# Encryption at rest You can run queries in Amazon Athena on encrypted data in Amazon S3 in the same Region and across a limited number of Regions. You can also encrypt the query results in Amazon S3 and the data in the AWS Glue Data Catalog. You can encrypt the following assets in Athena: + The results of all queries in Amazon S3, which Athena stores in a location known as the Amazon S3 results location. You can encrypt query results stored in Amazon S3 whether the underlying dataset is encrypted in Amazon S3 or not. For information, see [Encrypt Athena query results stored in Amazon S3](encrypting-query-results-stored-in-s3.md). + The data in the AWS Glue Data Catalog. For information, see [Permissions to encrypted metadata in the AWS Glue Data Catalog](#glue-encryption). **Note** When you use Athena to read an encrypted table, Athena uses the encryption options specified for the table data, not the encryption option for the query results. If separate encryption methods or keys are configured for query results and table data, Athena reads the table data without using the encryption option and key used to encrypt or decrypt the query results. However, if you use Athena to insert data into a table that has encrypted data, Athena uses the encryption configuration that was specified for the query results to encrypt the inserted data. For example, if you specify `CSE_KMS` encryption for query results, Athena uses the same AWS KMS key ID that you used for query results encryption to encrypt the inserted table data with `CSE_KMS`. **Topics** + [ ## Supported Amazon S3 encryption options ](#encryption-options-S3-and-Athena) + [ ## Permissions to encrypted data in Amazon S3 ](#permissions-for-encrypting-and-decrypting-data) + [ ## Permissions to encrypted metadata in the AWS Glue Data Catalog ](#glue-encryption) + [ # Migrate from CSE-KMS to SSE-KMS ](migrating-csekms-ssekms.md) + [ # Encrypt Athena query results stored in Amazon S3 ](encrypting-query-results-stored-in-s3.md) + [ # Create tables based on encrypted datasets in Amazon S3 ](creating-tables-based-on-encrypted-datasets-in-s3.md) ## Supported Amazon S3 encryption options Athena supports the following encryption options for datasets and query results in Amazon S3. | Encryption type | Description | Cross-Region support | | --- | --- | --- | | [SSE-S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) | Server side encryption (SSE) with an Amazon S3-managed key. | Yes | | [SSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html) (Recommended) | Server-side encryption (SSE) with an AWS Key Management Service customer managed key. | Yes | | [CSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html#client-side-encryption-kms-managed-master-key-intro) | Client-side encryption (CSE) with a AWS KMS customer managed key. In Athena, this option requires that you use a `CREATE TABLE` statement with a `TBLPROPERTIES` clause that specifies `'has_encrypted_data'='true'` or `'encryption_option'='CSE_KMS'` with `'kms_key'='kms_key_arn'`. For more information, see [Create tables based on encrypted datasets in Amazon S3](creating-tables-based-on-encrypted-datasets-in-s3.md). | No | For more information about AWS KMS encryption with Amazon S3, see [What is AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) and [How Amazon Simple Storage Service (Amazon S3) uses AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html) in the *AWS Key Management Service Developer Guide*. For more information about using SSE-KMS or CSE-KMS with Athena, see [Launch: Amazon Athena adds support for querying encrypted data](https://aws.amazon.com/blogs/aws/launch-amazon-athena-adds-support-for-querying-encrypted-data/) from the *AWS Big Data Blog*. ### Encryption recommendations When you encrypt and decrypt table data and query results with customer-managed KMS keys, we recommend that you use SSE-KMS encryption over SSE-S3 or CSE-KMS encryption methods. SSE-KMS provides a balance of control, simplicity, and performance that makes it a recommended method when you use managed KMS keys for data encryption. **Benefits of SSE-KMS over SSE-S3** + SSE-KMS allows you to specify and manage your own keys, providing greater control. You can define key policies, oversee key life cycles, and monitor key usage. **Benefits of SSE-KMS over CSE-KMS** + SSE-KMS eliminates the need for additional infrastructure to encrypt and decrypt data, unlike CSE-KMS which requires ongoing maintenance of an S3 encryption client. + CSE-KMS might face compatibility issues between newer and older S3 encryption clients due to evolving encryption algorithms, a problem SSE-KMS avoids. + SSE-KMS makes fewer API calls to the KMS service for key retrieval during the encryption and decryption processes, resulting in better performance compared to CSE-KMS. ### Unsupported options The following encryption options aren't supported: + SSE with customer-provided keys (SSE-C). + Client-side encryption using a client-side managed key. + Asymmetric keys. To compare Amazon S3 encryption options, see [Protecting data using encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html) in the *Amazon Simple Storage Service User Guide*. ### Tools for client-side encryption For client-side encryption, note that two tools are available: + [Amazon S3 encryption client](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/AmazonS3EncryptionClient.html) – This encrypts data for Amazon S3 only and is supported by Athena. + [AWS Encryption SDK](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html) – The SDK can be used to encrypt data anywhere across AWS but is not directly supported by Athena. These tools aren't compatible, and data encrypted using one tool cannot be decrypted by the other. Athena only supports the Amazon S3 Encryption Client directly. If you use the SDK to encrypt your data, you can run queries from Athena, but the data is returned as encrypted text. If you want to use Athena to query data that has been encrypted with the AWS Encryption SDK, you must download and decrypt your data, and then encrypt it again using the Amazon S3 Encryption Client. ## Permissions to encrypted data in Amazon S3 Depending on the type of encryption you use in Amazon S3, you might need to add permissions, also known as "Allow" actions, to your policies used in Athena: + **SSE-S3** – If you use SSE-S3 for encryption, Athena users require no additional permissions in their policies. It is sufficient to have the appropriate Amazon S3 permissions for the appropriate Amazon S3 location and for Athena actions. For more information about policies that allow appropriate Athena and Amazon S3 permissions, see [AWS managed policies for Amazon Athena](security-iam-awsmanpol.md) and [Control access to Amazon S3 from Athena](s3-permissions.md). + **AWS KMS** – If you use AWS KMS for encryption, Athena users must be allowed to perform particular AWS KMS actions in addition to Athena and Amazon S3 permissions. You allow these actions by editing the key policy for the customer managed key that are used to encrypt data in Amazon S3. To add key users to the appropriate AWS KMS key policies, you can use the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms). For information about how to add a user to a AWS KMS key policy, see [Allows key users to use the customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-users) in the *AWS Key Management Service Developer Guide*. **Note** Advanced key policy administrators can adjust key policies. `kms:Decrypt` is the minimum allowed action for an Athena user to work with an encrypted dataset. To work with encrypted query results, the minimum allowed actions are `kms:GenerateDataKey` and `kms:Decrypt`. When using Athena to query datasets in Amazon S3 with a large number of objects that are encrypted with AWS KMS, AWS KMS might throttle query results. This is more likely when there are a large number of small objects. Athena backs off retry requests, but a throttling error might still occur. If you are working with a large number of encrypted objects and experience this issue, one option is to enable Amazon S3 bucket keys to reduce the number of calls to KMS. For more information, see [Reducing the cost of SSE-KMS with Amazon S3 Bucket keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html) in the *Amazon Simple Storage Service User Guide*. Another option is to increase your service quotas for AWS KMS. For more information, see [Quotas](https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#requests-per-second) in the *AWS Key Management Service Developer Guide*. For troubleshooting information about permissions when using Amazon S3 with Athena, see the [Permissions](troubleshooting-athena.md#troubleshooting-athena-permissions) section of the [Troubleshoot issues in Athena](troubleshooting-athena.md) topic. ## Permissions to encrypted metadata in the AWS Glue Data Catalog If you [encrypt metadata in the AWS Glue Data Catalog](https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html), you must add `"kms:GenerateDataKey"`, `"kms:Decrypt"`, and `"kms:Encrypt"` actions to the policies you use for accessing Athena. For information, see [Configure access from Athena to encrypted metadata in the AWS Glue Data Catalog](access-encrypted-data-glue-data-catalog.md). # Migrate from CSE-KMS to SSE-KMS You can specify CSE-KMS encryption in two ways – during the workgroup query results encryption configuration and in the client-side settings. For more information, see [Encrypt Athena query results stored in Amazon S3](encrypting-query-results-stored-in-s3.md). During the migration process, it's important to audit your existing workflows that read and write CSE-KMS data, identify workgroups where CSE-KMS is configured, and locate instances where CSE-KMS is set through client-side parameters. ## Update workgroup query results encryption settings ------ #### [ Console ] **To update encryption settings in the Athena console** 1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/). 1. In the Athena console navigation pane, choose **Workgroups**. 1. On the **Workgroups** page, select the button for the workgroup that you want to edit. 1. Choose **Actions**, **Edit**. 1. Open **Query result configuration** and choose **Encrypt query results**. 1. For **Encryption type** section, choose **SSE\$1KMS** encryption option. 1. Enter your KMS key under **Choose a different AWS KMS key (advanced)**. 1. Choose **Save changes**. The updated workgroup appears in the list on the **Workgroups** page. ------ #### [ CLI ] Run the following command to update your query results encryption configuration to SSE-KMS in your workgroup. ``` aws athena update-work-group \ --work-group "my-workgroup" \ --configuration-updates '{ "ResultConfigurationUpdates": { "EncryptionConfiguration": { "EncryptionOption": "SSE_KMS", "KmsKey": "" } } }' ``` ------ ## Update client-side query results encryption settings ------ #### [ Console ] To update your client-side settings for query results encryption from CSE-KMS to SSE-KMS, see [Encrypt Athena query results stored in Amazon S3](encrypting-query-results-stored-in-s3.md). ------ #### [ CLI ] You can only specify query results encryption configuration in client-side settings with the `start-query-execution` command. If you run this CLI command and override the query results encryption configuration that you specified in your workgroup with CSE-KMS, change the command to encrypt query results using `SSE_KMS` as following. ``` aws athena start-query-execution \ --query-string "SELECT * FROM ;" \ --query-execution-context "Database=,Catalog=" \ --result-configuration '{ "EncryptionConfiguration": { "EncryptionOption": "SSE_KMS", "KmsKey": "" } }' \ --work-group "" ``` ------ **Note** After you update the workgroup or client-side settings, any new data that you insert by write queries uses the SSE-KMS encryption instead of CSE-KMS. This is because query results encryption configurations also apply to newly inserted table data. Athena query result, metadata, and manifest files are also encrypted with SSE-KMS. Athena can still read tables with the `has_encrypted_data` table property even when there are a mix of CSE-KMS encrypted and SSE-S3/SSE-KMS objects. # Convert CSE-KMS table data to SSE-KMS If your workflows currently use CSE-KMS for table data encryption, transition to SSE-KMS with the following steps. ## Prerequisite If you still write data using a CSE-KMS workgroup or client-side settings, follow the steps in [Migrate from CSE-KMS to SSE-KMS](migrating-csekms-ssekms.md) to update it to SSE-KMS. This prevents new CSE-KMS encrypted data from being added during the migration process from any other workflows that might write to the tables. ## Data migration 1. Check if the table has the `has_encrypted_data` property set to `true`. This property specifies that the table might contain CSE-KMS encrypted data. However, it's important to note that this property could be present even on tables without any actual CSE-KMS encrypted data. ------ #### [ Console ] 1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/). 1. Choose **Launch query editor**. 1. On the left side of the editor, under **Database**, choose the database that you want to query. 1. In the Query editor, run the following query to see the value set to the `has_encrypted_data table` property. ``` SHOW TBLPROPERTIES ('has_encrypted_data'); ``` ------ #### [ CLI ] Start Athena query that shows the value of the `has_encrypted_data` property on the table as shown in the following example. ``` aws athena start-query-execution \ --query-string "SHOW TBLPROPERTIES ('has_encrypted_data');" \ --work-group "" ``` Fetch query results to check the value of `has_encrypted_data` table property for the table as shown in the following example. ``` aws athena get-query-results --query-execution-id ``` ------ 1. For each CSE-KMS encrypted object in the table. 1. Download the object from S3 using the S3 encryption client and decrypt it. Here is an example with AWS Java SDK V2. **Imports** ``` import software.amazon.awssdk.core.ResponseInputStream; import software.amazon.awssdk.services.s3.model.GetObjectRequest; import software.amazon.awssdk.services.s3.model.GetObjectResponse; import software.amazon.encryption.s3.S3EncryptionClient; import software.amazon.encryption.s3.materials.Keyring; import software.amazon.encryption.s3.materials.KmsDiscoveryKeyring; ``` Code ``` final Keyring kmsDiscoveryKeyRing = KmsDiscoveryKeyring.builder() .enableLegacyWrappingAlgorithms(true) .build(); final S3EncryptionClient s3EncryptionClient = S3EncryptionClient.builder() .enableLegacyUnauthenticatedModes(true) .keyring(kmsDiscoveryKeyRing) .build(); GetObjectRequest getObjectRequest = GetObjectRequest.builder() .bucket("amzn-s3-demo-bucket") .key("") .build(); ResponseInputStream s3Object = s3EncryptionClient.getObject(getObjectRequest); ``` 1. Upload the object to S3 with the same name and SSE-KMS encryption. Here is an example with AWS Java SDK V2. **Imports** ``` import software.amazon.awssdk.core.ResponseInputStream; import software.amazon.awssdk.core.sync.RequestBody; import software.amazon.awssdk.services.s3.S3Client; import software.amazon.awssdk.services.s3.model.PutObjectRequest; import software.amazon.awssdk.services.s3.model.ServerSideEncryption; ``` **Code** ``` final S3Client s3Client = S3Client.builder() .build(); PutObjectRequest putObjectRequest = PutObjectRequest.builder() .bucket("amzn-s3-demo-bucket") .key("") .serverSideEncryption(ServerSideEncryption.AWS_KMS) .ssekmsKeyId("") .build(); s3Client.putObject(putObjectRequest, RequestBody.fromBytes(s3Object.readAllBytes())); ``` ## Post migration After successfully re-encrypting all CSE-KMS files in the table, perform the following steps. 1. Remove the `has_encrypted_data` property from the table. ------ #### [ Console ] 1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/). 1. Choose **Launch query editor**. 1. On the left side of the editor, under **Database**, choose the database that you want to query. 1. In the Query editor, run the following query for your table. ``` ALTER TABLE . UNSET TBLPROPERTIES ('has_encrypted_data') ``` ------ #### [ CLI ] Run the following command to remove the `has_encrypted_data` property from your table. ``` aws athena start-query-execution \ --query-string "ALTER TABLE . UNSET TBLPROPERTIES ('has_encrypted_data');" \ --work-group "" ``` ------ 1. Update your workflows to use a basic S3 client instead of a S3 encryption client and then specify SSE-KMS encryption for data writes. # Encrypt Athena query results stored in Amazon S3 You set up query result encryption using the Athena console or when using JDBC or ODBC. Workgroups allow you to enforce the encryption of query results. **Note** When you encrypt query results, Athena encrypts all objects written by the query. This includes the results of statements like `INSERT INTO`, `UPDATE`, and queries of data in Iceberg or other formats. In the console, you can configure the setting for encryption of query results in two ways: + **Client-side settings** – When you use **Settings** in the console or the API operations to indicate that you want to encrypt query results, this is known as using client-side settings. Client-side settings include query results location and encryption. If you specify them, they are used, unless they are overridden by the workgroup settings. + **Workgroup settings** – When you [create or edit a workgroup](creating-workgroups.md) and select the **Override client-side settings** field, then all queries that run in this workgroup use the workgroup encryption and query results location settings. For more information, see [Override client-side settings](workgroups-settings-override.md). **To encrypt query results stored in Amazon S3 using the console** **Important** If your workgroup has the **Override client-side settings** field selected, then all queries in the workgroup use the workgroup settings. The encryption configuration and the query results location specified on the **Settings** tab in the Athena console, by API operations and by JDBC and ODBC drivers aren't used. For more information, see [Override client-side settings](workgroups-settings-override.md). 1. In the Athena console, choose **Settings**. ![\[The Settings tab of the Athena query editor.\]](http://docs.aws.amazon.com/athena/latest/ug/images/settings.png) 1. Choose **Manage**. 1. For **Location of query result**, enter or choose an Amazon S3 path. This is the Amazon S3 location where query results are stored. 1. Choose **Encrypt query results**. ![\[The Encrypt query results option on the Manage settings page of the Athena console.\]](http://docs.aws.amazon.com/athena/latest/ug/images/encrypt-query-results.png) 1. For **Encryption type**, choose **CSE-KMS**, **SSE-KMS**, or **SSE-S3**. Of these three, **CSE-KMS** offers the highest level of encryption and **SSE-S3** the lowest. 1. If you chose **SSE-KMS** or **CSE-KMS**, specify an AWS KMS key. + For **Choose an AWS KMS key**, if your account has access to an existing AWS KMS customer managed key, choose its alias or enter an AWS KMS key ARN. + If your account doesn't have access to an existing customer managed key, choose **Create an AWS KMS key**, and then open the [AWS KMS console](https://console.aws.amazon.com/kms). For more information, see [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the *AWS Key Management Service Developer Guide*. **Note** Athena supports only symmetric keys for reading and writing data. 1. Return to the Athena console and choose the key that you created by alias or ARN. 1. Choose **Save**. ## Encrypt Athena query results when you use JDBC or ODBC If you connect using a JDBC or ODBC driver, you configure driver options to specify the type of encryption to use and the Amazon S3 staging directory location. To configure a JDBC or ODBC driver to encrypt your query results using any of the encryption protocols that Athena supports, see [Connect to Amazon Athena with ODBC and JDBC drivers](athena-bi-tools-jdbc-odbc.md). # Create tables based on encrypted datasets in Amazon S3 Athena can read and write to tables whose underlying datasets are SSE-S3, SSE-KMS, or CSE-KMS encrypted. Depending on the encryption option used for the table data and the type of queries ran, you will possibly have to specify some additional table properties in order to read and write encrypted data. ## Reading SSE-S3/SSE-KMS encrypted tables No additional table properties need to be specified on table creation in order to read SSE-S3/SSE-KMS encrypted datasets. Amazon S3 handles decrypting the SSE objects automatically. ## Reading CSE-KMS encrypted tables There are two different sets of table properties that can be specified in order for Athena to read CSE-KMS encrypted datasets, + Using the `encryption_option` and `kms_key` table properties (Recommended) + Using the `has_encrypted_data` table property **Important** If you use Amazon EMR along with EMRFS to upload CSE-KMS encrypted Parquet files, you must disable multipart uploads by setting `fs.s3n.multipart.uploads.enabled` to `false`. If you don't do this, Athena is unable to determine the Parquet file length and a **HIVE\$1CANNOT\$1OPEN\$1SPLIT** error occurs. For more information, see [Configure multipart upload for Amazon S3](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-upload-s3.html#Config_Multipart) in the *Amazon EMR Management Guide*. ### Using encryption\$1option and kms\$1key table properties In a [CREATE TABLE](create-table.md) statement, use a `TBLPROPERTIES` clause that specifies `encryption_option='CSE_KMS'` and `kms_key='aws_kms_key_arn'`, as in the following example. ``` CREATE EXTERNAL TABLE 'my_encrypted_data' ( `n_nationkey` int, `n_name` string, `n_regionkey` int, `n_comment` string) ROW FORMAT SERDE 'org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe' STORED AS INPUTFORMAT 'org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat' LOCATION 's3://amzn-s3-demo-bucket/folder_with_my_encrypted_data/' TBLPROPERTIES ( 'encryption_option' = 'CSE_KMS', 'kms_key' = 'arn:aws:kms:us-east-1:012345678901:key/my_kms_key') ``` When these properties are configured, + Athena can read CSE-KMS encrypted objects created by the V1, V2, or V3 Amazon S3 encryption clients. + Athena will use the AWS KMS key in `kms_key` to decrypt the CSE-KMS data. If any objects were encrypted with a different AWS KMS key, the query will fail. + Athena can still read SSE-S3 and SSE-KMS encrypted objects, though mixing server-side and client-side encrypted objects is not recommended. ### Using has\$1encrypted\$1data table property In a [CREATE TABLE](create-table.md) statement, use a `TBLPROPERTIES` clause that specifies `has_encrypted_data='true'`, as in the following example. ``` CREATE EXTERNAL TABLE 'my_encrypted_data' ( `n_nationkey` int, `n_name` string, `n_regionkey` int, `n_comment` string) ROW FORMAT SERDE 'org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe' STORED AS INPUTFORMAT 'org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat' LOCATION 's3://amzn-s3-demo-bucket/folder_with_my_encrypted_data/' TBLPROPERTIES ( 'has_encrypted_data' = 'true') ``` When the has\$1encrypted\$1data table property is specified, + Athena can only read CSE-KMS encrypted objects created by the V1 Amazon S3 encryption client. + Athena will infer the AWS KMS key used to encrypt the CSE-KMS object from the object metadata and then use that key to decrypt the object. + Athena can still read SSE-S3 and SSE-KMS encrypted objects, though mixing server-side and client-side encrypted objects is not recommended. **Note** When `encryption_option` and `kms_key` are specified alongside `has_encrypted_data`, the `encryption_option` and `kms_key` table properties take precedence, and `has_encrypted_data` is ignored. When you use the Athena console to [create a table using a form](data-sources-glue-manual-table.md) and specify the table location, select the **Encrypted data set** option to add the `has_encrypted_data='true'` property to the table. ![\[Select Encrypted data set in the add table form\]](http://docs.aws.amazon.com/athena/latest/ug/images/add-table-form-encrypted-option.png) In the Athena console list of tables, CSE-KMS encrypted tables with `has_encrypted_data='true'` display a key-shaped icon. ![\[Encrypted table icon\]](http://docs.aws.amazon.com/athena/latest/ug/images/tables-list-encrypted-table-icon.png) ## Writing SSE-S3/SSE-KMS/CSE-KMS encrypted data By default, newly inserted data files will be encrypted using the encryption configuration of the query results specified in the Athena workgroup. In order to write table data with a different encryption configuration than the encryption configuration of the query results, you will have to add some additional table properties. In a [CREATE TABLE](create-table.md) statement, use a `TBLPROPERTIES` clause that specifies `encryption_option='SSE_S3 | SSE_KMS | CSE_KMS'` and `kms_key='aws_kms_key_arn'`, as in the following example. ``` CREATE EXTERNAL TABLE 'my_encrypted_data' ( `n_nationkey` int, `n_name` string, `n_regionkey` int, `n_comment` string) ROW FORMAT SERDE 'org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe' STORED AS INPUTFORMAT 'org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat' LOCATION 's3://amzn-s3-demo-bucket/folder_with_my_encrypted_data/' TBLPROPERTIES ( 'encryption_option' = 'SSE_KMS', 'kms_key' = 'arn:aws:kms:us-east-1:012345678901:key/my_kms_key') ``` All newly inserted data will be encrypted using the encryption configuration specified by the table properties rather than using the encryption configuration of the query results in the workgroup. ## Considerations and Limitations When writing and reading encrypted datasets, consider the following points. + The `has_encrypted_data`, `encryption_option`, and `kms_key` table properties can only be used with Hive tables. + When creating a table with CSE-KMS encrypted data, we recommend that you ensure that all data is encrypted with the same AWS KMS key. + When creating a table with CSE-KMS encrypted data, we recommend that you ensure that all data is CSE-KMS encrypted and that there is not a mix of non-CSE-KMS and CSE-KMS encrypted objects.