Query data in a collaboration

Note

You can run queries only if the member who is responsible for paying query compute costs has joined the collaboration as an active member.

As the member who can query, you can do one of the following:

  • Build a SQL query manually using the SQL code editor.

  • Use the Analysis builder UI to build a query without having to write SQL code.

  • Use an approved analysis template.

When the member who can query runs a SQL query on the tables in the collaboration, AWS Clean Rooms assumes the relevant roles to access the tables on their behalf. AWS Clean Rooms applies the analysis rules as necessary to the input query and its output.

The analysis rules and output constraints are enforced automatically. AWS Clean Rooms only returns the results that comply with the defined analysis rules.

For queries on encrypted data, the member who can receive results receives encrypted output from AWS Clean Rooms and must decrypt it.

The SQL that AWS Clean Rooms supports can differ from the SQL of other query engines. For specifications, see the AWS Clean Rooms SQL Reference. If you want to run queries on data tables protected with differential privacy, ensure that your queries are compatible with the general-purpose query structure of AWS Clean Rooms Differential Privacy.

Note

When using Cryptographic Computing for Clean Rooms, not all SQL operations generate valid results. For example, you can run a COUNT on an encrypted column, but running a SUM on encrypted numbers leads to errors. Queries might also yield incorrect results without failing. For example, queries that SUM sealed columns produce errors, whereas a GROUP BY query over sealed columns appears to succeed but produces different groups than those produced by a GROUP BY query over the cleartext.
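
The COUNT and GROUP BY behavior described in the note above, as an added example (not AWS code). `seal` is a hypothetical toy stand-in that assumes each sealed value is encrypted with a fresh random nonce per row; it is not the Cryptographic Computing for Clean Rooms format, and the sample rows are constructed.

```python
import hashlib
import secrets
import sqlite3

# Constructed sample data: one "region" value per row.
ROWS = ["US", "US", "DE", "US"]


def seal(value: str, key: bytes) -> str:
    """Toy stand-in for a sealed cell (assumption, not the real format):
    a fresh random nonce per row, so equal cleartexts encrypt differently."""
    nonce = secrets.token_bytes(12)
    pad = hashlib.sha256(key + nonce).digest()  # toy keystream, values <= 32 bytes
    body = bytes(b ^ p for b, p in zip(value.encode(), pad))
    return (nonce + body).hex()


def compare_queries(rows=ROWS):
    """Run the same COUNT and GROUP BY over cleartext and sealed copies."""
    key = secrets.token_bytes(32)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clear_t (region TEXT)")
    db.execute("CREATE TABLE sealed_t (region TEXT)")
    for region in rows:
        db.execute("INSERT INTO clear_t VALUES (?)", (region,))
        db.execute("INSERT INTO sealed_t VALUES (?)", (seal(region, key),))

    def scalar(sql):
        return db.execute(sql).fetchone()[0]

    def groups(table):
        sql = f"SELECT region, COUNT(*) FROM {table} GROUP BY region"
        return db.execute(sql).fetchall()

    return {
        # COUNT only counts non-NULL cells, so encryption does not change it.
        "count_clear": scalar("SELECT COUNT(region) FROM clear_t"),
        "count_sealed": scalar("SELECT COUNT(region) FROM sealed_t"),
        # GROUP BY compares cell values; every sealed cell is distinct, so the
        # query succeeds but returns one group per row.
        "groups_clear": groups("clear_t"),
        "groups_sealed": groups("sealed_t"),
    }


if __name__ == "__main__":
    result = compare_queries()
    print("COUNT clear/sealed:", result["count_clear"], result["count_sealed"])
    print("GROUP BY clear :", result["groups_clear"])
    print("GROUP BY sealed:", len(result["groups_sealed"]), "groups")
```
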

The member paying for query compute costs is charged for the queries run in the collaboration.

The following topics explain how to query data in a collaboration using the AWS Clean Rooms console.

For information about how to query data or view queries by calling the AWS Clean Rooms StartProtectedQuery API operation directly or by using the AWS SDKs, see the AWS Clean Rooms API Reference.

For information about query logging, see Query logging in AWS Clean Rooms.

Note

If you run a query on encrypted data tables, the results from the encrypted columns are encrypted.

For information about receiving query results, see Receiving and using query results.