
Amazon Athena Security: 6 essential tips

By Gilad Maayan, February 19, 2026

Editor's Note: This article was originally written by Gilad Maayan. Other contributors helped update it for accuracy in 2026.

Amazon Athena is a popular cloud service that enables lightning-fast queries on vast volumes of data in Amazon S3. It is fully serverless: users never provision or manage a server they can see, which makes it highly convenient for data teams.

Athena sidesteps the traditional data pipeline, enabling advanced analysis directly on the data without preprocessing or specialized analytics software. At the same time, it also sidesteps many of your organization's existing security measures. 

Athena enables analysts to gain direct access to sensitive data in S3 and derive valuable insights that may be similarly confidential. Your organization must have proper visibility into who performs Athena queries, why and whether they are authorized to access the data. The use of Athena may also have compliance implications. 


What is Amazon Athena? 

Amazon Athena provides an interactive query service that lets you run standard SQL queries directly against data stored in Amazon Simple Storage Service (Amazon S3).

To use Athena: 

  • Go to the AWS Management Console. 
  • Point Athena at any relevant data stored in your S3 bucket. 
  • Use SQL to run any ad-hoc queries. You'll be able to get results in seconds. 

Athena is a serverless service that eliminates the need for infrastructure setup and management. The service lets you pay only for the queries you run and automatically scales to meet your needs. Athena can run queries in parallel and provide fast results, even when analyzing large datasets or running complex queries. 

Here are some key ways to enhance Amazon Athena security as part of your comprehensive AWS security strategy. 

Logging and monitoring in Athena 

Robust monitoring is a critical part of security, and it can be challenging in serverless environments. Amazon provides built-in monitoring options that enable you to collect and respond to security event data in Athena. 

You can use Amazon CloudTrail to capture security-relevant information, such as: 

  • Actions performed in Athena by any IAM user, IAM role or AWS service
  • Calls to the Athena API 
  • Actions on the Athena console 

You can use Amazon CloudWatch Events for change management, tracking operational changes in Athena, such as: 

  • Feature activation 
  • Configuration changes 
  • Connection to S3 buckets 

You can also create a rule that matches specific API calls recorded in CloudTrail and generates custom CloudWatch events from them.

Enhanced query result encryption 

Starting in 2023, Athena expanded its encryption settings to improve the security of query results. You can now ensure all query results are encrypted at or above a level of encryption that you specify. This prevents users from overriding default encryption settings for individual queries, maintaining consistent Amazon Athena security across your organization. 

When you query data, sensitive information may appear in the results. To reduce the impact of unauthorized access by an untrusted third party, it is recommended that you encrypt your query results. You can use the Athena console, AWS CLI, API or SDK to configure the minimum level of encryption you want. For more details, see Amazon's announcement on minimum encryption requirements. 

Query string redaction in CloudTrail logs 

As of July 2023, Athena began redacting query strings from CloudTrail logs to prevent the unintended disclosure of table names or filter values that could contain sensitive information. The query string field in CloudTrail logs now contains the value OMITTED.

If you previously relied on CloudTrail logs to access full query strings, use the Athena GetQueryExecution API and pass in the value of responseElements.queryExecutionId from the CloudTrail log. This change enhances security by protecting potentially sensitive information in your queries from being logged. 
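The following added example (not code from the article or from AWS) shows how the CloudTrail data described in the logging and redaction sections can be triaged offline: it keeps only Athena API events, counts queries per principal, flags query starts by principals outside an allow-list, records workgroup and catalog configuration changes, and collects the responseElements.queryExecutionId values that GetQueryExecution would need to recover a redacted query. The log records, account id and role names are constructed to mirror the shape of real CloudTrail entries; the allow-list is a hypothetical placeholder.

```python
"""Triage Athena events from a CloudTrail log (added example, not the article's code)."""
import json
from collections import Counter

# Hypothetical allow-list of roles expected to run Athena queries.
ALLOWED_QUERY_ROLES = {"AthenaAnalystRole", "AthenaPowerUserRole"}

# Athena API calls that change configuration rather than run queries.
CONFIG_CHANGE_EVENTS = {"CreateWorkGroup", "UpdateWorkGroup", "DeleteWorkGroup",
                        "UpdateDataCatalog", "DeleteDataCatalog"}

# Constructed CloudTrail records, trimmed to the fields used here.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-02-19T10:00:01Z", "eventSource": "athena.amazonaws.com",
     "eventName": "StartQueryExecution",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AthenaAnalystRole/alice"},
     "requestParameters": {"queryString": "OMITTED", "workGroup": "analytics"},
     "responseElements": {"queryExecutionId": "6b9d1b6c-0000-4e2a-a1b1-example00001"}},
    {"eventTime": "2026-02-19T10:00:05Z", "eventSource": "athena.amazonaws.com",
     "eventName": "StartQueryExecution",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/contractor-bob"},
     "requestParameters": {"queryString": "OMITTED", "workGroup": "primary"},
     "responseElements": {"queryExecutionId": "6b9d1b6c-0000-4e2a-a1b1-example00002"}},
    {"eventTime": "2026-02-19T10:00:09Z", "eventSource": "athena.amazonaws.com",
     "eventName": "UpdateWorkGroup",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AthenaAnalystRole/alice"},
     "requestParameters": {"workGroup": "analytics"},
     "responseElements": None},
    {"eventTime": "2026-02-19T10:00:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AthenaAnalystRole/alice"},
     "requestParameters": {}, "responseElements": None},
]})


def principal_name(record):
    """Return the role name (for assumed roles) or the user name from userIdentity.arn."""
    arn = record["userIdentity"]["arn"]
    resource = arn.split(":", 5)[-1]          # e.g. assumed-role/AthenaAnalystRole/alice
    parts = resource.split("/")
    return parts[1] if parts[0] == "assumed-role" else parts[-1]


def triage(log_text):
    """Return findings for the Athena events in a CloudTrail log."""
    records = [r for r in json.loads(log_text)["Records"]
               if r["eventSource"] == "athena.amazonaws.com"]
    findings = {"unexpected_principals": [], "config_changes": [],
                "lookup_ids": [], "queries_by_principal": Counter()}
    for r in records:
        who = principal_name(r)
        if r["eventName"] == "StartQueryExecution":
            findings["queries_by_principal"][who] += 1
            if who not in ALLOWED_QUERY_ROLES:
                findings["unexpected_principals"].append(who)
            # The query text is redacted; keep the id to pass to GetQueryExecution.
            if r["requestParameters"].get("queryString") == "OMITTED":
                findings["lookup_ids"].append(r["responseElements"]["queryExecutionId"])
        elif r["eventName"] in CONFIG_CHANGE_EVENTS:
            findings["config_changes"].append(
                (who, r["eventName"], r["requestParameters"].get("workGroup")))
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The S3 GetObject record is dropped by the eventSource filter; correlating Athena activity with S3 and IAM events is the job of the XDR tooling discussed later, not of this script.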

Improving visibility with XDR 

While Athena provides basic capabilities for logging and monitoring, it can be challenging to integrate these logs with traditional security tools. There is no physical machine or VM on which security teams can install an agent, so conventional security tools cannot manage or control Athena usage. The same applies to S3 buckets. This also means that Athena activity will not be visible to traditional security tools. 

To achieve a holistic view of activity across serverless tools like Athena, you'll need a security paradigm that works with any data source, whether it's based on traditional agent-based security tooling or not. 

Extended Detection and Response (XDR) is an approach to threat detection that provides unified visibility across all layers of the IT environment, including cloud services and serverless environments. XDR tools directly integrate with cloud providers, including AWS, to provide direct access to data from CloudTrail and CloudWatch. They can help detect anomalous activity in Athena logs and combine that activity with related events in other systems (for example, failed login attempts logged in Amazon IAM). 

While XDR might seem like overkill for protecting Athena, consider that your organization likely uses other cloud-native technologies that are similarly difficult to monitor and secure. XDR addresses security concerns across multiple cloud services on AWS and other clouds. 

Connecting to Amazon Athena using an interface VPC endpoint 

A significant threat vector for Athena, or any analytics service, is the interception of communication by attackers, for example through man-in-the-middle (MitM) attacks or session hijacking.

To reduce the chances of attackers exfiltrating data pulled by Athena, you can use two security measures: 

  • Access Athena from within a virtual private cloud (VPC), a secure private network within an Amazon data center, through an interface VPC endpoint
  • Use AWS PrivateLink, which lets you create a secure, private connection between your local data center and your VPC

If you cannot run Athena in a VPC for some reason, you can use the Amazon VPN service to connect to non-VPC resources securely. 

TLS encryption for data in transit 

Athena uses Transport Layer Security (TLS) encryption for all data passing between S3 and Athena, as well as between Athena and any customer application attempting to access Athena. AWS requires TLS 1.2 and recommends TLS 1.3, with cipher suites that support perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). 

To allow only encrypted connections over HTTPS (TLS), you can apply the aws:SecureTransport condition in your S3 bucket policies. This ensures that all communications remain encrypted and protected from interception.

Securing S3 data you need to query with Athena 

Here is a five-step process you can use to secure an S3 storage bucket queried by Athena: 

1. Restrict public access to your S3 bucket

Your source S3 bucket should not be publicly accessible. Keep public access blocked unless you have a specific reason to expose the bucket; you can change this setting for each bucket directly from the AWS console.

2. Encrypt your S3 bucket 

You can encrypt your S3 bucket from the AWS console or encrypt your source files. All data in your S3 bucket should be encrypted. You can do this by applying encryption at rest on the bucket. 

You can use the AWS Key Management Service (KMS), which offers three types of keys: 

  • SSE-S3 lets S3 manage your encryption key 
  • CSE-KMS enables you to create your own key, which KMS uses 
  • SSE-KMS lets KMS generate and manage a key 

Ideally, you should use SSE-KMS keys, which let you control access to the key. 

3. Encrypt your query results 

Athena stores all query results in a pre-configured Amazon S3 location, known as an S3 staging directory. Encrypting an S3 bucket and source files does not help encrypt query results. You need to encrypt your staging directory to encrypt all data at rest. 

You should not use the same key to encrypt your stored data and query results. Ideally, use different keys for query results to ensure that a compromised key does not compromise all data. With Athena's 2023 enhancement, you can now set minimum encryption requirements that individual users cannot override. 
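The following added example (not the article's or AWS's code) models the two points made about query-result encryption, in the "Enhanced query result encryption" section above and in this step: a workgroup minimum that a per-query request cannot lower, and a results key that must differ from the source-data key. The EncryptionOption values SSE_S3, SSE_KMS and CSE_KMS are the real Athena API values; the strength ordering SSE_S3 < SSE_KMS < CSE_KMS is the one Athena's minimum-encryption setting ranks, and the "stronger of the two wins" rule is what the article describes. The dict layout of the settings and the key ARNs are constructed stand-ins for the GetWorkGroup and StartQueryExecution inputs, not the API's own shape.

```python
"""Review a query's result-encryption request against a workgroup minimum (added example)."""

# Athena EncryptionOption values ranked weakest to strongest (assumed ordering, see lead-in).
ENCRYPTION_RANK = {"SSE_S3": 1, "SSE_KMS": 2, "CSE_KMS": 3}

# Constructed workgroup settings and keys; real values come from GetWorkGroup.
WORKGROUP = {
    "name": "analytics",
    "minimum_encryption": "SSE_KMS",
    "result_kms_key": "arn:aws:kms:us-east-1:111122223333:key/results-key-example",
}
SOURCE_DATA_KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/source-key-example"


def effective_encryption(requested, minimum):
    """Return the encryption option that applies: the stronger of request and minimum."""
    if requested is None:                       # no per-query override: minimum applies
        return minimum
    if requested not in ENCRYPTION_RANK or minimum not in ENCRYPTION_RANK:
        raise ValueError(f"unknown encryption option: {requested!r} / {minimum!r}")
    return requested if ENCRYPTION_RANK[requested] >= ENCRYPTION_RANK[minimum] else minimum


def review_query_request(workgroup, requested_option, requested_kms_key=None,
                         source_key=SOURCE_DATA_KMS_KEY):
    """Return (effective option, findings) for one query's result-encryption request."""
    findings = []
    effective = effective_encryption(requested_option, workgroup["minimum_encryption"])
    if requested_option is not None and effective != requested_option:
        findings.append(f"downgrade attempt: requested {requested_option}, "
                        f"workgroup minimum {effective} enforced")
    # Results written with a KMS option must not reuse the source-data key.
    key_in_use = requested_kms_key or workgroup["result_kms_key"]
    if effective in ("SSE_KMS", "CSE_KMS") and key_in_use == source_key:
        findings.append("results key equals the source-data key; use a separate key")
    return effective, findings


if __name__ == "__main__":
    for request in [("SSE_S3", None), ("CSE_KMS", SOURCE_DATA_KMS_KEY), (None, None)]:
        print(request, "->", review_query_request(WORKGROUP, *request))
```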

4. Encrypt your Glue Data Catalog

The Data Catalog contains all Athena table definitions, as well as other metadata. Once your catalog is encrypted, Athena table definitions are encrypted; the underlying data in S3 is not affected and must be encrypted separately.

5. Control access to encrypted data 

Bucket policies can help you fine-tune access to your source data. A bucket policy can specify who has access to a specific S3 bucket and the actions they are allowed to perform on its contents. For example, you can use a policy to prevent certain users from decrypting the data. 

Additionally, you can set a bucket policy that grants access to the bucket only to identity and access management (IAM) principals from particular AWS accounts. That way, even if an unauthorized user gains access to your bucket's KMS encryption key, they still cannot read the contents, because the policy explicitly denies access to any other role, group or individual user.
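The following added example (not code from the article or from AWS) builds the kind of bucket policy described in the TLS section above and in this step: an explicit Deny for any request without TLS (the aws:SecureTransport condition), an explicit Deny for principals outside a trusted account (the aws:PrincipalAccount condition key), and an Allow that lists the read actions Athena needs. A deliberately small evaluator then checks sample requests against it; it models only the bucket policy (explicit Deny wins, otherwise a matching Allow is required) and ignores identity policies, so it is a teaching aid, not a replacement for the IAM policy simulator. The account id, bucket name and role ARNs are constructed.

```python
"""Build and exercise an S3 bucket policy for an Athena source bucket (added example)."""
import json

BUCKET = "example-athena-source-bucket"           # constructed
TRUSTED_ACCOUNT = "111122223333"                  # constructed
ANALYST_ROLE = f"arn:aws:iam::{TRUSTED_ACCOUNT}:role/AthenaAnalystRole"
OTHER_ACCOUNT_ROLE = "arn:aws:iam::999999999999:role/SomeoneElse"


def build_bucket_policy(bucket, trusted_account, allowed_principals):
    """Deny non-TLS requests and foreign accounts; allow reads only to listed principals."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": resources,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyOtherAccounts", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": resources,
         "Condition": {"StringNotEquals": {"aws:PrincipalAccount": trusted_account}}},
        {"Sid": "AllowAthenaReaders", "Effect": "Allow",
         "Principal": {"AWS": allowed_principals},
         "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": resources},
    ]}


def _condition_holds(cond, principal, secure_transport):
    """Evaluate the two condition operators this example's policy uses."""
    want_tls = cond.get("Bool", {}).get("aws:SecureTransport")
    if want_tls is not None and want_tls != str(secure_transport).lower():
        return False
    account = cond.get("StringNotEquals", {}).get("aws:PrincipalAccount")
    if account is not None and principal.split(":")[4] == account:
        return False
    return True


def _matches(stmt, principal, action, resource, secure_transport):
    """True if the statement applies to this request (action, resource, principal, condition)."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(action == a or (a.endswith("*") and action.startswith(a[:-1])) for a in actions):
        return False
    if not any(resource == r or (r.endswith("/*") and resource.startswith(r[:-1]))
               for r in stmt["Resource"]):
        return False
    princ = stmt["Principal"]
    if princ != "*" and principal not in princ.get("AWS", []):
        return False
    return _condition_holds(stmt.get("Condition", {}), principal, secure_transport)


def evaluate(policy, principal, action, resource, secure_transport=True):
    """Simplified bucket-policy decision: explicit Deny wins, else Allow needs a match."""
    matched = [s for s in policy["Statement"]
               if _matches(s, principal, action, resource, secure_transport)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"
    return "Allow" if any(s["Effect"] == "Allow" for s in matched) else "Deny"


POLICY = build_bucket_policy(BUCKET, TRUSTED_ACCOUNT, [ANALYST_ROLE])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/data/part-0.parquet"
    print("analyst over TLS:", evaluate(POLICY, ANALYST_ROLE, "s3:GetObject", obj))
    print("analyst over HTTP:", evaluate(POLICY, ANALYST_ROLE, "s3:GetObject", obj, False))
```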

Access control for Athena queries 

Unlike traditional databases, Athena does not support user accounts. To control access to Athena, you must use IAM policies, including these two AWS-managed IAM policies for Athena:

  • AmazonAthenaFullAccess: grants users permission to perform all actions on Athena 
  • AWSQuicksightAthenaAccess: ideal for IAM users who use Amazon QuickSight to access Athena 

You should also create two custom IAM policies, one for each of the following types of Athena user:

  • Power-user policy: grants the user permission to create, modify and delete Athena objects such as databases, views and tables 
  • Analyst user policy: does not provide any administrative privileges 

After creating these policies, do the following: 

  1. Create two roles and then assign each policy to the relevant role. 
  2. Assign the new roles to the relevant IAM groups. 
  3. Assign individual IAM users to IAM groups based on each user's access requirements. 
  4. Optional: attach the relevant role to any Amazon Elastic Compute Cloud (EC2) instance that runs Athena queries.
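The following added example (not the article's or AWS's policies) writes out the two custom policies described above as IAM policy documents and adds a check that the analyst policy grants no administrative rights. The action names are real IAM actions for Athena, AWS Glue and S3; the account id, region, bucket names and workgroup are constructed, and the Glue catalog resources are left as "*" where a production policy would name the catalog, database and table ARNs.

```python
"""Power-user and analyst IAM policies for Athena, with an admin-rights check (added example)."""
import json

ACCOUNT = "111122223333"                          # constructed
REGION = "us-east-1"                              # constructed
SOURCE_BUCKET = "example-athena-source-bucket"    # constructed
RESULTS_BUCKET = "example-athena-results-bucket"  # constructed
WORKGROUP_ARN = f"arn:aws:athena:{REGION}:{ACCOUNT}:workgroup/analytics"

# Actions every Athena user needs to run queries in the workgroup and read results.
QUERY_ACTIONS = ["athena:StartQueryExecution", "athena:GetQueryExecution",
                 "athena:GetQueryResults", "athena:StopQueryExecution",
                 "athena:GetWorkGroup", "athena:ListWorkGroups"]
# Read-only access to table definitions in the Glue Data Catalog.
CATALOG_READ_ACTIONS = ["glue:GetDatabase", "glue:GetDatabases", "glue:GetTable",
                        "glue:GetTables", "glue:GetPartition", "glue:GetPartitions"]
# Creating, modifying and deleting databases, tables and partitions: power users only.
CATALOG_WRITE_ACTIONS = ["glue:CreateDatabase", "glue:DeleteDatabase", "glue:CreateTable",
                         "glue:UpdateTable", "glue:DeleteTable",
                         "glue:BatchCreatePartition", "glue:BatchDeletePartition"]
# Prefixes that mark an action as administrative for the purposes of the check below.
ADMIN_PREFIXES = ("glue:Create", "glue:Update", "glue:Delete", "glue:Batch",
                  "athena:CreateWorkGroup", "athena:UpdateWorkGroup",
                  "athena:DeleteWorkGroup")


def _s3_statements():
    """Read the source bucket; read and write the query-results (staging) bucket."""
    return [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{SOURCE_BUCKET}", f"arn:aws:s3:::{SOURCE_BUCKET}/*"]},
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject",
                    "s3:PutObject", "s3:AbortMultipartUpload"],
         "Resource": [f"arn:aws:s3:::{RESULTS_BUCKET}", f"arn:aws:s3:::{RESULTS_BUCKET}/*"]},
    ]


def analyst_policy():
    """Query and read only; no administrative privileges."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": QUERY_ACTIONS, "Resource": WORKGROUP_ARN},
        {"Effect": "Allow", "Action": CATALOG_READ_ACTIONS, "Resource": "*"},
        *_s3_statements(),
    ]}


def power_user_policy():
    """Everything the analyst has, plus create/modify/delete of catalog objects."""
    policy = analyst_policy()
    policy["Statement"].append(
        {"Effect": "Allow", "Action": CATALOG_WRITE_ACTIONS, "Resource": "*"})
    return policy


def listed_actions(policy):
    """Set of every action string an Allow statement in the policy grants."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        a = stmt["Action"]
        actions.update(a if isinstance(a, list) else [a])
    return actions


def admin_actions(policy):
    """Administrative actions the policy grants; expected to be empty for analysts."""
    return sorted(a for a in listed_actions(policy) if a.startswith(ADMIN_PREFIXES))


if __name__ == "__main__":
    print(json.dumps(analyst_policy(), indent=2))
    print("analyst admin actions:", admin_actions(analyst_policy()))
    print("power-user admin actions:", admin_actions(power_user_policy()))
```

Attach each document to its own role, as the steps above describe, and run the admin_actions check whenever the analyst policy is edited so that a Glue write action cannot slip in unnoticed.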

Fine-grained access control with AWS Lake Formation 

For organizations requiring granular control over data access, AWS Lake Formation provides column-, row- and cell-level permissions on your S3 data lake tables. When users query data in Athena, Lake Formation automatically enforces these permissions. 

With Lake Formation, administrators can: 

  • Grant access to specific columns while hiding sensitive data 
  • Implement row-level security to filter data based on user roles 
  • Apply cell-level controls for maximum security precision 
  • Use data filters to mask or anonymize sensitive information in query results 

Lake Formation simplifies permission management compared to the complexity of S3 bucket policies and IAM configurations. It provides temporary credentials to Athena for each query, ensuring that users only access data they're authorized to see. When a user submits a query, Lake Formation verifies permissions and provides short-term credentials to access the data, which are discarded after the query completes. 

Learn more about Lake Formation integration in the AWS documentation. 

Conclusion 

Security for serverless cloud services is not straightforward. With these six approaches, you can enhance and develop your Amazon Athena security strategy:

  1. Logging and monitoring: Using Amazon tools to collect and analyze information about Amazon Athena activity, including the new query string redaction feature and minimum encryption requirements. 
  2. Improving visibility with XDR: Leveraging a new generation of security tools to collect Athena logs, combine with activity on other IT systems and detect abnormal activity. 
  3. Accessing Athena via VPC endpoints: Connecting to Athena through an AWS PrivateLink interface endpoint, with TLS 1.2 or higher protecting data in transit.
  4. Securing S3 data: Athena works with Amazon S3, and if you don't secure your buckets, Athena won't be secure either. Ensure sensitive data in S3 is protected by authentication and encryption. 
  5. Control access to encrypted data on S3: Utilize bucket policies and Lake Formation to determine who has access to a storage bucket and what actions they can take with it. 
  6. Access control for Athena queries: Use Amazon IAM and AWS Lake Formation to control who has full admin access to Athena and who can only perform analyst-level queries. 


Gilad Maayan

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.