AWS Security Hub · Athena
Athena.4: Athena query access is not logged
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Athena.4 check?
Athena.4 fails when an Athena workgroup does not have logging enabled. In practice the check looks at the workgroup configuration's PublishCloudWatchMetricsEnabled flag: if the workgroup is not publishing its query metrics to CloudWatch, the control fails.
Why does Athena.4 matter?
People assume CloudTrail covers Athena, but CloudTrail only records the API call (StartQueryExecution); the query text in its request parameters is truncated for long queries and is not always present. You can have a clean trail showing that 400 queries ran last month and still have no idea what any of them asked for. Athena's own query history (what GetQueryExecution returns) is where the query text, the data scanned, the timing and the result location actually live, and that is the detail you need to audit access to sensitive data. The workgroup's CloudWatch metrics add the per-workgroup query counts and bytes scanned that you can baseline and alarm on.
How do I fix Athena.4?
- Inventory workgroups with list-work-groups, then check each one with get-work-group; the workgroups whose PublishCloudWatchMetricsEnabled is false or unset are the findings.
- Enable CloudWatch metrics on the workgroup and set its query-result location with update-work-group.
- Set EnforceWorkGroupConfiguration to true so client-side settings can't override the workgroup's result location and metrics settings per query.
- Plan retention beyond the 45 days Athena keeps query history: if you need a longer audit window, export query executions (ListQueryExecutions, then GetQueryExecution or BatchGetQueryExecution) to your own store on a schedule.
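The four steps above as one script, added here as a worked example (it is not code from the original page or from AWS). It assumes an AWS CLI configured for the target account and region; the results bucket, the history directory and the ATHENA4_APPLY switch are placeholders of this example, and the three-row inventory used for the dry run is constructed, not read from a real account.

```bash
#!/usr/bin/env bash
# Athena.4 remediation, end to end: inventory workgroups, flag the ones that do not
# publish CloudWatch metrics, fix them with update-work-group, verify the change, and
# export query history before Athena's 45-day window expires.
# ASSUMPTIONS (example only): the AWS CLI is configured for the target account/region;
# RESULTS_LOCATION is a placeholder, replace it with a bucket your users can write to.
set -eu

RESULTS_LOCATION="${RESULTS_LOCATION:-s3://example-athena-results/prod/}"
HISTORY_DIR="${HISTORY_DIR:-./athena-query-history}"
TAB="$(printf '\t')"

# Classify the value that
#   aws athena get-work-group --query 'WorkGroup.Configuration.PublishCloudWatchMetricsEnabled' --output text
# prints: "True" is compliant; "False" or "None" (flag never set) is not.
wg_metrics_enabled() {
  case "${1:-}" in
    True|true) return 0 ;;
    *)         return 1 ;;
  esac
}

# Shorthand for --configuration-updates. Enforcing the workgroup configuration is
# what stops a client from overriding the result location or metrics per query.
configuration_updates() {
  printf 'PublishCloudWatchMetricsEnabled=true,EnforceWorkGroupConfiguration=true,ResultConfigurationUpdates={OutputLocation=%s}' "$1"
}

# Read "name<TAB>flag" lines and print the names of the non-compliant workgroups.
noncompliant_from_report() {
  local name flag
  while IFS="$TAB" read -r name flag; do
    [ -n "$name" ] || continue
    wg_metrics_enabled "$flag" || printf '%s\n' "$name"
  done
}

# Constructed sample of an inventory (not from a real account), used for the dry run.
sample_inventory() {
  printf 'primary\tFalse\nanalytics\tTrue\nlegacy\tNone\n'
}

# Live inventory: "name<TAB>flag" for every workgroup (needs athena:ListWorkGroups and GetWorkGroup).
inventory_workgroups() {
  local wg
  for wg in $(aws athena list-work-groups --query 'WorkGroups[].Name' --output text); do
    printf '%s\t%s\n' "$wg" "$(aws athena get-work-group --work-group "$wg" \
      --query 'WorkGroup.Configuration.PublishCloudWatchMetricsEnabled' --output text)"
  done
}

# Fix one workgroup, then re-read the flag so the change is verified, not assumed.
remediate_workgroup() {
  aws athena update-work-group --work-group "$1" \
    --configuration-updates "$(configuration_updates "$RESULTS_LOCATION")"
  aws athena get-work-group --work-group "$1" \
    --query 'WorkGroup.Configuration.PublishCloudWatchMetricsEnabled' --output text
}

# Query history is kept 45 days; archive a workgroup's executions (query text, data
# scanned, status) as JSON, 50 ids per BatchGetQueryExecution call.
export_query_history() {
  mkdir -p "$HISTORY_DIR"
  aws athena list-query-executions --work-group "$1" \
    --query 'QueryExecutionIds[]' --output text \
    | xargs -r -n 50 aws athena batch-get-query-execution --query-execution-ids \
    >> "$HISTORY_DIR/$1.json"
}

if [ "${ATHENA4_APPLY:-0}" = "1" ]; then
  inventory_workgroups | noncompliant_from_report | while read -r wg; do
    echo "Remediating $wg"
    remediate_workgroup "$wg"
    export_query_history "$wg"
  done
else
  echo "Dry run on a constructed sample (set ATHENA4_APPLY=1 to change the account):"
  sample_inventory | noncompliant_from_report
fi
```

Two caveats before running it with ATHENA4_APPLY=1. EnforceWorkGroupConfiguration=true also overrides any client-side result location, so every user of the workgroup must be able to write to RESULTS_LOCATION or their queries will start failing. And the export only covers the executions ListQueryExecutions still returns, so schedule it well inside the 45 days rather than once.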
Remediation script · bash
# Generic logging script from the lesson "Enable application and API logging".
# It covers API Gateway execution logs and RDS engine-log export; it does not
# configure Athena workgroups (that is the update-work-group step above).
# Prerequisite: API Gateway needs an account-level CloudWatch Logs role.
# Without it the stage setting saves but no execution logs ever flow.
aws apigateway get-account --query 'cloudwatchRoleArn' --output text
# Enable ERROR-level execution logging on every stage of one REST API
# (a1b2c3d4e5 is a placeholder REST API id).
REST_API=a1b2c3d4e5
for STAGE in $(aws apigateway get-stages --rest-api-id "$REST_API" \
    --query 'item[].stageName' --output text); do
  aws apigateway update-stage --rest-api-id "$REST_API" --stage-name "$STAGE" \
    --patch-operations op=replace,path=/*/*/logging/loglevel,value=ERROR
  # Cap retention on the stage's log group so storage stays bounded. The group is
  # created on first log delivery, so re-run this step if it does not exist yet.
  aws logs put-retention-policy \
    --log-group-name "API-Gateway-Execution-Logs_${REST_API}/${STAGE}" \
    --retention-in-days 90
done
# Example for a managed database: export engine logs to CloudWatch Logs
# ("audit" is only available where the engine has an audit plugin enabled,
# e.g. the MariaDB Audit Plugin option on RDS MySQL/MariaDB).
aws rds modify-db-instance --db-instance-identifier prod-db \
  --cloudwatch-logs-export-configuration 'EnableLogTypes=["error","audit"]' \
  --apply-immediately
Full walkthrough (console steps, edge cases and verification) in the lesson Enable application and API logging.