AWS Athena Query Results are not encrypted with the Customer Master Key (CMK)


AWS Athena lets you run ad-hoc SQL queries against data stored in Amazon S3 and writes every query's result set (and its metadata) to an S3 location. By default Athena does not request a particular key for those objects, so they are protected only by whatever default encryption the result bucket has, which is Amazon S3 managed keys (SSE-S3) unless you have configured otherwise. Query results can contain the same sensitive data as the source tables, so they should be encrypted with a Customer Master Key (CMK, now called a customer managed key in AWS documentation) in AWS Key Management Service (KMS): that gives you a key policy you control, CloudTrail records of every decrypt against the key, and the ability to revoke access or disable the key.


1. Encrypt Athena Query Results with CMK:

AWS Management Console:
  • Navigate to the Athena service.
  • In the Athena console, select Settings (in newer consoles this is the Settings tab of your workgroup under Workgroups).
  • Under Query result location, note the S3 bucket where results are stored.
  • Navigate to that bucket in the S3 console.
  • Under Properties, select Default encryption and choose Edit.
  • Choose Server-side encryption with AWS Key Management Service keys (SSE-KMS) and select your customer managed key. Do not pick the AWS managed key (aws/s3): it is also SSE-KMS, but its key policy cannot be edited, so it gives none of the access control a CMK is meant to provide.
  • Bucket default encryption only applies to objects written without an explicit encryption header. To make the key mandatory, also edit the workgroup's query result configuration to encrypt query results with SSE_KMS and the same key, and enable Override client-side settings so that a client cannot submit queries with a different (or no) encryption setting.

AWS CLI:

You can set CMK default encryption on the result bucket with the following command:

aws s3api put-bucket-encryption \
    --bucket <BUCKET-NAME> \
    --server-side-encryption-configuration '{
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "<YOUR-KMS-KEY-ID>"
                }
            }
        ]
    }'

Replace <BUCKET-NAME> with the name of your S3 bucket and <YOUR-KMS-KEY-ID> with the key ID or ARN of your CMK (use the full ARN if the key lives in another account). Verify the change with aws s3api get-bucket-encryption --bucket <BUCKET-NAME>, which should report "SSEAlgorithm": "aws:kms" together with your key.

Terraform:

resource "aws_kms_key" "athena_results" {
  description         = "KMS key for Athena query results"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "athena_results" {
  bucket = "<BUCKET-NAME>"
}

# With AWS provider v4 and later, bucket default encryption is its own resource;
# the inline server_side_encryption_configuration block on aws_s3_bucket is deprecated.
resource "aws_s3_bucket_server_side_encryption_configuration" "athena_results" {
  bucket = aws_s3_bucket.athena_results.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.athena_results.arn
    }
  }
}

Replace <BUCKET-NAME> with the name of your S3 bucket.
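To check the remediation against what the APIs actually return, here is an added audit script written for this page; it is not part of the original page or of any AWS tool. It evaluates the JSON shapes returned by aws athena get-work-group and aws s3api get-bucket-encryption, and treats the results as compliant only when both the workgroup result configuration and the bucket default encryption point at an approved customer managed key. The key ARN, bucket and workgroup names and the sample responses are constructed placeholders, not captured from a real account.

```python
"""Audit Athena query-result encryption against an approved customer managed KMS key.
Added example for this page; it consumes the output of `aws athena get-work-group`
and `aws s3api get-bucket-encryption` (here: constructed samples, not a real account)."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed placeholder: the customer managed key(s) results may be encrypted with.
APPROVED_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
APPROVED_KEY_ARNS = {APPROVED_KEY}


@dataclass
class Finding:
    compliant: bool
    reasons: list[str] = field(default_factory=list)


def bucket_from_output_location(output_location: str) -> str:
    """Bucket name from an Athena OutputLocation such as s3://bucket/prefix/."""
    parsed = urlparse(output_location)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError(f"unexpected Athena OutputLocation: {output_location!r}")
    return parsed.netloc


def key_is_approved(key_ref: str | None) -> bool:
    """Exact allow-list match. Seeing 'aws:kms' is not enough: the AWS managed key
    (alias aws/s3) is also SSE-KMS but its key policy cannot be edited, and a bare
    key ID or alias does not reveal who manages it without kms:DescribeKey."""
    return key_ref in APPROVED_KEY_ARNS


def evaluate_workgroup(resp: dict) -> Finding:
    """Check ResultConfiguration in an `aws athena get-work-group` response."""
    cfg = resp["WorkGroup"].get("Configuration", {})
    enc = cfg.get("ResultConfiguration", {}).get("EncryptionConfiguration")
    reasons: list[str] = []
    if enc is None:
        reasons.append("workgroup sets no EncryptionConfiguration; results rely on the bucket default")
    elif enc.get("EncryptionOption") not in ("SSE_KMS", "CSE_KMS"):
        reasons.append(f"EncryptionOption {enc.get('EncryptionOption')!r} does not use KMS")
    elif not key_is_approved(enc.get("KmsKey")):
        reasons.append(f"KmsKey {enc.get('KmsKey')!r} is not an approved customer managed key")
    if not cfg.get("EnforceWorkGroupConfiguration", False):
        reasons.append("EnforceWorkGroupConfiguration is false; clients can override result settings")
    return Finding(not reasons, reasons)


def evaluate_bucket(resp: dict) -> Finding:
    """Check default-encryption rules in an `aws s3api get-bucket-encryption` response."""
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    reasons: list[str] = []
    if not rules:
        reasons.append("bucket has no default encryption rule")
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            reasons.append(f"default SSEAlgorithm {default.get('SSEAlgorithm')!r} is not aws:kms")
        elif not key_is_approved(default.get("KMSMasterKeyID")):
            reasons.append(f"KMSMasterKeyID {default.get('KMSMasterKeyID')!r} is not an approved key")
    return Finding(not reasons, reasons)


def evaluate(workgroup_resp: dict, bucket_resp: dict) -> Finding:
    """Compliant only if both layers hold: the workgroup requests the approved key
    and the bucket falls back to it for any object written without an explicit key."""
    wg, bucket = evaluate_workgroup(workgroup_resp), evaluate_bucket(bucket_resp)
    return Finding(wg.compliant and bucket.compliant, wg.reasons + bucket.reasons)


# Constructed sample responses, shaped like the real CLI/boto3 output.
SAMPLE_WORKGROUP_OK = {"WorkGroup": {"Name": "analytics", "State": "ENABLED", "Configuration": {
    "ResultConfiguration": {
        "OutputLocation": "s3://example-athena-results/analytics/",
        "EncryptionConfiguration": {"EncryptionOption": "SSE_KMS", "KmsKey": APPROVED_KEY}},
    "EnforceWorkGroupConfiguration": True}}}
SAMPLE_BUCKET_OK = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": APPROVED_KEY},
    "BucketKeyEnabled": True}]}}
# Unremediated: the default 'primary' workgroup with no encryption set, and a bucket left on SSE-S3.
SAMPLE_WORKGROUP_BAD = {"WorkGroup": {"Name": "primary", "State": "ENABLED", "Configuration": {
    "ResultConfiguration": {"OutputLocation": "s3://example-athena-results/primary/"},
    "EnforceWorkGroupConfiguration": False}}}
SAMPLE_BUCKET_BAD = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    for label, wg, bucket in (("remediated", SAMPLE_WORKGROUP_OK, SAMPLE_BUCKET_OK),
                              ("unremediated", SAMPLE_WORKGROUP_BAD, SAMPLE_BUCKET_BAD)):
        loc = wg["WorkGroup"]["Configuration"]["ResultConfiguration"]["OutputLocation"]
        finding = evaluate(wg, bucket)
        print(f"{label}: bucket={bucket_from_output_location(loc)} compliant={finding.compliant}")
        for reason in finding.reasons:
            print("  -", reason)
```

To run it against a real account, capture aws athena get-work-group --work-group <NAME> and aws s3api get-bucket-encryption --bucket <BUCKET-NAME> to files, parse them with json.load and pass the dictionaries to evaluate() in place of the samples. The allow-list of key ARNs is deliberate: a bucket can report "aws:kms" while using the AWS managed aws/s3 key, which satisfies a naive "is KMS" check but not the intent of this rule.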


For increased security and better control over your data, always ensure that sensitive query results stored by AWS Athena in S3 are encrypted with a CMK. A CMK gives you a key policy and grants for granular permissions, CloudTrail records of every cryptographic operation against the key, and the ability to disable the key or schedule its deletion if the results must be made unreadable. Remember that the IAM principals running queries need kms:GenerateDataKey (to write results) and kms:Decrypt (to read them) on that key, allowed by both the key policy and their IAM policies; otherwise queries fail with an access-denied error once the encryption setting is enforced.