links to more detailed information and guidelines. To read more about the AWS shared responsibility model as it applies to Amazon Athena, visit Amazon Athena Security - Amazon Athena.
Logging and Monitoring
Enable AWS CloudTrail to audit all calls made to the Athena API.
For more information, visit Logging Amazon Athena API Calls with AWS CloudTrail - Amazon Athena.
Encryption at rest
AWS S3 buckets
Amazon Athena lets you run queries on encrypted data stored in Amazon S3 repositories in the same region. Make sure you enable Amazon S3 encryption options supported by Amazon Athena.
For more information, visit Creating Tables Based on Encrypted Datasets in Amazon S3 - Amazon Athena.
Query Results and Query History
Amazon Athena saves the query history in an S3 bucket. If you unprotect data using Amazon Athena Protector, Amazon Athena saves the results (the unprotected data) in an S3 bucket. The query history is viewable by anyone with IAM permissions on that bucket. To remediate this, we suggest the following configurations.
Setting Amazon Athena Workgroup
Configure the Amazon Athena workgroup with an S3 staging (query results) directory and enable "Override client-side settings". This ensures that every query uses the workgroup's S3 staging directory and encryption settings for the results, rather than settings chosen by the client. Restrict IAM access to that bucket to the minimum required for Amazon Athena to work.
Amazon S3 lifecycle policy
Amazon Athena's default configuration stores query results for 45 days; we suggest reducing this to the minimum (1 day) using an Amazon S3 lifecycle policy.
For more information, visit Working with Query Results, Output Files, and Query History - Amazon Athena.
Encrypt Glue Catalog
Amazon Athena integrates with the AWS Glue Data Catalog. If you use it, you can enable encryption in the AWS Glue Data Catalog. This does not encrypt the data itself, only the Athena table definitions (metadata); it adds another layer of protection for information about where your data is stored and what it contains.
For more information, visit Encrypting Your Data Catalog and Access from Athena to Encrypted Metadata in the AWS Glue Data Catalog - Amazon Athena.
Encryption in transit
To allow only encrypted connections over HTTPS (TLS), apply the aws:SecureTransport condition key in the S3 bucket policies so that requests made without TLS are denied.
Access Control
Resources
Apply least-privilege access control to the Amazon Athena workgroup, the S3 buckets, the Protegrity Protect Lambda function, and AWS KMS (if used for encryption of data at rest).
For more information, visit Identity and Access Management in Athena - Amazon Athena.
Granting access to use the Cloud Protect UDF
The ability to call the Cloud Protect UDF from Athena is controlled through IAM permissions. The Athena user or role must have the lambda:InvokeFunction permission on the Cloud Protect Lambda function, as shown in the following example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectLambdaFunction",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "<PROTECT_FUNCTION_ARN>"
        }
    ]
}
The policy above is used in addition to any other IAM policies required to use Amazon Athena. Refer to the AWS Athena example policy for a typical IAM policy.
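As an added example (not part of Protegrity's documentation or code), the following Python checks three of the configurations recommended above against constructed sample documents: a results-bucket policy that denies non-TLS access via aws:SecureTransport, a lifecycle rule that expires query results after 1 day, and an invoke policy scoped to a single Cloud Protect function ARN. The bucket name, account ID and function name are placeholders.

```python
# Constructed sample documents; the bucket name and Lambda ARN are placeholders.
RESULTS_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-results", "arn:aws:s3:::example-results/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

RESULTS_LIFECYCLE = {"Rules": [{"ID": "expire-query-results", "Status": "Enabled",
                                "Filter": {"Prefix": ""}, "Expiration": {"Days": 1}}]}

INVOKE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ProtectLambdaFunction", "Effect": "Allow",
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:PLACEHOLDER"}]}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def denies_insecure_transport(policy):
    """True if a Deny statement blocks all S3 actions when aws:SecureTransport is false."""
    for st in policy.get("Statement", []):
        cond = st.get("Condition", {}).get("Bool", {})
        if (st.get("Effect") == "Deny" and "s3:*" in _as_list(st.get("Action", []))
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False


def max_result_retention_days(lifecycle):
    """Shortest enabled expiration in days, or None if query results never expire."""
    days = [r["Expiration"]["Days"] for r in lifecycle.get("Rules", [])
            if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})]
    return min(days) if days else None


def invoke_scoped_to_function(policy, function_arn):
    """True if lambda:InvokeFunction is granted, and only on the named function ARN."""
    granted = False
    for st in policy.get("Statement", []):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or not any(
                a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        granted = True
        if any(r != function_arn for r in _as_list(st.get("Resource", []))):
            return False  # "*" or another function is broader than least privilege
    return granted
```

The same checks can be run against the live documents returned by the S3 GetBucketPolicy, GetBucketLifecycleConfiguration and IAM GetPolicyVersion APIs.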
Separate Workgroups
Create separate workgroups based on your privacy controls. This gives you more control over who can see the query history and access the unprotected data stored there.
For more information, visit Using Workgroups to Control Query Access and Costs - Amazon Athena.
AWS Lake Formation
Amazon Athena can benefit from AWS Lake Formation table-level and column-level access policies. They add another layer of security in front of the Protegrity Protect function and reduce unauthorized requests.
For more information, visit Using Athena to Query Data Registered With AWS Lake Formation - Amazon Athena.