Access from Athena to encrypted metadata in the Amazon Glue Data Catalog - Amazon Athena

Access from Athena to encrypted metadata in the Amazon Glue Data Catalog

If you use the Amazon Glue Data Catalog with Amazon Athena, you can enable encryption in the Amazon Glue Data Catalog using the Amazon Glue console or the API. For information, see Encrypting your data catalog in the Amazon Glue Developer Guide.

If the Amazon Glue Data Catalog is encrypted, you must add the following actions to all policies that are used to access Athena:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt",
            "kms:Encrypt"
        ],
        "Resource": "(arn of the key used to encrypt the catalog)"
    }
}
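To audit existing Athena access policies for this requirement, the following added example (not part of the AWS documentation) reports which of the three KMS actions a policy document fails to allow on the catalog key. The function names, the sample key ARN and the sample policy are constructed for illustration; `Condition`, `NotAction` and `NotResource` elements are not evaluated.

```python
import re

# Actions the page requires when the Data Catalog is encrypted.
REQUIRED = ("kms:GenerateDataKey", "kms:Decrypt", "kms:Encrypt")

# Constructed sample key ARN (placeholder account and key ID).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def _as_list(value):
    """IAM accepts a single string/object wherever it accepts a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case=False):
    """Match IAM-style wildcards: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None


def missing_kms_actions(policy, key_arn):
    """Return the required actions this policy does not allow on key_arn.

    Simplified: Condition, NotAction and NotResource are not evaluated, and
    only this one identity policy is considered (no key policy, SCPs, etc.).
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt or "NotResource" in stmt:
            continue
        if not any(_glob(r, key_arn) for r in _as_list(stmt.get("Resource"))):
            continue
        patterns = _as_list(stmt.get("Action"))
        # Action names are matched case-insensitively.
        hit = {a for a in REQUIRED if any(_glob(p, a, True) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= hit
        elif stmt.get("Effect") == "Deny":
            denied |= hit  # an explicit Deny overrides any Allow
    return [a for a in REQUIRED if a not in allowed or a in denied]


# Constructed policy: kms:Decrypt was granted but the other two actions were not.
PARTIAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}

if __name__ == "__main__":
    print(missing_kms_actions(PARTIAL, KEY_ARN))
```

An empty list means the policy grants all three actions on the key; any names returned are the actions still to be added.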

Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see Security best practices in IAM in the IAM User Guide.