Key management - Amazon Athena

Key management

Amazon Athena supports AWS Key Management Service (AWS KMS) to encrypt datasets in Amazon S3 and Athena query results. AWS KMS uses customer managed keys (CMKs) to encrypt your Amazon S3 objects and relies on envelope encryption.

In AWS KMS, you can perform the following actions:

Note

Athena supports only symmetric keys for reading and writing data.

For more information, see What is AWS Key Management Service in the AWS Key Management Service Developer Guide, and How Amazon Simple Storage Service uses AWS KMS. To view the keys in your account that AWS creates and manages for you, in the navigation pane, choose AWS managed keys.

If you are uploading or accessing objects encrypted by SSE-KMS, use AWS Signature Version 4 for added security. For more information, see Specifying the signature version in request authentication in the Amazon Simple Storage Service User Guide.

If your Athena workloads encrypt a large amount of data, you can use Amazon S3 Bucket Keys to reduce costs. For more information, see Reducing the cost of SSE-KMS with Amazon S3 Bucket keys in the Amazon Simple Storage Service User Guide.
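A pre-flight check that ties together the symmetric-key note, SSE-KMS, Signature Version 4 and S3 Bucket Keys, as an added example that is not part of the AWS documentation. It works on the dictionary shapes used by boto3, so it runs offline; the function names, bucket name and key ARN are hypothetical placeholders.

```python
# Added example: pure functions over boto3 request/response shapes (no AWS calls).
# Function names, the bucket and the key ARN below are constructed placeholders.
# For real S3 calls, create the client with SigV4:
#   boto3.client("s3", config=botocore.config.Config(signature_version="s3v4"))

ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed
GOOD_KEY = {"Arn": ARN, "KeySpec": "SYMMETRIC_DEFAULT",
            "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled"}
RSA_KEY = dict(GOOD_KEY, KeySpec="RSA_2048")  # asymmetric: Athena cannot use it


def check_key_for_athena(meta):
    """List problems in a KeyMetadata dict, the shape returned by
    kms.describe_key(KeyId=...)["KeyMetadata"]."""
    problems = []
    # Athena supports only symmetric keys for reading and writing data.
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
        problems.append(f"KeySpec {meta.get('KeySpec')} is not a symmetric encryption key")
    if meta.get("KeyUsage") != "ENCRYPT_DECRYPT":
        problems.append(f"KeyUsage {meta.get('KeyUsage')} cannot encrypt data")
    if meta.get("KeyState") != "Enabled":
        problems.append(f"KeyState is {meta.get('KeyState')}")
    return problems


def athena_result_configuration(output_location, key_arn):
    """ResultConfiguration for athena.start_query_execution (SSE-KMS results)."""
    return {"OutputLocation": output_location,
            "EncryptionConfiguration": {"EncryptionOption": "SSE_KMS",
                                        "KmsKey": key_arn}}


def bucket_default_encryption(key_arn):
    """ServerSideEncryptionConfiguration for s3.put_bucket_encryption."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": key_arn},
        "BucketKeyEnabled": True,  # S3 Bucket Key: fewer KMS requests, lower cost
    }]}


def plan(meta, output_location):
    """Refuse unusable keys, otherwise return (Athena config, bucket config)."""
    problems = check_key_for_athena(meta)
    if problems:
        raise ValueError("; ".join(problems))
    return (athena_result_configuration(output_location, meta["Arn"]),
            bucket_default_encryption(meta["Arn"]))


if __name__ == "__main__":
    print(plan(GOOD_KEY, "s3://example-athena-results/"))  # constructed bucket
    print(check_key_for_athena(RSA_KEY))
```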