Key management - Amazon Athena

Key management

Amazon Athena supports AWS Key Management Service (AWS KMS) to encrypt datasets in Amazon S3 and Athena query results. AWS KMS uses customer managed keys (CMKs) to encrypt your Amazon S3 objects and relies on envelope encryption.

In AWS KMS, you can perform the following actions:


Athena supports only symmetric keys for reading and writing data.

For more information, see What is AWS Key Management Service in the AWS Key Management Service Developer Guide, and How Amazon Simple Storage Service uses AWS KMS. To view the keys in your account that AWS creates and manages for you, in the navigation pane, choose AWS managed keys.

If you are uploading or accessing objects encrypted by SSE-KMS, use AWS Signature Version 4 for added security. For more information, see Specifying the signature version in request authentication in the Amazon Simple Storage Service User Guide.

If your Athena workloads encrypt a large amount of data, you can use Amazon S3 Bucket Keys to reduce costs. For more information, see Reducing the cost of SSE-KMS with Amazon S3 Bucket keys in the Amazon Simple Storage Service User Guide.