Encryption at Rest - Amazon Athena

Encryption at Rest

You can run queries in Amazon Athena on encrypted data in Amazon S3 in the same Region. You can also encrypt the query results in Amazon S3 and the data in the AWS Glue Data Catalog.

You can encrypt the following assets in Athena:

Note

The setup for querying an encrypted dataset in Amazon S3 and the options in Athena to encrypt query results are independent. Each option is enabled and configured separately. You can use different encryption methods or keys for each. This means that reading encrypted data in Amazon S3 doesn't automatically encrypt Athena query results in Amazon S3. The opposite is also true. Encrypting Athena query results in Amazon S3 doesn't encrypt the underlying dataset in Amazon S3.

Supported Amazon S3 Encryption Options

Athena supports the following encryption options for datasets and query results in Amazon S3.

  • SSE-S3 – Server-side encryption (SSE) with an Amazon S3-managed key. Cross-Region support: Yes.

  • SSE-KMS – Server-side encryption (SSE) with an AWS Key Management Service customer managed key. Cross-Region support: Yes.

    Note

    With this encryption type, Athena does not require you to indicate that data is encrypted when you create a table.

  • CSE-KMS – Client-side encryption (CSE) with an AWS KMS customer managed key. Cross-Region support: No.

For more information about AWS KMS encryption with Amazon S3, see What is AWS Key Management Service and How Amazon Simple Storage Service (Amazon S3) Uses AWS KMS in the AWS Key Management Service Developer Guide.

Unsupported Options

The following encryption options are not supported:

  • SSE with customer-provided keys (SSE-C).

  • Client-side encryption using a client-side master key.

  • Asymmetric keys.

To compare Amazon S3 encryption options, see Protecting Data Using Encryption in the Amazon Simple Storage Service Developer Guide.

Permissions to Encrypted Data in Amazon S3

Depending on the type of encryption you use in Amazon S3, you may need to add permissions (Allow actions) to the policies you use with Athena:

  • SSE-S3 – If you use SSE-S3 for encryption, Athena users require no additional permissions in their policies. It is sufficient to have the appropriate Amazon S3 permissions for the appropriate Amazon S3 location and for Athena actions. For more information about policies that allow appropriate Athena and Amazon S3 permissions, see IAM Policies for User Access and Amazon S3 Permissions.

  • AWS KMS – If you use AWS KMS for encryption, Athena users must be allowed to perform particular AWS KMS actions in addition to Athena and Amazon S3 permissions. You allow these actions by editing the key policy for the AWS KMS customer managed keys (CMKs) that are used to encrypt data in Amazon S3. The easiest way to do this is to use the IAM console to add key users to the appropriate AWS KMS key policies. For information about how to add a user to an AWS KMS key policy, see How to Modify a Key Policy in the AWS Key Management Service Developer Guide.

    Note

    Advanced key policy administrators can adjust key policies. kms:Decrypt is the minimum allowed action for an Athena user to work with an encrypted dataset. To work with encrypted query results, the minimum allowed actions are kms:GenerateDataKey and kms:Decrypt.

    When using Athena to query datasets in Amazon S3 that contain a large number of objects encrypted with AWS KMS, AWS KMS may throttle the requests that the query generates. This is more likely when there are a large number of small objects. Athena retries throttled requests with backoff, but a throttling error can still occur. In this case, you can increase your service quotas for AWS KMS. For more information, see Quotas in the AWS Key Management Service Developer Guide.

Permissions to Encrypted Metadata in the AWS Glue Data Catalog

If you encrypt metadata in the AWS Glue Data Catalog, you must add "kms:GenerateDataKey", "kms:Decrypt", and "kms:Encrypt" actions to the policies you use for accessing Athena. For information, see Access to Encrypted Metadata in the AWS Glue Data Catalog.
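The minimum KMS actions listed in the note above (kms:Decrypt for a dataset, kms:GenerateDataKey plus kms:Decrypt for query results) and in this section (kms:Encrypt added for Glue Data Catalog metadata) can be checked against a policy document before it is attached. The following is an added example, not AWS code: it reads an IAM or key policy (both use the Statement/Effect/Action shape), honours IAM's wildcard and explicit-Deny rules for the Action element, and reports which required actions a given use case still lacks. The two policies are constructed samples, and Resource, Condition and Principal are deliberately ignored.

```python
import fnmatch
import json

# Minimum KMS actions per encrypted resource, as listed on this page.
REQUIRED_KMS_ACTIONS = {
    "dataset": {"kms:Decrypt"},
    "query_results": {"kms:GenerateDataKey", "kms:Decrypt"},
    "glue_catalog": {"kms:GenerateDataKey", "kms:Decrypt", "kms:Encrypt"},
}

def _action_patterns(policy: dict, effect: str) -> list[str]:
    """Collect lower-cased Action patterns from statements with the given Effect.
    Action may be a single string or a list; IAM action names are case-insensitive."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == effect:
            action = stmt.get("Action", [])
            patterns.extend([action] if isinstance(action, str) else action)
    return [p.lower() for p in patterns]

def _matches(action: str, patterns: list[str]) -> bool:
    # IAM accepts '*' and '?' wildcards in Action, e.g. "kms:*" or "kms:Gen*".
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def missing_kms_actions(policy: dict, use_case: str) -> set[str]:
    """Return the required KMS actions not effectively allowed for the use case.
    An explicit Deny wins over Allow, as in IAM evaluation. Resource, Condition
    and Principal are ignored, so treat this as a coarse pre-check only."""
    allows = _action_patterns(policy, "Allow")
    denies = _action_patterns(policy, "Deny")
    return {a for a in REQUIRED_KMS_ACTIONS[use_case]
            if _matches(a, denies) or not _matches(a, allows)}

# Constructed sample: enough to read an SSE-KMS dataset, not to write encrypted results.
DATASET_READER = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "kms:Decrypt"], "Resource": "*"}]}""")

# Constructed sample: broad kms:* Allow, but an explicit Deny on kms:Encrypt.
BROAD_WITH_DENY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
  {"Effect": "Deny", "Action": "kms:Encrypt", "Resource": "*"}]}""")

if __name__ == "__main__":
    for name, pol in (("DATASET_READER", DATASET_READER), ("BROAD_WITH_DENY", BROAD_WITH_DENY)):
        for case in REQUIRED_KMS_ACTIONS:
            print(f"{name} / {case}: missing {sorted(missing_kms_actions(pol, case)) or 'none'}")
```

Because the check ignores Resource and Condition, a policy that passes here can still fail at runtime if the key ARN or a condition key does not match; use the IAM policy simulator for the authoritative answer.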