Workgroup settings - Amazon Athena

Workgroup settings

Each workgroup has the following settings:

  • A unique name. It can contain from 1 to 128 characters, including alphanumeric characters, dashes, and underscores. After you create a workgroup, you cannot change its name. You can, however, create a new workgroup with the same settings and a different name.

  • Settings that apply to all queries running in the workgroup. They include:

    • A location in Amazon S3 for storing query results for all queries that run in this workgroup. This location must exist before you specify it for the workgroup when you create it. For information about creating an Amazon S3 bucket, see Create a bucket.

    • Bucket owner control of query results – Whether the owner of the Amazon S3 query results bucket has full control over new objects that are written to the bucket. For example, if your query result location is owned by another account, you can grant ownership and full control over your query results to the other account.

    • Expected bucket owner – The ID of the AWS account that you expect to be the owner of the query results bucket. This is an added security measure. If the account ID of the bucket owner does not match the ID that you specify here, attempts to output to the bucket will fail. For in-depth information, see Verifying bucket ownership with bucket owner condition in the Amazon S3 User Guide..


      The expected bucket owner setting applies only to the Amazon S3 output location that you specify for Athena query results. It does not apply to other Amazon S3 locations like data source locations in external Amazon S3 buckets, CTAS and INSERT INTO destination table locations, UNLOAD statement output locations, operations to spill buckets for federated queries, or SELECT queries run against a table in another account.

    • An encryption setting, if you use encryption for all workgroup queries. You can encrypt only all queries in a workgroup, not just some of them. It is best to create separate workgroups to contain queries that are either encrypted or not encrypted.

In addition, your workgroup can override client-side settings. Before the release of workgroups, you could specify results location and encryption options as parameters in the JDBC or ODBC driver, or in the Properties tab in the Athena console. These settings could also be specified directly via the API operations. These settings are known as "client-side settings". With workgroups, you can configure these settings at the workgroup level to control the options available at the client level. Enforcing workgroup-level settings also saves users from having to configure their client-side settings individually. If you select the Override Client-Side Settings option for the workgroup, queries use the workgroup settings and ignore the client-side settings.

If Override Client-Side Settings is selected, the user is notified on the console that their settings have changed. If workgroup settings are enforced this way, users can omit the corresponding client-side settings. Then, queries that run in the console use the workgroup's settings even if client-side settings are present. Also, when queries in the workgroup are run through the AWS CLI, API operations, or JDBC or ODBC drivers, client-side settings like query results location and encryption are overridden by workgroup settings. To see the settings for the workgroup, view the workgroup's details.

You can also set query limits for queries in workgroups.