Configuring Encryption Options

You can use Athena to query encrypted data in Amazon S3 by indicating data encryption when you create a table. You can also choose to encrypt the results of all queries in Amazon S3, which Athena stores in a location known as the S3 staging directory. You can encrypt query results stored in Amazon S3 whether the underlying data set is encrypted in Amazon S3 or not. You set up query-result encryption using the Athena console or, if you connect using the JDBC driver, by configuring driver options. You specify the type of encryption to use and the Amazon S3 staging directory location. Query-result encryption applies to all queries.

These options encrypt data at rest in Amazon S3. Regardless of whether you use these options, transport layer security (TLS) encrypts objects in transit between Athena resources and between Athena and Amazon S3. Query results stream to JDBC clients as plaintext and are encrypted in transit using SSL.

Important

The setup for querying an encrypted data set in Amazon S3 and the options in Athena to encrypt query results are independent. Each option is enabled and configured separately. You can use different encryption methods or keys for each. This means that reading encrypted data in Amazon S3 doesn't automatically encrypt Athena query results in Amazon S3. The opposite is also true. Encrypting Athena query results in Amazon S3 doesn't encrypt the underlying data set in Amazon S3.

Athena supports the following S3 encryption options, both for encrypted data sets in Amazon S3 and for encrypted query results:

  • Server-side encryption with an Amazon S3-managed key (SSE-S3)
  • Server-side encryption with an AWS KMS-managed key (SSE-KMS)
  • Client-side encryption with an AWS KMS-managed key (CSE-KMS)

Athena does not support SSE with customer-provided keys (SSE-C), nor does it support client-side encryption using a client-side master key. To compare Amazon S3 encryption options, see Protecting Data Using Encryption in the Amazon Simple Storage Service Developer Guide. For more information about AWS KMS encryption with Amazon S3, see What is AWS Key Management Service and How Amazon Simple Storage Service (Amazon S3) Uses AWS KMS in the AWS Key Management Service Developer Guide.

Permissions for Encrypting and Decrypting Data

If you use SSE-S3 for encryption, Athena users require no additional permissions for encryption and decryption. Having the appropriate Amazon S3 permissions for the appropriate Amazon S3 location (and for Athena actions) is enough. For more information about user-based policies that allow appropriate Athena and Amazon S3 permissions, see Managed policies and Amazon S3 Permissions.

For data that is encrypted using AWS KMS, Athena users must be allowed to perform particular AWS KMS actions in addition to Athena and S3 permissions. You allow these actions by editing the key policy for the KMS customer master keys (CMKs) that are used to encrypt data in Amazon S3. The easiest way to do this is to use the IAM console to add key users to the appropriate KMS key policies. For information about how to add a user to a KMS key policy, see How to Modify a Key Policy in the AWS Key Management Service Developer Guide.

Tip

Advanced key policy administrators may want to fine-tune key policies. kms:Decrypt is the minimum allowed action for an Athena user to work with an encrypted data set. To work with encrypted query results, the minimum allowed actions are kms:GenerateDataKey and kms:Decrypt.
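
A check for the minimum actions named in the tip, as an added example that is not AWS code: it reads a key policy document and reports which required KMS actions a given principal lacks. The role ARNs and the sample policy are constructed, and the evaluation is simplified (it ignores Condition and NotAction elements and does not consult IAM identity policies).

```python
import fnmatch

# Minimum KMS actions per use case, as stated in the tip above.
MIN_ACTIONS = {
    "encrypted_data_set": {"kms:Decrypt"},
    "encrypted_query_results": {"kms:GenerateDataKey", "kms:Decrypt"},
}

def _listify(value):
    return value if isinstance(value, list) else [value]

def _names_principal(statement, arn):
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return principal == "*"
    aws = _listify(principal.get("AWS", []))
    return arn in aws or "*" in aws

def _covers(statement, action):
    # IAM action names are case-insensitive and may contain * wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _listify(statement.get("Action", [])))

def missing_actions(key_policy, arn, use_case):
    """Return the minimum actions the key policy does not grant to `arn`.

    Simplified: Condition and NotAction are ignored, and IAM identity
    policies are not consulted. An explicit Deny overrides any Allow.
    """
    missing = set()
    for action in MIN_ACTIONS[use_case]:
        effects = {st.get("Effect")
                   for st in _listify(key_policy.get("Statement", []))
                   if _names_principal(st, arn) and _covers(st, action)}
        if "Allow" not in effects or "Deny" in effects:
            missing.add(action)
    return missing

# Constructed sample key policy; the account ID and role names are placeholders.
ANALYST = "arn:aws:iam::111122223333:role/athena-analyst"
REPORTING = "arn:aws:iam::111122223333:role/athena-reporting"
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ANALYST},
         "Action": "kms:Decrypt", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": [REPORTING]},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
    ],
}
```

In the sample, the analyst role can read an encrypted data set but cannot write encrypted query results until kms:GenerateDataKey is added for it.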

When using Athena to query data sets in Amazon S3 with a large number of objects that are encrypted with AWS KMS, AWS KMS may throttle query results. This is more likely when there are a large number of small objects. Athena backs off retry requests, but a throttling error might still occur. In this case, visit the AWS Support Center and create a case to increase your limit. For more information about limits and AWS KMS throttling, see Limits in the AWS Key Management Service Developer Guide.

Creating Tables Based on Encrypted Data Sets in Amazon S3

You indicate to Athena that a data set is encrypted in Amazon S3 when you create a table. Whether the data set is encrypted using SSE-S3 or KMS, Athena is able to determine the proper materials to use to decrypt the data set and create the table, so you don't need to provide key information. Users that run queries, including the user who creates the table, must have the appropriate permissions, as described earlier.

Indicate that the data set is encrypted in Amazon S3 in one of the following ways:

  • Use the create-table statement with a TBLPROPERTIES clause that specifies 'has_encrypted_data'='true'.

  • Use the JDBC driver and set the TBLPROPERTIES value as above when you execute create-table using statement.executeQuery().

  • Use the Add table wizard in the Athena console, and then choose Encrypted data set when you specify a value for Location of input data set.

Tables based on encrypted data in Amazon S3 appear in the Database list with an encryption icon.

Encrypting Query Results Stored in Amazon S3

You use the Athena console or JDBC driver properties to specify that query results, which Athena stores in the S3 staging directory, are encrypted in Amazon S3. This setting applies to all Athena query results. You can't configure the setting for individual databases, tables, or queries.

To encrypt query results stored in Amazon S3 using the console

  1. In the Athena console, choose Settings.

  2. For Query result location, enter a custom value or leave the default. This is the Amazon S3 staging directory where query results are stored.

  3. Choose Encrypt query results.

  4. For Encryption type, choose CSE-KMS, SSE-KMS, or SSE-S3.

  5. If you chose SSE-KMS or CSE-KMS, for Encryption key, specify one of the following:

    • If your account has access to an existing KMS CMK, choose its alias.

      —OR—

    • Choose Enter a KMS key ARN and then enter an ARN.

      —OR—

    • To create a new KMS key, choose Create KMS key, use the IAM console to create the key, and then return to specify the key by alias or ARN as described earlier. For more information, see Creating Keys in the AWS Key Management Service Developer Guide.

  6. Choose Save.

To encrypt query results stored in Amazon S3 using the JDBC driver

Use JDBC Driver Options to specify encryption settings as follows. For more information, see JDBC Driver Options.

  • s3_staging_dir specifies the location of query results in Amazon S3 (for example, s3://mybucket/myfolder/).
  • query_results_encryption_option specifies the encryption type: SSE_S3, SSE_KMS, or CSE_KMS.
  • query_results_aws_kms_key is required only if SSE-KMS or CSE-KMS is used. Use it to specify the KMS key ID, for example the ID 123abcde-4e56-56f7-g890-1234h5678i9j, or the key ARN, for example arn:aws:kms:us-east-1:111122223333:key/123abcde-4e56-56f7-g890-1234h5678i9j.
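
A pre-flight check for the three driver options above, as an added example that is not part of the Athena driver: it flags a missing key for the KMS options, console-style spellings such as SSE-KMS, and the case where the source data is encrypted but query results are not, since the two settings are independent. The function name and the source_data_encrypted flag are hypothetical, and treating the option values as exact, case-sensitive strings is an assumption.

```python
import re

# Driver values use underscores (assumed exact match); the console shows hyphens.
VALID_OPTIONS = {"SSE_S3", "SSE_KMS", "CSE_KMS"}
KMS_OPTIONS = {"SSE_KMS", "CSE_KMS"}
KEY_ARN = re.compile(r"^arn:aws[\w-]*:kms:[\w-]+:\d{12}:key/.+$")

def check_jdbc_options(props, source_data_encrypted=False):
    """Return a list of findings for a dict of JDBC driver options."""
    findings = []
    if not props.get("s3_staging_dir", "").startswith("s3://"):
        findings.append("s3_staging_dir must be an s3:// location")
    option = props.get("query_results_encryption_option")
    key = props.get("query_results_aws_kms_key")
    if option is None:
        # The two settings are independent: encrypted source data does not
        # imply encrypted results in the staging directory.
        if source_data_encrypted:
            findings.append("source data is encrypted but query results are not")
        if key:
            findings.append("query_results_aws_kms_key is set but no "
                            "query_results_encryption_option is given")
    elif option not in VALID_OPTIONS:
        message = f"unknown query_results_encryption_option {option!r}"
        candidate = option.upper().replace("-", "_")
        if candidate in VALID_OPTIONS:
            message += f"; did you mean {candidate}?"
        findings.append(message)
    elif option in KMS_OPTIONS:
        if not key:
            findings.append(f"{option} requires query_results_aws_kms_key")
        elif key.startswith("arn:") and not KEY_ARN.match(key):
            findings.append("query_results_aws_kms_key is not a KMS key ARN")
    elif key:
        findings.append("query_results_aws_kms_key is not needed with SSE_S3")
    return findings

# Values taken from the page's own examples.
GOOD = {
    "s3_staging_dir": "s3://mybucket/myfolder/",
    "query_results_encryption_option": "SSE_KMS",
    "query_results_aws_kms_key":
        "arn:aws:kms:us-east-1:111122223333:key/123abcde-4e56-56f7-g890-1234h5678i9j",
}
# Constructed misconfiguration: console-style name with a hyphen, no key.
BAD = {"s3_staging_dir": "s3://mybucket/myfolder/",
       "query_results_encryption_option": "SSE-KMS"}
```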