You can specify CSE-KMS encryption in two ways – during the workgroup query results encryption configuration and in the client-side settings. For more information, see Encrypt Athena query results stored in Amazon S3. During the migration process, it's important to audit your existing workflows that read and write CSE-KMS data, identify workgroups where CSE-KMS is configured, and locate instances where CSE-KMS is set through client-side parameters.
Update workgroup query results encryption settings
To update encryption settings in the Athena console
- Open the Athena console at https://console.aws.amazon.com/athena/.
- In the Athena console navigation pane, choose Workgroups.
- On the Workgroups page, select the button for the workgroup that you want to edit.
- Choose Actions, Edit.
- Open Query result configuration and choose Encrypt query results.
- In the Encryption type section, choose the SSE_KMS encryption option.
- Enter your KMS key under Choose a different AWS KMS key (advanced).
- Choose Save changes. The updated workgroup appears in the list on the Workgroups page.
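The workgroup audit and the SSE_KMS update described above can also be scripted with boto3. This is an added example, not code from the AWS documentation: the function names, the sample workgroups and the `check-clients` label are assumptions made for illustration. It also flags workgroups that do not enforce their configuration, because client-side settings still apply there.

```python
# Constructed sample, shaped like athena.get_work_group()["WorkGroup"] responses.
SAMPLE = [
    {"Name": "analytics", "Configuration": {
        "EnforceWorkGroupConfiguration": True, "ResultConfiguration": {
            "EncryptionConfiguration": {"EncryptionOption": "CSE_KMS"}}}},
    {"Name": "adhoc", "Configuration": {
        "EnforceWorkGroupConfiguration": False, "ResultConfiguration": {}}},
    {"Name": "reports", "Configuration": {
        "EnforceWorkGroupConfiguration": True, "ResultConfiguration": {
            "EncryptionConfiguration": {"EncryptionOption": "SSE_KMS"}}}},
]

def classify(workgroup):
    """Return 'migrate', 'check-clients' or 'ok' for one workgroup."""
    cfg = workgroup.get("Configuration", {})
    enc = cfg.get("ResultConfiguration", {}).get("EncryptionConfiguration", {})
    if enc.get("EncryptionOption") == "CSE_KMS":
        return "migrate"
    # Without enforcement, client-side settings can still request CSE_KMS.
    if not cfg.get("EnforceWorkGroupConfiguration", False):
        return "check-clients"
    return "ok"

def audit(workgroups):
    """Map each workgroup name to its classification."""
    return {wg["Name"]: classify(wg) for wg in workgroups}

def build_update(name, kms_key_arn):
    """Keyword arguments for athena.update_work_group() selecting SSE_KMS."""
    return {"WorkGroup": name, "ConfigurationUpdates": {
        "ResultConfigurationUpdates": {"EncryptionConfiguration": {
            "EncryptionOption": "SSE_KMS", "KmsKey": kms_key_arn}}}}

def migrate_live(kms_key_arn, dry_run=True):
    """Audit a real account (needs boto3 and credentials); update if not dry_run."""
    import boto3
    athena, names, token = boto3.client("athena"), [], {}
    while True:
        page = athena.list_work_groups(**token)
        names += [wg["Name"] for wg in page["WorkGroups"]]
        if "NextToken" not in page:
            break
        token = {"NextToken": page["NextToken"]}
    groups = [athena.get_work_group(WorkGroup=n)["WorkGroup"] for n in names]
    for name, status in audit(groups).items():
        print(name, status)
        if status == "migrate" and not dry_run:
            athena.update_work_group(**build_update(name, kms_key_arn))
```

Run `migrate_live` with `dry_run=True` first and review the output before allowing it to change any workgroup.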
Update client-side query results encryption settings
To update your client-side settings for query results encryption from CSE-KMS to SSE-KMS, see Encrypt Athena query results stored in Amazon S3.
Note
- After you update the workgroup or client-side settings, any new data that you insert by write queries uses the SSE-KMS encryption instead of CSE-KMS. This is because query results encryption configurations also apply to newly inserted table data. Athena query result, metadata, and manifest files are also encrypted with SSE-KMS.
- Athena can still read tables with the has_encrypted_data table property even when there is a mix of CSE-KMS encrypted and SSE-S3/SSE-KMS objects.