# Migrate from CSE-KMS to SSE-KMS You can specify CSE-KMS encryption in two ways – during the workgroup query results encryption configuration and in the client-side settings. For more information, see [Encrypt Athena query results stored in Amazon S3](encrypting-query-results-stored-in-s3.md). During the migration process, it's important to audit your existing workflows that read and write CSE-KMS data, identify workgroups where CSE-KMS is configured, and locate instances where CSE-KMS is set through client-side parameters. ## Update workgroup query results encryption settings ------ #### [ Console ] **To update encryption settings in the Athena console** 1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/). 1. In the Athena console navigation pane, choose **Workgroups**. 1. On the **Workgroups** page, select the button for the workgroup that you want to edit. 1. Choose **Actions**, **Edit**. 1. Open **Query result configuration** and choose **Encrypt query results**. 1. For **Encryption type** section, choose **SSE\$1KMS** encryption option. 1. Enter your KMS key under **Choose a different AWS KMS key (advanced)**. 1. Choose **Save changes**. The updated workgroup appears in the list on the **Workgroups** page. ------ #### [ CLI ] Run the following command to update your query results encryption configuration to SSE-KMS in your workgroup. ``` aws athena update-work-group \ --work-group "my-workgroup" \ --configuration-updates '{ "ResultConfigurationUpdates": { "EncryptionConfiguration": { "EncryptionOption": "SSE_KMS", "KmsKey": "" } } }' ``` ------ ## Update client-side query results encryption settings ------ #### [ Console ] To update your client-side settings for query results encryption from CSE-KMS to SSE-KMS, see [Encrypt Athena query results stored in Amazon S3](encrypting-query-results-stored-in-s3.md). ------ #### [ CLI ] You can only specify query results encryption configuration in client-side settings with the `start-query-execution` command. If you run this CLI command and override the query results encryption configuration that you specified in your workgroup with CSE-KMS, change the command to encrypt query results using `SSE_KMS` as following. ``` aws athena start-query-execution \ --query-string "SELECT * FROM ;" \ --query-execution-context "Database=,Catalog=" \ --result-configuration '{ "EncryptionConfiguration": { "EncryptionOption": "SSE_KMS", "KmsKey": "" } }' \ --work-group "" ``` ------ **Note** After you update the workgroup or client-side settings, any new data that you insert by write queries uses the SSE-KMS encryption instead of CSE-KMS. This is because query results encryption configurations also apply to newly inserted table data. Athena query result, metadata, and manifest files are also encrypted with SSE-KMS. Athena can still read tables with the `has_encrypted_data` table property even when there are a mix of CSE-KMS encrypted and SSE-S3/SSE-KMS objects. # Convert CSE-KMS table data to SSE-KMS If your workflows currently use CSE-KMS for table data encryption, transition to SSE-KMS with the following steps. ## Prerequisite If you still write data using a CSE-KMS workgroup or client-side settings, follow the steps in [Migrate from CSE-KMS to SSE-KMS](migrating-csekms-ssekms.md) to update it to SSE-KMS. This prevents new CSE-KMS encrypted data from being added during the migration process from any other workflows that might write to the tables. ## Data migration 1. Check if the table has the `has_encrypted_data` property set to `true`. This property specifies that the table might contain CSE-KMS encrypted data. However, it's important to note that this property could be present even on tables without any actual CSE-KMS encrypted data. ------ #### [ Console ] 1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/). 1. Choose **Launch query editor**. 1. On the left side of the editor, under **Database**, choose the database that you want to query. 1. In the Query editor, run the following query to see the value set to the `has_encrypted_data table` property. ``` SHOW TBLPROPERTIES ('has_encrypted_data'); ``` ------ #### [ CLI ] Start Athena query that shows the value of the `has_encrypted_data` property on the table as shown in the following example. ``` aws athena start-query-execution \ --query-string "SHOW TBLPROPERTIES ('has_encrypted_data');" \ --work-group "" ``` Fetch query results to check the value of `has_encrypted_data` table property for the table as shown in the following example. ``` aws athena get-query-results --query-execution-id ``` ------ 1. For each CSE-KMS encrypted object in the table. 1. Download the object from S3 using the S3 encryption client and decrypt it. Here is an example with AWS Java SDK V2. **Imports** ``` import software.amazon.awssdk.core.ResponseInputStream; import software.amazon.awssdk.services.s3.model.GetObjectRequest; import software.amazon.awssdk.services.s3.model.GetObjectResponse; import software.amazon.encryption.s3.S3EncryptionClient; import software.amazon.encryption.s3.materials.Keyring; import software.amazon.encryption.s3.materials.KmsDiscoveryKeyring; ``` Code ``` final Keyring kmsDiscoveryKeyRing = KmsDiscoveryKeyring.builder() .enableLegacyWrappingAlgorithms(true) .build(); final S3EncryptionClient s3EncryptionClient = S3EncryptionClient.builder() .enableLegacyUnauthenticatedModes(true) .keyring(kmsDiscoveryKeyRing) .build(); GetObjectRequest getObjectRequest = GetObjectRequest.builder() .bucket("amzn-s3-demo-bucket") .key("") .build(); ResponseInputStream s3Object = s3EncryptionClient.getObject(getObjectRequest); ``` 1. Upload the object to S3 with the same name and SSE-KMS encryption. Here is an example with AWS Java SDK V2. **Imports** ``` import software.amazon.awssdk.core.ResponseInputStream; import software.amazon.awssdk.core.sync.RequestBody; import software.amazon.awssdk.services.s3.S3Client; import software.amazon.awssdk.services.s3.model.PutObjectRequest; import software.amazon.awssdk.services.s3.model.ServerSideEncryption; ``` **Code** ``` final S3Client s3Client = S3Client.builder() .build(); PutObjectRequest putObjectRequest = PutObjectRequest.builder() .bucket("amzn-s3-demo-bucket") .key("") .serverSideEncryption(ServerSideEncryption.AWS_KMS) .ssekmsKeyId("") .build(); s3Client.putObject(putObjectRequest, RequestBody.fromBytes(s3Object.readAllBytes())); ``` ## Post migration After successfully re-encrypting all CSE-KMS files in the table, perform the following steps. 1. Remove the `has_encrypted_data` property from the table. ------ #### [ Console ] 1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/). 1. Choose **Launch query editor**. 1. On the left side of the editor, under **Database**, choose the database that you want to query. 1. In the Query editor, run the following query for your table. ``` ALTER TABLE . UNSET TBLPROPERTIES ('has_encrypted_data') ``` ------ #### [ CLI ] Run the following command to remove the `has_encrypted_data` property from your table. ``` aws athena start-query-execution \ --query-string "ALTER TABLE . UNSET TBLPROPERTIES ('has_encrypted_data');" \ --work-group "" ``` ------ 1. Update your workflows to use a basic S3 client instead of a S3 encryption client and then specify SSE-KMS encryption for data writes.