

# Key management
<a name="key-management"></a>

Amazon Athena supports Amazon Key Management Service (Amazon KMS) to encrypt datasets in Amazon S3 and Athena query results. Amazon KMS uses customer managed keys to encrypt your Amazon S3 objects and relies on [envelope encryption](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#enveloping). 

In Amazon KMS, you can perform the following actions:
+  [Create keys](https://docs.amazonaws.cn/kms/latest/developerguide/create-keys.html) 
+  [Import your own key material for new customer managed keys](https://docs.amazonaws.cn/kms/latest/developerguide/importing-keys.html) 

**Note**  
Athena supports only symmetric keys for reading and writing data.

For more information, see [What is Amazon Key Management Service](https://docs.amazonaws.cn/kms/latest/developerguide/overview.html) in the *Amazon Key Management Service Developer Guide*, and [How Amazon Simple Storage Service uses Amazon KMS](https://docs.amazonaws.cn/kms/latest/developerguide/services-s3.html). To view the keys in your account that Amazon creates and manages for you, choose **Amazon managed keys** in the navigation pane of the Amazon KMS console.

If you are uploading or accessing objects encrypted by SSE-KMS, use Amazon Signature Version 4 for added security. For more information, see [Specifying the signature version in request authentication](https://docs.amazonaws.cn/AmazonS3/latest/userguide/UsingAWSSDK.html#specify-signature-version) in the *Amazon Simple Storage Service User Guide*.

If your Athena workloads encrypt a large amount of data, you can use Amazon S3 Bucket Keys to reduce costs. For more information, see [Reducing the cost of SSE-KMS with Amazon S3 Bucket keys](https://docs.amazonaws.cn/AmazonS3/latest/userguide/bucket-key.html) in the *Amazon Simple Storage Service User Guide*.
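
The following Python function is an added example, not part of the Athena documentation. It audits the settings this page discusses (symmetric key requirement, the key used for query results, and S3 Bucket Keys) against dictionaries shaped like the boto3 responses from `describe_key`, `get_work_group`, and `get_bucket_encryption`. The function name, finding names, and all sample values are assumptions constructed for illustration.

```python
# Added example: offline audit of the settings discussed on this page.
# Inputs are dicts shaped like boto3 responses; every value below is constructed.

def audit_athena_kms(key_desc, workgroup, bucket_enc):
    """Return findings for one KMS key, Athena workgroup and results bucket."""
    findings = []
    meta = key_desc["KeyMetadata"]
    # Athena supports only symmetric keys for reading and writing data.
    if (meta.get("KeySpec"), meta.get("KeyUsage")) != ("SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT"):
        findings.append("key-not-symmetric")
    # Disabled keys, or imported keys still waiting for key material, cannot encrypt.
    if meta.get("KeyState") != "Enabled":
        findings.append("key-not-enabled")

    # Query-result encryption: a KMS option must reference the audited key.
    enc = (workgroup["WorkGroup"].get("Configuration", {})
           .get("ResultConfiguration", {}).get("EncryptionConfiguration", {}))
    uses_kms = enc.get("EncryptionOption") in ("SSE_KMS", "CSE_KMS")
    if uses_kms and enc.get("KmsKey") not in (meta["Arn"], meta["KeyId"]):
        findings.append("results-use-other-key")

    # Bucket default encryption: SSE-KMS rules without S3 Bucket Keys cost more.
    rules = bucket_enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms" and not rule.get("BucketKeyEnabled"):
            findings.append("bucket-key-disabled")
    return findings

ARN = "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed
GOOD_KEY = {"KeyMetadata": {"KeyId": "EXAMPLE-KEY-ID", "Arn": ARN, "KeyState": "Enabled",
                            "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT"}}
BAD_KEY = {"KeyMetadata": {"KeyId": "EXAMPLE-KEY-ID", "Arn": ARN, "KeyState": "Disabled",
                           "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY"}}
WORKGROUP = {"WorkGroup": {"Name": "primary", "Configuration": {"ResultConfiguration": {
    "EncryptionConfiguration": {"EncryptionOption": "SSE_KMS", "KmsKey": ARN}}}}}
BUCKET_NO_BUCKET_KEY = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": ARN},
    "BucketKeyEnabled": False}]}}

if __name__ == "__main__":
    print(audit_athena_kms(BAD_KEY, WORKGROUP, BUCKET_NO_BUCKET_KEY))
```
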