Encryption at rest
You can run queries in Amazon Athena on encrypted data in Amazon S3 in the same Region and across a limited number of Regions. You can also encrypt the query results in Amazon S3 and the data in the AWS Glue Data Catalog.
You can encrypt the following assets in Athena:
- The results of all queries in Amazon S3, which Athena stores in a location known as the Amazon S3 results location. You can encrypt query results stored in Amazon S3 whether the underlying dataset is encrypted in Amazon S3 or not. For information, see Encrypt Athena query results stored in Amazon S3.
- The data in the AWS Glue Data Catalog. For information, see Permissions to encrypted metadata in the AWS Glue Data Catalog.
Note
When you use Athena to read an encrypted table, Athena uses the encryption options specified for the table data, not the encryption option for the query results. If separate encryption methods or keys are configured for query results and table data, Athena reads the table data without using the encryption option and key used to encrypt or decrypt the query results.
However, if you use Athena to insert data into a table that has encrypted data, Athena uses the encryption configuration that was specified for the query results to encrypt the inserted data. For example, if you specify CSE_KMS encryption for query results, Athena uses the same AWS KMS key ID that you used for query results encryption to encrypt the inserted table data with CSE_KMS.
Supported Amazon S3 encryption options
Athena supports the following encryption options for datasets and query results in Amazon S3.
Encryption type | Description | Cross-Region support |
---|---|---|
SSE-S3 | Server-side encryption (SSE) with an Amazon S3-managed key. | Yes |
SSE-KMS | Server-side encryption (SSE) with an AWS Key Management Service customer managed key. Note: With this encryption type, Athena does not require you to indicate that data is encrypted when you create a table. | Yes |
CSE-KMS | Client-side encryption (CSE) with an AWS KMS customer managed key. In Athena, this option requires that you use a | No |
For more information about AWS KMS encryption with Amazon S3, see What is AWS Key Management Service and How Amazon Simple Storage Service (Amazon S3) uses AWS KMS in the AWS Key Management Service Developer Guide. For more information about using SSE-KMS or CSE-KMS with Athena, see Launch: Amazon Athena adds support for querying encrypted data.
Unsupported options
The following encryption options are not supported:
- SSE with customer-provided keys (SSE-C).
- Client-side encryption using a client-side managed key.
- Asymmetric keys.
To compare Amazon S3 encryption options, see Protecting data using encryption in the Amazon Simple Storage Service User Guide.
Tools for client-side encryption
For client-side encryption, note that two tools are available:
- Amazon S3 encryption client – This encrypts data for Amazon S3 only and is supported by Athena.
- AWS Encryption SDK – The SDK can be used to encrypt data anywhere across AWS but is not directly supported by Athena.
These tools are not compatible, and data encrypted using one tool cannot be decrypted by the other. Athena only supports the Amazon S3 Encryption Client directly. If you use the SDK to encrypt your data, you can run queries from Athena, but the data is returned as encrypted text.
If you want to use Athena to query data that has been encrypted with the AWS Encryption SDK, you must download and decrypt your data, and then encrypt it again using the Amazon S3 Encryption Client.
Permissions to encrypted data in Amazon S3
Depending on the type of encryption you use in Amazon S3, you may need to add permissions, also known as "Allow" actions, to your policies used in Athena:
- SSE-S3 – If you use SSE-S3 for encryption, Athena users require no additional permissions in their policies. It is sufficient to have the appropriate Amazon S3 permissions for the appropriate Amazon S3 location and for Athena actions. For more information about policies that allow appropriate Athena and Amazon S3 permissions, see AWS managed policies for Amazon Athena and Control access to Amazon S3 from Athena.
- AWS KMS – If you use AWS KMS for encryption, Athena users must be allowed to perform particular AWS KMS actions in addition to Athena and Amazon S3 permissions. You allow these actions by editing the key policy for the AWS KMS customer managed CMKs that are used to encrypt data in Amazon S3. To add key users to the appropriate AWS KMS key policies, you can use the AWS KMS console at https://console.aws.amazon.com/kms. For information about how to add a user to an AWS KMS key policy, see Allows key users to use the CMK in the AWS Key Management Service Developer Guide.
Note
Advanced key policy administrators can adjust key policies. kms:Decrypt is the minimum allowed action for an Athena user to work with an encrypted dataset. To work with encrypted query results, the minimum allowed actions are kms:GenerateDataKey and kms:Decrypt.
When using Athena to query datasets in Amazon S3 with a large number of objects that are encrypted with AWS KMS, AWS KMS may throttle query results. This is more likely when there are a large number of small objects. Athena backs off retry requests, but a throttling error might still occur. If you are working with a large number of encrypted objects and experience this issue, one option is to enable Amazon S3 bucket keys to reduce the number of calls to KMS. For more information, see Reducing the cost of SSE-KMS with Amazon S3 Bucket keys in the Amazon Simple Storage Service User Guide. Another option is to increase your service quotas for AWS KMS. For more information, see Quotas in the AWS Key Management Service Developer Guide.
For troubleshooting information about permissions when using Amazon S3 with Athena, see the Permissions section of the Troubleshoot issues in Athena topic.
Permissions to encrypted metadata in the AWS Glue Data Catalog
If you encrypt metadata in the AWS Glue Data Catalog, you must add "kms:GenerateDataKey", "kms:Decrypt", and "kms:Encrypt" actions to the policies you use for accessing Athena. For information, see Configure access from Athena to encrypted metadata in the AWS Glue Data Catalog.
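The following added example (not AWS code) turns the permission rules from the two preceding sections into a small helper: it derives the minimum set of KMS actions for reading an encrypted dataset, writing encrypted query results, and using an encrypted Data Catalog, builds a key-policy statement granting only those actions, and validates an Athena result-encryption configuration against the supported options. The key ARN, bucket, and role name are constructed placeholders; the ResultConfiguration dictionary shape follows the Athena StartQueryExecution API, which this page does not show.

```python
"""Least-privilege KMS actions and result encryption settings for Athena.
Added example, not AWS's own code; identifiers below are constructed."""
from typing import Dict, List, Optional

# EncryptionOption values Athena accepts for query results; only the KMS
# options take a key. CSE_KMS is the one option without cross-Region support.
SUPPORTED_RESULT_ENCRYPTION = {"SSE_S3", "SSE_KMS", "CSE_KMS"}
KMS_OPTIONS = {"SSE_KMS", "CSE_KMS"}
CROSS_REGION_UNSUPPORTED = {"CSE_KMS"}


def kms_actions(read_dataset: bool = True, write_results: bool = False,
                glue_catalog_encrypted: bool = False) -> List[str]:
    """Return the minimum KMS actions this page lists for each activity."""
    actions = set()
    if read_dataset:
        actions.add("kms:Decrypt")  # minimum to read an encrypted dataset
    if write_results:  # encrypted query results need a data key as well
        actions.update({"kms:GenerateDataKey", "kms:Decrypt"})
    if glue_catalog_encrypted:  # encrypted Data Catalog metadata
        actions.update({"kms:GenerateDataKey", "kms:Decrypt", "kms:Encrypt"})
    return sorted(actions)


def key_policy_statement(principal_arn: str, actions: List[str]) -> Dict:
    """Key-policy statement that grants only the listed actions to one principal."""
    return {"Sid": "AthenaKeyUser", "Effect": "Allow",
            "Principal": {"AWS": principal_arn}, "Action": actions,
            "Resource": "*"}


def result_configuration(output_location: str, option: str,
                         kms_key: Optional[str] = None) -> Dict:
    """Build an Athena ResultConfiguration, rejecting unsupported options,
    KMS options with no key, and a key supplied for SSE_S3."""
    if option not in SUPPORTED_RESULT_ENCRYPTION:
        raise ValueError(f"unsupported encryption option: {option}")
    enc: Dict[str, str] = {"EncryptionOption": option}
    if option in KMS_OPTIONS:
        if not kms_key:
            raise ValueError(f"{option} requires a KMS key")
        enc["KmsKey"] = kms_key
    elif kms_key:
        raise ValueError("SSE_S3 uses an S3-managed key; no KMS key applies")
    return {"OutputLocation": output_location, "EncryptionConfiguration": enc}


def supports_cross_region(option: str) -> bool:
    """True if results encrypted with this option can be read across Regions."""
    return option in SUPPORTED_RESULT_ENCRYPTION and option not in CROSS_REGION_UNSUPPORTED
```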