Amazon Athena
User Guide


Encryption at Rest

You can run queries in Amazon Athena on encrypted data in Amazon S3 in the same Region. You can also encrypt the query results in Amazon S3 and the data in the AWS Glue Data Catalog.

You can encrypt the following assets in Athena:

  • Source datasets in Amazon S3 that Athena queries

  • Query results that Athena writes to Amazon S3

  • Metadata in the AWS Glue Data Catalog

Supported Amazon S3 Encryption Options

Athena supports the following Amazon S3 encryption options, both for encrypted datasets in Amazon S3 in the same Region and for encrypted query results:

  • Server-side encryption (SSE) with an Amazon S3-managed key (SSE-S3)

  • Server-side encryption (SSE) with an AWS Key Management Service customer managed key (SSE-KMS)

  • Client-side encryption (CSE) with an AWS KMS customer managed key (CSE-KMS)


With SSE-KMS, Athena does not require you to indicate that data is encrypted when creating a table.

For more information about AWS KMS encryption with Amazon S3, see What is AWS Key Management Service and How Amazon Simple Storage Service (Amazon S3) Uses AWS KMS in the AWS Key Management Service Developer Guide.

Athena does not support SSE with customer-provided keys (SSE-C), nor does it support client-side encryption using a client-side master key. To compare Amazon S3 encryption options, see Protecting Data Using Encryption in the Amazon Simple Storage Service Developer Guide.

Athena does not support running queries from one Region on encrypted data stored in Amazon S3 in another Region.


The setup for querying an encrypted dataset in Amazon S3 and the options in Athena to encrypt query results are independent. Each option is enabled and configured separately. You can use different encryption methods or keys for each. This means that reading encrypted data in Amazon S3 doesn't automatically encrypt Athena query results in Amazon S3. The opposite is also true. Encrypting Athena query results in Amazon S3 doesn't encrypt the underlying dataset in Amazon S3.

Regardless of whether you use options for encrypting data at rest in Amazon S3, Transport Layer Security (TLS) encrypts objects in transit between Athena resources and between Athena and Amazon S3. Query results that stream to JDBC or ODBC clients are also encrypted using TLS.

Permissions to Encrypted Data in Amazon S3

Depending on the type of encryption you use in Amazon S3, you may need to add permissions, also known as "Allow" actions, to your policies used in Athena:

  • SSE-S3 – If you use SSE-S3 for encryption, Athena users require no additional permissions in their policies. It is sufficient to have the appropriate Amazon S3 permissions for the appropriate Amazon S3 location and for Athena actions. For more information about policies that allow appropriate Athena and Amazon S3 permissions, see IAM Policies for User Access and Amazon S3 Permissions.

  • AWS KMS – If you use AWS KMS for encryption, Athena users must be allowed to perform particular AWS KMS actions in addition to Athena and Amazon S3 permissions. You allow these actions by editing the key policy for the AWS KMS customer managed keys (CMKs) that are used to encrypt data in Amazon S3. The easiest way to do this is to use the IAM console to add key users to the appropriate AWS KMS key policies. For information about how to add a user to an AWS KMS key policy, see How to Modify a Key Policy in the AWS Key Management Service Developer Guide.


    If you administer key policies directly, the minimum actions are as follows. To read an encrypted dataset, an Athena user needs kms:Decrypt. To write and later read encrypted query results, the user needs kms:GenerateDataKey (used when each result object is written) and kms:Decrypt. Amazon S3 makes these AWS KMS calls on the querying user's behalf, so it is the user's own identity that must be allowed in the key policy; grant nothing broader, such as kms:* or kms:Encrypt, unless the user has another reason to need it.

    When Athena queries a dataset in Amazon S3 made up of a large number of objects that are encrypted with AWS KMS, each object read is a separate AWS KMS request, so AWS KMS may throttle the query. This is more likely when there are a large number of small objects; compacting them into fewer, larger objects reduces the number of AWS KMS calls. Athena retries with backoff, but a throttling error might still occur. In this case, visit the AWS Support Center and create a case to increase your limit. For more information about limits and AWS KMS throttling, see Limits in the AWS Key Management Service Developer Guide.
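    The following is an added example, not part of the Athena User Guide: it builds a least-privilege AWS KMS key policy with the minimum actions described above (kms:Decrypt for dataset readers, kms:GenerateDataKey plus kms:Decrypt for users who write query results) and checks which of those actions a given principal is missing. The account ID, role ARNs and statement IDs are hypothetical; the root-administrator statement is the usual KMS pattern for keeping the key manageable and is not something the page specifies.

```python
"""Added example (not from the Athena User Guide): build a minimal AWS KMS key
policy for a key that protects an Athena dataset and Athena query results, and
check a policy for the minimum actions the page names.

Assumptions: the account ID and role ARNs are constructed for illustration;
the kms:Decrypt / kms:GenerateDataKey minimums come from the page.
"""
import json

ACCOUNT = "111122223333"  # constructed example account ID
READ_ONLY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/athena-dataset-reader"  # hypothetical
ANALYST_ROLE = f"arn:aws:iam::{ACCOUNT}:role/athena-analyst"            # hypothetical

# Minimum actions from the page: reading an encrypted dataset needs kms:Decrypt;
# writing (and later reading) encrypted query results needs kms:GenerateDataKey
# and kms:Decrypt. Amazon S3 issues these KMS calls with the querying user's identity.
DATASET_READ_ACTIONS = {"kms:Decrypt"}
QUERY_RESULT_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}


def athena_key_policy(account: str, readers: list, analysts: list) -> dict:
    """Return a KMS key policy with least-privilege statements for Athena users.
    The first statement keeps the account root as key administrator so the key
    never becomes unmanageable (standard KMS practice, not taken from the page)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableRootAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AthenaDatasetReaders",
                "Effect": "Allow",
                "Principal": {"AWS": readers},
                "Action": sorted(DATASET_READ_ACTIONS),
                "Resource": "*",
            },
            {
                "Sid": "AthenaQueryResultWriters",
                "Effect": "Allow",
                "Principal": {"AWS": analysts},
                "Action": sorted(QUERY_RESULT_ACTIONS),
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_kms_actions(policy: dict, principal_arn: str) -> set:
    """Actions the key policy explicitly allows for one principal ARN.
    Only simple Allow statements like the ones above are understood: no
    Condition blocks, no Deny evaluation, and the only wildcard is 'kms:*'."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # e.g. "Principal": "*" is deliberately not expanded
        if principal_arn not in _as_list(principal.get("AWS", [])):
            continue
        allowed.update(_as_list(stmt["Action"]))
    if "kms:*" in allowed:
        allowed |= DATASET_READ_ACTIONS | QUERY_RESULT_ACTIONS
    return allowed


def missing_actions(policy: dict, principal_arn: str, needed: set) -> set:
    """Which of the needed actions the policy does not grant to the principal."""
    return set(needed) - allowed_kms_actions(policy, principal_arn)


if __name__ == "__main__":
    policy = athena_key_policy(ACCOUNT, [READ_ONLY_ROLE], [ANALYST_ROLE])
    print(json.dumps(policy, indent=2))
    # A dataset-only reader is missing GenerateDataKey for encrypted query results.
    print("reader lacks:", missing_actions(policy, READ_ONLY_ROLE, QUERY_RESULT_ACTIONS))
```

    If the key policy instead delegates to IAM (the root statement above does that for the account), the same two actions can be granted in the user's IAM policy rather than in the key policy; the checker only inspects the key policy itself.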

Encrypting Query Results Stored in Amazon S3

You set up query result encryption using the Athena console. Workgroups allow you to enforce the encryption of query results.

If you connect using the JDBC or ODBC driver, you configure driver options to specify the type of encryption to use and the Amazon S3 staging directory location. To configure the JDBC or ODBC driver to encrypt your query results using any of the encryption protocols that Athena supports, see Connecting to Amazon Athena with ODBC and JDBC Drivers.

You can configure the setting for encryption of query results in two ways:

  • Client-side settings – When you use Settings in the console or the API operations to indicate that you want to encrypt query results, this is known as using client-side settings. Client-side settings include query results location and encryption. If you specify them, they are used, unless they are overridden by the workgroup settings.

  • Workgroup settings – When you create or edit a workgroup and select the Override client-side settings field, then all queries that run in this workgroup use the workgroup settings. For more information, see Workgroup Settings Override Client-Side Settings. Workgroup settings include query results location and encryption.

To encrypt query results stored in Amazon S3 using the console


If your workgroup has the Override client-side settings field selected, then the queries use the workgroup settings. The encryption configuration and the query results location listed in Settings, the API operations, and the drivers are not used. For more information, see Workgroup Settings Override Client-Side Settings.

  1. In the Athena console, choose Settings.

  2. For Query result location, enter a custom value or leave the default. This is the Amazon S3 staging directory where query results are stored.

  3. Choose Encrypt query results.

  4. For Encryption type, choose CSE-KMS, SSE-KMS, or SSE-S3.

  5. If you chose SSE-KMS or CSE-KMS, specify the Encryption key.

    • If your account has access to an existing AWS KMS customer managed key (CMK), choose its alias or choose Enter a KMS key ARN and then enter an ARN.

    • If your account does not have access to an existing AWS KMS customer managed key (CMK), choose Create KMS key, and then open the AWS KMS console. In the navigation pane, choose Customer managed keys and create a key in the same Region as your data. For more information, see Creating Keys in the AWS Key Management Service Developer Guide.

  6. Return to the Athena console to specify the key by alias or ARN as described in the previous step.

  7. Choose Save.
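The same configuration expressed through the API, as an added example that is not part of the Athena User Guide: it builds the request bodies for creating a workgroup that enforces SSE-KMS on query results and for starting a query with client-side result settings, and resolves which settings a query actually uses under the override rule described above. The bucket names, workgroup name and key ARN are hypothetical; the request shapes are those of the boto3 Athena client (create_work_group and start_query_execution), which is only imported inside run_query() so that everything else runs offline.

```python
"""Added example (not from the Athena User Guide): Athena query-result
encryption settings at the client and workgroup level, and the precedence
between them.

Assumptions: S3 locations, workgroup name and key ARN are constructed;
the request dictionaries follow the boto3 Athena client's parameter shapes.
"""
from typing import Optional

RESULT_BUCKET = "s3://example-athena-results/"  # hypothetical
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "00000000-0000-0000-0000-000000000000")  # hypothetical

SUPPORTED = ("SSE_S3", "SSE_KMS", "CSE_KMS")  # the options the page lists


def encryption_config(option: str, kms_key: Optional[str] = None) -> dict:
    """EncryptionConfiguration as Athena expects it. SSE-KMS and CSE-KMS need
    a key alias or ARN; SSE-S3 must not carry one."""
    if option not in SUPPORTED:
        raise ValueError(f"unsupported option {option!r}: Athena supports only "
                         f"{SUPPORTED} (no SSE-C, no client-side master keys)")
    if option == "SSE_S3":
        if kms_key:
            raise ValueError("SSE_S3 takes no KmsKey")
        return {"EncryptionOption": option}
    if not kms_key:
        raise ValueError(f"{option} requires a KmsKey alias or ARN")
    return {"EncryptionOption": option, "KmsKey": kms_key}


def result_config(output_location: str, option: str,
                  kms_key: Optional[str] = None) -> dict:
    """ResultConfiguration: the staging location plus how results are encrypted."""
    return {"OutputLocation": output_location,
            "EncryptionConfiguration": encryption_config(option, kms_key)}


def workgroup_request(name: str, output_location: str, option: str,
                      kms_key: Optional[str] = None, enforce: bool = True) -> dict:
    """Keyword arguments for athena.create_work_group(). enforce=True is the
    console's 'Override client-side settings' checkbox."""
    return {
        "Name": name,
        "Configuration": {
            "ResultConfiguration": result_config(output_location, option, kms_key),
            "EnforceWorkGroupConfiguration": enforce,
        },
    }


def effective_result_config(workgroup: dict, client: Optional[dict]) -> dict:
    """Settings a query in this workgroup actually uses: the workgroup's when it
    enforces its configuration, otherwise the client-side settings, falling
    back to the workgroup's when the client sent none."""
    cfg = workgroup["Configuration"]
    if cfg.get("EnforceWorkGroupConfiguration") or client is None:
        return cfg["ResultConfiguration"]
    return client


def run_query(sql: str, database: str, workgroup_name: str,
              client_cfg: Optional[dict] = None) -> str:
    """Submit a query with boto3 (a real call that needs AWS credentials) and
    return the QueryExecutionId. Any client_cfg passed here is ignored by Athena
    when the workgroup enforces its own configuration."""
    import boto3  # imported here so the rest of the module works offline
    athena = boto3.client("athena")
    kwargs = {"QueryString": sql,
              "QueryExecutionContext": {"Database": database},
              "WorkGroup": workgroup_name}
    if client_cfg:
        kwargs["ResultConfiguration"] = client_cfg
    return athena.start_query_execution(**kwargs)["QueryExecutionId"]


if __name__ == "__main__":
    wg = workgroup_request("secure-analysts", RESULT_BUCKET, "SSE_KMS", KMS_KEY_ARN)
    scratch = result_config("s3://unencrypted-scratch/", "SSE_S3")
    # The enforcing workgroup wins over the weaker client-side choice.
    print(effective_result_config(wg, scratch))
```

Creating the workgroup with EnforceWorkGroupConfiguration set is the only way to guarantee the encryption setting: a user who can call StartQueryExecution can otherwise pass any ResultConfiguration they like.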

Creating Tables Based on Encrypted Datasets in Amazon S3

When you create a table, indicate to Athena that a dataset is encrypted in Amazon S3. This is not required when using SSE-KMS. For both SSE-S3 and AWS KMS encryption, Athena determines the proper materials to use to decrypt the dataset and create the table, so you don't need to provide key information.

Users that run queries, including the user who creates the table, must have the appropriate permissions as described earlier in this topic.


If you use Amazon EMR along with EMRFS to upload encrypted Parquet files, you must disable multipart uploads by setting fs.s3n.multipart.uploads.enabled to false. If you don't do this, Athena is unable to determine the Parquet file length and a HIVE_CANNOT_OPEN_SPLIT error occurs. For more information, see Configure Multipart Upload for Amazon S3 in the Amazon EMR Management Guide.

Indicate that the dataset is encrypted in Amazon S3 in one of the following ways. This step is not required if SSE-KMS is used.

  • Use the CREATE TABLE statement with a TBLPROPERTIES clause that specifies 'has_encrypted_data'='true'.

  • Use the JDBC driver and set the same TBLPROPERTIES value as in the previous bullet when you execute CREATE TABLE using statement.executeQuery().

  • Use the Add table wizard in the Athena console, and then choose Encrypted data set when you specify a value for Location of input data set.

Tables based on encrypted data in Amazon S3 appear in the Database list with an encryption icon.
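An added example, not part of the Athena User Guide, of generating that DDL: the function below emits a CREATE EXTERNAL TABLE statement for a dataset in Amazon S3 and adds 'has_encrypted_data'='true' to TBLPROPERTIES only when the dataset's encryption option requires it (SSE-S3 or CSE-KMS, since the page says the flag is not needed for SSE-KMS). The database, table, columns and S3 location are hypothetical; no key material appears in the DDL because Athena determines it itself.

```python
"""Added example (not from the Athena User Guide): CREATE TABLE DDL for an
encrypted dataset in Amazon S3, with the has_encrypted_data flag set only
when the page says it is needed.

Assumptions: the identifiers and S3 prefix are constructed; the default
storage format is Parquet.
"""

# Dataset encryption options the page lists; SSE-KMS needs no flag.
DATASET_OPTIONS = {"SSE_S3", "SSE_KMS", "CSE_KMS"}


def needs_encrypted_flag(encryption: str) -> bool:
    """True when CREATE TABLE must carry 'has_encrypted_data'='true'."""
    if encryption not in DATASET_OPTIONS:
        raise ValueError(f"unsupported option {encryption!r}: Athena supports only "
                         f"{sorted(DATASET_OPTIONS)} for datasets")
    return encryption != "SSE_KMS"


def _quote(value: str) -> str:
    """Single-quote a string literal for DDL, doubling embedded quotes so a
    location or property value cannot break out of the literal."""
    return "'" + value.replace("'", "''") + "'"


def create_table_ddl(database: str, table: str, columns: dict, location: str,
                     encryption: str, storage_format: str = "PARQUET") -> str:
    """Build the CREATE EXTERNAL TABLE statement for a dataset at `location`.
    `columns` maps column name to Athena type, in order."""
    flag = needs_encrypted_flag(encryption)
    if not location.startswith("s3://") or not location.endswith("/"):
        raise ValueError("location must be an S3 prefix such as s3://bucket/prefix/")
    cols = ",\n  ".join(f"`{name}` {typ}" for name, typ in columns.items())
    ddl = (f"CREATE EXTERNAL TABLE IF NOT EXISTS `{database}`.`{table}` (\n"
           f"  {cols}\n)\n"
           f"STORED AS {storage_format}\n"
           f"LOCATION {_quote(location)}")
    if flag:
        props = {"has_encrypted_data": "true"}
        ddl += "\nTBLPROPERTIES (" + ", ".join(
            f"{_quote(k)}={_quote(v)}" for k, v in props.items()) + ")"
    return ddl


if __name__ == "__main__":
    cols = {"event_time": "timestamp", "user_id": "string", "outcome": "string"}
    print(create_table_ddl("logs", "auth_events", cols,
                           "s3://example-logs/auth/", "SSE_S3"))
    print()
    print(create_table_ddl("logs", "auth_events", cols,
                           "s3://example-logs/auth/", "SSE_KMS"))
```

The statement can be submitted through the console, the JDBC driver, or StartQueryExecution; whichever path is used, the calling identity still needs the AWS KMS permissions described under Permissions to Encrypted Data in Amazon S3 when the dataset uses AWS KMS.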

Permissions to Encrypted Metadata in the AWS Glue Data Catalog

If you encrypt metadata in the AWS Glue Data Catalog, you must add "kms:GenerateDataKey", "kms:Decrypt", and "kms:Encrypt" actions to the policies you use for accessing Athena. For information, see Access to Encrypted Metadata in the AWS Glue Data Catalog.