Internetwork traffic privacy

Traffic is protected both between Athena and on-premises applications and between Athena and Amazon S3. Traffic between Athena and other services, such as Amazon Glue and Amazon Key Management Service, uses HTTPS by default.

For traffic between Athena and on-premises clients and applications, query results that stream to JDBC or ODBC clients are encrypted using Transport Layer Security (TLS).

You can use one of the connectivity options between your private network and Amazon:
- A Site-to-Site VPN Amazon VPN connection. For more information, see What is Site-to-Site VPN Amazon VPN in the Amazon Site-to-Site VPN User Guide.
- An Amazon Direct Connect connection. For more information, see What is Amazon Direct Connect in the Amazon Direct Connect User Guide.
For traffic between Athena and Amazon S3 buckets, Transport Layer Security (TLS) encrypts objects in-transit between Athena and Amazon S3, and between Athena and customer applications accessing it, you should allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition on Amazon S3 bucket IAM policies. Although Athena currently uses the public endpoint to access data in Amazon S3 buckets, this does not mean that the data traverses the public internet. All traffic between Athena and Amazon S3 is routed over the Amazon network and is encrypted using TLS.
Compliance programs – Amazon Athena complies with multiple Amazon compliance programs, including SOC, PCI, FedRAMP, and others. For more information, see Amazon Web Services in scope by compliance program.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Key management

Identity and access management