Key management - Amazon Athena

Key management

Amazon Athena supports Amazon Key Management Service (Amazon KMS) to encrypt datasets in Amazon S3 and Athena query results. Amazon KMS uses customer managed keys (CMKs) to encrypt your Amazon S3 objects and relies on envelope encryption.

In Amazon KMS, you can perform the following actions:


Athena supports only symmetric keys for reading and writing data.

For more information, see What is Amazon Key Management Service in the Amazon Key Management Service Developer Guide, and How Amazon Simple Storage Service uses Amazon KMS. To view the keys in your account that Amazon creates and manages for you, in the navigation pane, choose Amazon managed keys.

If you are uploading or accessing objects encrypted by SSE-KMS, use Amazon Signature Version 4 for added security. For more information, see Specifying the signature version in request authentication in the Amazon Simple Storage Service User Guide.

If your Athena workloads encrypt a large amount of data, you can use Amazon S3 Bucket Keys to reduce costs. For more information, see Reducing the cost of SSE-KMS with Amazon S3 Bucket keys in the Amazon Simple Storage Service User Guide.
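An offline check of the two settings this page calls out, the symmetric-key requirement and S3 Bucket Keys for SSE-KMS, written as an added example rather than code from the documentation. The function name, finding codes and sample dictionaries are assumptions constructed here; the dictionaries mirror the response shapes of boto3's `kms.describe_key` (`KeyMetadata`) and `s3.get_bucket_encryption`.

```python
# Added example (not from the original page). Inputs are plain dicts shaped like
# boto3 responses, so the audit runs offline; all sample values are constructed.

def audit_athena_encryption(key_metadata, bucket_encryption):
    """Return (code, detail) findings for a KMS key and an S3 bucket."""
    findings = []

    # The page: Athena supports only symmetric keys for reading and writing data.
    spec = key_metadata.get("KeySpec")
    if spec != "SYMMETRIC_DEFAULT":
        findings.append(("KEY_NOT_SYMMETRIC", f"KeySpec is {spec}"))

    # A key outside the Enabled state cannot be used for encrypt/decrypt calls.
    state = key_metadata.get("KeyState")
    if state != "Enabled":
        findings.append(("KEY_NOT_ENABLED", f"KeyState is {state}"))

    # The page: S3 Bucket Keys reduce SSE-KMS cost for large encrypted workloads.
    config = bucket_encryption.get("ServerSideEncryptionConfiguration", {})
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms" and not rule.get("BucketKeyEnabled"):
            findings.append(("BUCKET_KEY_DISABLED", "SSE-KMS default without Bucket Key"))
    return findings


# Constructed samples: KeyMetadata from describe_key, and get_bucket_encryption output.
SAMPLE_SYMMETRIC_KEY = {"KeyId": "EXAMPLE-KEY-1", "KeySpec": "SYMMETRIC_DEFAULT",
                        "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled"}
SAMPLE_RSA_KEY = {"KeyId": "EXAMPLE-KEY-2", "KeySpec": "RSA_2048",
                  "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled"}

def sample_bucket(bucket_key_enabled):
    """Build a constructed SSE-KMS default-encryption response."""
    return {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": "EXAMPLE-KEY-1"},
        "BucketKeyEnabled": bucket_key_enabled}]}}

if __name__ == "__main__":
    for key in (SAMPLE_SYMMETRIC_KEY, SAMPLE_RSA_KEY):
        for enabled in (True, False):
            result = audit_athena_encryption(key, sample_bucket(enabled))
            print(key["KeyId"], "bucket_key=%s" % enabled, result or "ok")
```

Against a real account, pass `describe_key(...)["KeyMetadata"]` and the full `get_bucket_encryption(...)` response in place of the samples.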