---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Infrastructure > Datadog Resource Catalog
---

# aws_athena_workgroup{% #aws_athena_workgroup %}

## `account_id`{% #account_id %}

**Type**: `STRING`

## `configuration`{% #configuration %}

**Type**: `STRUCT`**Provider name**: `Configuration`**Description**: The configuration of the workgroup, which includes the location in Amazon S3 where query and calculation results are stored, the encryption configuration, if any, used for query and calculation results; whether the Amazon CloudWatch Metrics are enabled for the workgroup; whether workgroup settings override client-side settings; and the data usage limits for the amount of data scanned per query or per workgroup. The workgroup settings override is specified in `EnforceWorkGroupConfiguration` (true/false) in the `WorkGroupConfiguration`. See WorkGroupConfiguration$EnforceWorkGroupConfiguration.

- `additional_configuration`**Type**: `STRING`**Provider name**: `AdditionalConfiguration`**Description**: Specifies a user defined JSON string that is passed to the notebook engine.
- `bytes_scanned_cutoff_per_query`**Type**: `INT64`**Provider name**: `BytesScannedCutoffPerQuery`**Description**: The upper data usage limit (cutoff) for the amount of bytes a single query in a workgroup is allowed to scan.
- `customer_content_encryption_configuration`**Type**: `STRUCT`**Provider name**: `CustomerContentEncryptionConfiguration`**Description**: Specifies the KMS key that is used to encrypt the user's data stores in Athena. This setting does not apply to Athena SQL workgroups.
  - `kms_key`**Type**: `STRING`**Provider name**: `KmsKey`**Description**: The customer managed KMS key that is used to encrypt the user's data stores in Athena.
- `enable_minimum_encryption_configuration`**Type**: `BOOLEAN`**Provider name**: `EnableMinimumEncryptionConfiguration`**Description**: Enforces a minimal level of encryption for the workgroup for query and calculation results that are written to Amazon S3. When enabled, workgroup users can set encryption only to the minimum level set by the administrator or higher when they submit queries. The `EnforceWorkGroupConfiguration` setting takes precedence over the `EnableMinimumEncryptionConfiguration` flag. This means that if `EnforceWorkGroupConfiguration` is true, the `EnableMinimumEncryptionConfiguration` flag is ignored, and the workgroup configuration for encryption is used.
- `enforce_work_group_configuration`**Type**: `BOOLEAN`**Provider name**: `EnforceWorkGroupConfiguration`**Description**: If set to "true", the settings for the workgroup override client-side settings. If set to "false", client-side settings are used. For more information, see [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html).
- `engine_version`**Type**: `STRUCT`**Provider name**: `EngineVersion`**Description**: The engine version that all queries running on the workgroup use. Queries on the `AmazonAthenaPreviewFunctionality` workgroup run on the preview engine regardless of this setting.
  - `effective_engine_version`**Type**: `STRING`**Provider name**: `EffectiveEngineVersion`**Description**: Read only. The engine version on which the query runs. If the user requests a valid engine version other than Auto, the effective engine version is the same as the engine version that the user requested. If the user requests Auto, the effective engine version is chosen by Athena. When a request to update the engine version is made by a `CreateWorkGroup` or `UpdateWorkGroup` operation, the `EffectiveEngineVersion` field is ignored.
  - `selected_engine_version`**Type**: `STRING`**Provider name**: `SelectedEngineVersion`**Description**: The engine version requested by the user. Possible values are determined by the output of `ListEngineVersions`, including AUTO. The default is AUTO.
- `execution_role`**Type**: `STRING`**Provider name**: `ExecutionRole`**Description**: The ARN of the execution role used to access user resources for Spark sessions and IAM Identity Center enabled workgroups. This property applies only to Spark enabled workgroups and IAM Identity Center enabled workgroups. The property is required for IAM Identity Center enabled workgroups.
- `identity_center_configuration`**Type**: `STRUCT`**Provider name**: `IdentityCenterConfiguration`**Description**: Specifies whether the workgroup is IAM Identity Center supported.
  - `enable_identity_center`**Type**: `BOOLEAN`**Provider name**: `EnableIdentityCenter`**Description**: Specifies whether the workgroup is IAM Identity Center supported.
  - `identity_center_instance_arn`**Type**: `STRING`**Provider name**: `IdentityCenterInstanceArn`**Description**: The IAM Identity Center instance ARN that the workgroup associates to.
- `publish_cloud_watch_metrics_enabled`**Type**: `BOOLEAN`**Provider name**: `PublishCloudWatchMetricsEnabled`**Description**: Indicates that the Amazon CloudWatch metrics are enabled for the workgroup.
- `query_results_s3_access_grants_configuration`**Type**: `STRUCT`**Provider name**: `QueryResultsS3AccessGrantsConfiguration`**Description**: Specifies whether Amazon S3 access grants are enabled for query results.
  - `authentication_type`**Type**: `STRING`**Provider name**: `AuthenticationType`**Description**: The authentication type used for Amazon S3 access grants. Currently, only `DIRECTORY_IDENTITY` is supported.
  - `create_user_level_prefix`**Type**: `BOOLEAN`**Provider name**: `CreateUserLevelPrefix`**Description**: When enabled, appends the user ID as an Amazon S3 path prefix to the query result output location.
  - `enable_s3_access_grants`**Type**: `BOOLEAN`**Provider name**: `EnableS3AccessGrants`**Description**: Specifies whether Amazon S3 access grants are enabled for query results.
- `requester_pays_enabled`**Type**: `BOOLEAN`**Provider name**: `RequesterPaysEnabled`**Description**: If set to `true`, allows members assigned to a workgroup to reference Amazon S3 Requester Pays buckets in queries. If set to `false`, workgroup members cannot query data from Requester Pays buckets, and queries that retrieve data from Requester Pays buckets cause an error. The default is `false`. For more information about Requester Pays buckets, see [Requester Pays Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/RequesterPaysBuckets.html) in the Amazon Simple Storage Service Developer Guide.
- `result_configuration`**Type**: `STRUCT`**Provider name**: `ResultConfiguration`**Description**: The configuration for the workgroup, which includes the location in Amazon S3 where query and calculation results are stored and the encryption option, if any, used for query and calculation results. To run the query, you must specify the query results location using one of the ways: either in the workgroup using this setting, or for individual queries (client-side), using ResultConfiguration$OutputLocation. If none of them is set, Athena issues an error that no output location is provided.
  - `acl_configuration`**Type**: `STRUCT`**Provider name**: `AclConfiguration`**Description**: Indicates that an Amazon S3 canned ACL should be set to control ownership of stored query results. Currently the only supported canned ACL is `BUCKET_OWNER_FULL_CONTROL`. This is a client-side setting. If workgroup settings override client-side settings, then the query uses the ACL configuration that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. For more information, see WorkGroupConfiguration$EnforceWorkGroupConfiguration and [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html).
    - `s3_acl_option`**Type**: `STRING`**Provider name**: `S3AclOption`**Description**: The Amazon S3 canned ACL that Athena should specify when storing query results. Currently the only supported canned ACL is `BUCKET_OWNER_FULL_CONTROL`. If a query runs in a workgroup and the workgroup overrides client-side settings, then the Amazon S3 canned ACL specified in the workgroup's settings is used for all queries that run in the workgroup. For more information about Amazon S3 canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl) in the Amazon S3 User Guide.
  - `encryption_configuration`**Type**: `STRUCT`**Provider name**: `EncryptionConfiguration`**Description**: If query and calculation results are encrypted in Amazon S3, indicates the encryption option used (for example, `SSE_KMS` or `CSE_KMS`) and key information. This is a client-side setting. If workgroup settings override client-side settings, then the query uses the encryption configuration that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. See WorkGroupConfiguration$EnforceWorkGroupConfiguration and [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html).
    - `encryption_option`**Type**: `STRING`**Provider name**: `EncryptionOption`**Description**: Indicates whether Amazon S3 server-side encryption with Amazon S3-managed keys (`SSE_S3`), server-side encryption with KMS-managed keys (`SSE_KMS`), or client-side encryption with KMS-managed keys (`CSE_KMS`) is used. If a query runs in a workgroup and the workgroup overrides client-side settings, then the workgroup's setting for encryption is used. It specifies whether query results must be encrypted, for all queries that run in this workgroup.
    - `kms_key`**Type**: `STRING`**Provider name**: `KmsKey`**Description**: For `SSE_KMS` and `CSE_KMS`, this is the KMS key ARN or ID.
  - `expected_bucket_owner`**Type**: `STRING`**Provider name**: `ExpectedBucketOwner`**Description**: The Amazon Web Services account ID that you expect to be the owner of the Amazon S3 bucket specified by ResultConfiguration$OutputLocation. If set, Athena uses the value for `ExpectedBucketOwner` when it makes Amazon S3 calls to your specified output location. If the `ExpectedBucketOwner` Amazon Web Services account ID does not match the actual owner of the Amazon S3 bucket, the call fails with a permissions error. This is a client-side setting. If workgroup settings override client-side settings, then the query uses the `ExpectedBucketOwner` setting that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. See WorkGroupConfiguration$EnforceWorkGroupConfiguration and [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html).
  - `output_location`**Type**: `STRING`**Provider name**: `OutputLocation`**Description**: The location in Amazon S3 where your query and calculation results are stored, such as `s3://path/to/query/bucket/`. To run the query, you must specify the query results location using one of the ways: either for individual queries using either this setting (client-side), or in the workgroup, using WorkGroupConfiguration. If none of them is set, Athena issues an error that no output location is provided. If workgroup settings override client-side settings, then the query uses the settings specified for the workgroup. See WorkGroupConfiguration$EnforceWorkGroupConfiguration.

## `creation_time`{% #creation_time %}

**Type**: `TIMESTAMP`**Provider name**: `CreationTime`**Description**: The date and time the workgroup was created.

## `description`{% #description %}

**Type**: `STRING`**Provider name**: `Description`**Description**: The workgroup description.

## `identity_center_application_arn`{% #identity_center_application_arn %}

**Type**: `STRING`**Provider name**: `IdentityCenterApplicationArn`**Description**: The ARN of the IAM Identity Center enabled application associated with the workgroup.

## `name`{% #name %}

**Type**: `STRING`**Provider name**: `Name`**Description**: The workgroup name.

## `state`{% #state %}

**Type**: `STRING`**Provider name**: `State`**Description**: The state of the workgroup: ENABLED or DISABLED.

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `workgroup_arn`{% #workgroup_arn %}

**Type**: `STRING`