Encrypting Athena query results stored in Amazon S3 - Amazon Athena
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Encrypting Athena query results stored in Amazon S3

You set up query result encryption using the Athena console or when using JDBC or ODBC. Workgroups allow you to enforce the encryption of query results.

In the console, you can configure the setting for encryption of query results in two ways:

  • Client-side settings – When you use Settings in the console or the API operations to indicate that you want to encrypt query results, this is known as using client-side settings. Client-side settings include query results location and encryption. If you specify them, they are used, unless they are overridden by the workgroup settings.

  • Workgroup settings – When you create or edit a workgroup and select the Override client-side settings field, then all queries that run in this workgroup use the workgroup encryption and query results location settings. For more information, see Workgroup settings override client-side settings.

To encrypt query results stored in Amazon S3 using the console

If your workgroup has the Override client-side settings field selected, then all queries in the workgroup use the workgroup settings. The encryption configuration and the query results location specified on the Settings tab in the Athena console, by API operations and by JDBC and ODBC drivers are not used. For more information, see Workgroup settings override client-side settings.

  1. In the Athena console, choose Settings.

    The Settings tab of the Athena query editor.
  2. Choose Manage.

  3. For Location of query result, enter or choose an Amazon S3 path. This is the Amazon S3 location where query results are stored.

  4. Choose Encrypt query results.

    The Encrypt query results option on the Manage settings page of the Athena console.
  5. For Encryption type, choose CSE-KMS, SSE-KMS, or SSE-S3. Of these three, CSE-KMS offers the highest level of encryption and SSE-S3 the lowest.

  6. If you chose SSE-KMS or CSE-KMS, specify an Amazon KMS key.

    • For Choose an Amazon KMS key, if your account has access to an existing Amazon KMS customer managed key (CMK), choose its alias or enter an Amazon KMS key ARN.

    • If your account does not have access to an existing customer managed key (CMK), choose Create an Amazon KMS key, and then open the Amazon KMS console. For more information, see Creating keys in the Amazon Key Management Service Developer Guide.


      Athena supports only symmetric keys for reading and writing data.

  7. Return to the Athena console and choose the key that you created by alias or ARN.

  8. Choose Save.

Encrypting Athena query results when using JDBC or ODBC

If you connect using the JDBC or ODBC driver, you configure driver options to specify the type of encryption to use and the Amazon S3 staging directory location. To configure the JDBC or ODBC driver to encrypt your query results using any of the encryption protocols that Athena supports, see Connecting to Amazon Athena with ODBC and JDBC drivers.