# Configured tables in AWS Clean Rooms
<a name="working-with-configured-tables"></a>

A *configured table* is a reference to an existing table in a data source. It contains an analysis rule that determines how the data can be queried in AWS Clean Rooms and can include a data access budget to control table usage. Configured tables can be associated to one or more collaborations.

With AWS Clean Rooms, you can perform aggregation analysis on event data, such as number of purchases compared to number of purchases. You can also perform list analysis on event data, such as enriching overlapping customer data from segment data to CRM data. You can also perform custom queries and set differential privacy on event data, such as viewership data and segment attributes. For any of these analysis types, you can set data access budgets to monitor and control how much of your data is accessed through queries.

First, you create a collaboration in AWS Clean Rooms and add the AWS accounts you want to invite, or join a collaboration you're invited to by creating a membership. Next, you and the other member in the collaboration create configured tables. You both add an analysis rule to the configured tables (aggregation, list, or custom) and optionally set data access budgets. Then, you associate the configured tables to the collaboration. Finally, the member who can query runs a query across the two data tables, consuming the data access budget as queries are executed.

The following diagram summarizes how to work with event data in AWS Clean Rooms.

![\[Diagram explaining how to work with event data in AWS Clean Rooms\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/images/how-it-works-event-data.png)


**Topics**
+ [Creating a configured table in AWS Clean Rooms](create-configured-table.md)
+ [Adding an analysis rule to a configured table](add-analysis-rule.md)
+ [Associating a configured table to a collaboration](associate-configured-table.md)
+ [Configuring a data access budget](configure-data-access-budget.md)
+ [Adding a collaboration analysis rule to a configured table](add-collaboration-analysis-rule.md)
+ [Configuring differential privacy policy (optional)](configure-differential-privacy.md)
+ [Viewing tables and analysis rules](view-tables.md)
+ [Editing a configured table](edit-configured-table.md)
+ [Editing configured table tags](edit-config-table-tags.md)
+ [Editing the configured table analysis rule](edit-config-table-analysis-rule.md)
+ [Deleting the configured table analysis rule](delete-config-table-analysis-rule.md)
+ [Configured table disallowed columns](disallowed-columns.md)
+ [Editing configured table associations](edit-config-table-assoc.md)
+ [Disassociating configured tables](disassociate-config-table.md)

# Creating a configured table in AWS Clean Rooms
<a name="create-configured-table"></a>

A *configured table* is a reference to an existing table in a data source. It contains an analysis rule that determines how the data can be queried in AWS Clean Rooms. Configured tables can be associated to one or more collaborations.

For information about how to create a configured table using the AWS SDKs, see the [https://docs.aws.amazon.com/clean-rooms/latest/apireference/Welcome.html](https://docs.aws.amazon.com/clean-rooms/latest/apireference/Welcome.html).

**Topics**
+ [Creating a configured table – Amazon S3 data source](create-config-table-s3.md)
+ [Creating a configured table – Amazon Athena data source](create-config-table-athena.md)
+ [Creating a configured table – Snowflake data source](create-config-table-snowflake.md)

# Creating a configured table – Amazon S3 data source
<a name="create-config-table-s3"></a>

In this procedure, the [member](glossary.md#glossary-member) does the following tasks: 
+  Configures an existing AWS Glue table for use in AWS Clean Rooms. (This step can be done before or after joining a collaboration, unless using Cryptographic Computing for Clean Rooms.)
**Note**  
AWS Clean Rooms supports AWS Glue tables. For more information about getting your data in AWS Glue, see [Step 3: Upload your data table to Amazon S3](prepare-data-S3.md#upload-to-s3). 
+ Names the [configured table](glossary.md#glossary-configured-table) and chooses which columns to use in the collaboration.

The following procedure assumes that:
+ The collaboration member has already [uploaded their data tables to Amazon S3](prepare-data-S3.md#upload-to-s3) and [created an AWS Glue table](prepare-data-S3.md#create-glue-crawler).
**Note**  
The **Results destination in Amazon S3** can't be within the same S3 bucket as any data source.
+ (Optional) For [encrypted](glossary.md#glossary-encryption) data tables only, the collaboration member has already [prepared encrypted data tables](prepare-encrypted-data.md) using the C3R encryption client.

You can use the statistic generation provided by AWS Glue to compute column-level statistics for AWS Glue Data Catalog tables. After AWS Glue generates statistics for tables in the Data Catalog, Amazon Redshift Spectrum automatically uses those statistics to optimize the query plan. For more information about computing column-level statistics using AWS Glue, see [Optimizing query performance using column statistics](https://docs.aws.amazon.com/glue/latest/dg/column-statistics.html) in the *AWS Glue User Guide*. For more information about AWS Glue, see the *[AWS Glue Developer Guide](https://docs.aws.amazon.com/glue/latest/dg/what-is-glue.html)*.

**To create a configured table – Amazon S3 data source**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Tables**.

1. In the upper right corner, choose **Configure new table**.

1. For **Data source**, under **AWS data sources**, choose **Amazon S3**. 

1. Under **Amazon S3 table**: 

   1. Select the **Region** where the S3 table is hosted.

      By default, the current Region (such as N. Virginia us-east-1) is selected. 
**Warning**  
When your Amazon S3 data source is in a different Region than your processing location, data processing may occur temporarily outside the source Region. Before proceeding, verify that cross-Region data movement complies with your data sovereignty requirements, regulatory compliance policies, and data governance standards. 

      For more information about Regions, see [Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *AWS General Reference*. 

   1. Choose the **Database** from the dropdown list.

   1. Choose the **Table** that you want to configure from the dropdown list.
**Note**  
To verify that this is the correct table, do either one of the following:  
Choose **View in AWS Glue**.
Turn on **View schema from AWS Glue** to view the schema.
**Important**  
For AWS Glue tables where the data is in CSV format, the column names and order in the Glue schema must exactly match the CSV data. If they don't align, the allowed columns list for the configured table might not be enforced properly.

1. For **Columns and analysis methods allowed in collaborations**, 

   1. For **Which columns do you want to allow in collaborations?**
      + Choose **All columns** to allow all columns to be queried in the collaboration.
      + Choose **Custom list** to allow one or more columns from the **Specify allowed columns** dropdown list to be queried in the collaboration.

   1. For **Allowed analysis methods**,

      1. Choose **Direct query** to allow SQL queries to be run directly on this table

      1. Choose **Direct job** to allow PySpark jobs to be run directly on this table.  
**Example**  

   For example, if you want to allow collaboration members to run both direct SQL queries and PySpark jobs on all columns, then choose **All columns**, **Direct query**, and **Direct job**.

1. For **Configured table details**, 

   1. Enter a **Name** for the configured table.

      You can use the default name or rename this table.

   1. Enter a **Description** of the table. 

      The description helps differentiate between other configured tables with similar names.

1. If you want to enable **Tags** for the configured table resource, choose **Add new tag** and then enter the **Key** and **Value** pair. 

1. Choose **Configure new table**. 

Now that you have created a configured table, you are ready to: 
+ [Add an analysis rule to the configured table](add-analysis-rule.md)
+ [Associate the configured table to a collaboration](associate-configured-table.md)

# Creating a configured table – Amazon Athena data source
<a name="create-config-table-athena"></a>

The Amazon Athena data source option allows you to query data stored in Amazon S3, cataloged in the AWS Glue data catalog or federated catalogs, and access controlled via AWS Lake Formation. Both tables and AWS Glue Data Catalog Views are supported. Lake Formation resource links can be used to share tables and views across AWS accounts and across AWS Regions to the AWS Clean Rooms member account that joins them to an AWS Clean Rooms collaboration. 

**Note**  
Only Amazon S3-based datasets can be queried via the Athena data source integration.

In this procedure, the [member](glossary.md#glossary-member) does the following tasks: 
+ Configures an existing table or view in the AWS Glue Data Catalog for use the AWS Clean Rooms
+ Names the [configured table](glossary.md#glossary-configured-table) and chooses which columns to use in the collaboration.

The following procedure assumes that:
+ The collaboration member has already created the AWS Glue Data Catalog database and table or GDC view. 

**To create a configured table – Athena data source**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Tables**.

1. In the upper right corner, choose **Configure new table**.

1. For **Data source**, under **AWS data sources**, choose **Amazon Athena**. 

1. Under **Amazon Athena table**: 

   1. Select the **Region** where the Amazon Athena table is hosted.

      By default, the current Region (such as N. Virginia us-east-1) is selected. 
**Warning**  
When your Amazon Athena data source is in a different Region than your processing location, data processing may occur temporarily outside the source Region. Before proceeding, verify that cross-Region data movement complies with your data sovereignty requirements, regulatory compliance policies, and data governance standards. 

      For more information about Regions, see [Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *AWS General Reference*. 

   1. Choose the **Catalog** from the dropdown list.

      By default, **AWS Glue Data Catalog** is selected.
      + **AWS Glue Data Catalog** – The default catalog for tables in AWS Glue.
      + **Federated catalog** – Available if you've configured AWS Glue Catalog Federation to connect to remote Apache Iceberg REST catalogs. For more information, see [Catalog federation](https://docs.aws.amazon.com/lake-formation/latest/dg/catalog-federation.html) in the *AWS Lake Formation Developer Guide*.

   1. Choose the **Database** from the dropdown list.

   1. Choose the **Table** that you want to configure from the dropdown list.
**Note**  
To verify that this is the correct table, do either one of the following:  
Choose **View in AWS Glue** or **View in AWS Lake Formation** (depending on your catalog type).
Turn on **View schema from AWS Glue** to view the schema.

1. For **Amazon Athena configurations**,

   1. Choose a **Workgroup** from the dropdown list.

   1. For **S3 output location**, choose a recommended action, based on one of the following scenarios.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/create-config-table-athena.html)

1. For **Columns allowed in collaborations**, choose an option based on your goal.     
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/create-config-table-athena.html)

1. For **Configured table details**, 

   1. Enter a **Name** for the configured table.

      You can use the default name or rename this table.

   1. Enter a **Description** of the table. 

      The description helps differentiate between other configured tables with similar names.

   1. If you want to enable **Tags** for the configured table resource, choose **Add new tag** and then enter the **Key** and **Value** pair. 

1. Choose **Configure new table**. 

Now that you have created a configured table, you are ready to: 
+ [Add an analysis rule to the configured table](add-analysis-rule.md)
+ [Associate the configured table to a collaboration](associate-configured-table.md)

# Creating a configured table – Snowflake data source
<a name="create-config-table-snowflake"></a>

In this procedure, the [member](glossary.md#glossary-member) does the following tasks: 
+ Configures an existing Snowflake table for use in AWS Clean Rooms. (This step can be done before or after joining a collaboration, unless using Cryptographic Computing for Clean Rooms.)
+ Names the [configured table](glossary.md#glossary-configured-table) and chooses which columns to use in the collaboration.

The following procedure assumes that:
+ The collaboration member has already uploaded their data tables to Snowflake.
+ (Optional) For [encrypted](glossary.md#glossary-encryption) data tables only, the collaboration member has already [prepared encrypted data tables](prepare-encrypted-data.md) using the C3R encryption client.

**To create a configured table – Snowflake data source**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Tables**.

1. In the upper right corner, choose **Configure new table**.

1. For **Data source**, under **Third-party clouds and data sources**, choose **Snowflake**. 

1. Specify the **Snowflake credentials** using an existing secret ARN or storing a new secret for this table.

------
#### [ Use existing secret ARN ]

   1. If you have a secret ARN, enter it in the **Secret ARN** field. 

      You can look up your secret ARN by choosing **Go to AWS Secrets Manager**.

   1. If you have an existing secret from another table, choose **Import secret ARN from existing table**. 

**Note**  
The secret ARN can be cross-account. 

------
#### [ Store a new secret for this table ]

   1. Enter the following Snowflake credentials:
      + **Snowflake username**
      + **Snowflake warehouse**
      + **Snowflake role**
      + **Snowflake Privacy Enhanced Mail (PEM) private key** 

   1. For encryption, do one of the following:
      + To use the AWS managed key (default), leave the **Customize encryption settings** checkbox cleared. 
      + To use a custom AWS KMS key:
        + Select the **Customize encryption settings** checkbox.
        + For **KMS key**, enter the key ARN or choose one from the list.

   1. Enter a **Secret name** to help you find your credentials later.

------

1. For **Snowflake table and schema details**, enter the details manually or automatically import the details.

------
#### [ Enter the details manually ]

   1. Enter the **Snowflake account identifier**.

      For more information, see [Account identifiers](https://docs.snowflake.com/en/user-guide/admin-account-identifier#finding-the-organization-and-account-name-for-an-account) in the Snowflake documentation. 

      Your account identifier must be in the format used for Snowflake drivers. You need to replace the period (.) with a hyphen (-) so the identifier is formatted as **<orgname>-<account\$1name>**.

   1. Enter the **Snowflake database**.

      For more information, see [Snowflake database](https://docs.snowflake.com/en/sql-reference/snowflake-db) in the Snowflake documentation.

   1. Enter the **Snowflake schema name**.

   1. Enter the **Snowflake table name**.

      For more information, see [Understanding Snowflake Table Structures](https://docs.snowflake.com/en/user-guide/tables-micro-partitions) in the Snowflake documentation. 

   1. For the **Schema**, enter the **Column name** and choose the **Data type** from the dropdown list. 

   1. Choose **Add column** to add more columns.
      +  If you choose an **Object data type**, specify the **Object schema**.   
**Example object schema**  

        ```
        name STRING,
        location OBJECT(
            x INT, 
            y INT, 
            metadata OBJECT(uuid STRING)
        ),
        history ARRAY(TEXT)
        ```
      + If you choose an **Array data type**, specify the **Array schema**.  
**Example array schema**  

        ```
        OBJECT(x INT, y INT)
        ```
      + If you choose a **Map data type**, specify the **Map schema**.  
**Example map schema**  

        ```
        STRING, OBJECT(x INT, y INT)
        ```

------
#### [ Automatically import the details ]

   1. Export your COLUMNS view from Snowflake as a CSV file.

      For more information about the Snowflake COLUMNS view, see [COLUMNS view](https://docs.snowflake.com/en/sql-reference/info-schema/columns) in the Snowflake documentation.

   1. Choose **Import from file** to import the CSV file and specify any additional information. 

      The database name, schema name, table name, column names and data types are automatically imported.
      +  If you choose an **Object data type**, specify the **Object schema**. 
      + If you choose an **Array data type**, specify the **Array schema**.
      + If you choose a **Map data type**, specify the **Map schema**.

   1. Enter the **Snowflake account identifier**.

      For more information, see [Account identifiers](https://docs.snowflake.com/en/user-guide/admin-account-identifier#finding-the-organization-and-account-name-for-an-account) in the Snowflake documentation. 

**Note**  
 Only S3 tables cataloged in AWS Glue can be used to retrieve the table schema automatically.

------

1. For **Columns allowed in collaborations**, choose an option based on your goal.     
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/create-config-table-snowflake.html)

1. For **Configured table details**, 

   1. Enter a **Name** for the configured table.

      You can use the default name or rename this table.

   1. Enter a **Description** of the table. 

      The description helps differentiate between other configured tables with similar names.

   1. If you want to enable **Tags** for the configured table resource, choose **Add new tag** and then enter the **Key** and **Value** pair. 

1. Choose **Configure new table**. 

Now that you have created a configured table, you are ready to: 
+ [Add an analysis rule to the configured table](add-analysis-rule.md)
+ [Associate the configured table to a collaboration](associate-configured-table.md)

# Adding an analysis rule to a configured table
<a name="add-analysis-rule"></a>

The following sections describe how to add an analysis rule to your configured table. By defining the analysis rules, you can authorize the member who can query to run queries that match a specific analysis rule supported by AWS Clean Rooms.

AWS Clean Rooms supports the following types of analysis rules:
+ [Aggregation analysis rule](analysis-rules-aggregation.md)
+ [List analysis rule](analysis-rules-list.md)
+ [Custom analysis rule in AWS Clean Rooms](analysis-rules-custom.md)

There can be only one analysis rule per configured table. You can configure the analysis rule any time before you associate your configured tables with the collaboration.

**Important**  
If you are using Cryptographic Computing for Clean Rooms and have encrypted data tables in the collaboration, the analysis rule you add to the encrypted configured table should be consistent with how the data was encrypted. For example, if you encrypted the data for SELECT (aggregation analysis rule), you shouldn't add the analysis rule for JOIN (list analysis rule).

**Topics**
+ [Adding an aggregation analysis rule to a table (guided flow)](#add-agg-analysis-rule-console-wizard)
+ [Adding a list analysis rule to a table (guided flow)](#add-list-analysis-rule-console-wizard)
+ [Adding a custom analysis rule to a table (guided flow)](#add-custom-analysis-rule-wizard)
+ [Adding analysis rule to a table (JSON editor)](#add-analysis-rule-console-json-editor)
+ [Next steps](#add-analysis-rule-next-step)

## Adding an aggregation analysis rule to a table (guided flow)
<a name="add-agg-analysis-rule-console-wizard"></a>

The *aggregation analysis rule* allows queries that aggregate statistics without revealing row-level information using COUNT, SUM, and AVG functions along optional dimensions.

This procedure describes the process of adding an aggregation analysis rule to your configured table by using the **Guided flow** option in the AWS Clean Rooms console.

**Note**  
Configured tables using non-S3 data sources only support [custom analysis rules](#add-custom-analysis-rule-wizard).

**To add the aggregation analysis rule to a table (guided flow)**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Tables**.

1. Choose the configured table.

1. On the configured table detail page, choose **Configure analysis rule**.

1. Under **Step 1: Choose analysis rule type**, under **Analysis rule type**, choose the **Aggregation** option.

1. Under **Creation method**, select **Guided flow**, and then choose **Next**. 

1. Under **Step 2: Specify query controls**, for **Aggregate functions**:

   1. Choose an **Aggregate function** from the dropdown:
      + **COUNT**
      + **COUNT DISTINCT**
      + **SUM**
      + **SUM DISTINCT**
      + **AVG**

   1. Choose which columns can be used in the **Aggregate function** from the **Columns** dropdown.

   1. (Optional) Choose **Add another function** to add another aggregate function and associate one or more columns to that function.
**Note**  
At least one aggregate function is required.

   1. (Optional) Choose **Remove** to remove an aggregate function.

1. For **Join controls**, 

   1. Choose one option for **Allow table to be queried by itself**:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/add-analysis-rule.html)

   1. Under **Specify join columns**, choose the columns that you want to allow to be used in the INNER JOIN statement.

      This is *optional* if you have selected **Yes** in the previous step.

   1. Under **Specify allowed operators for matching**, choose which, if any, operators can be used for matching on multiple join columns. If you select two or more JOIN columns, one of these operators is required.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/add-analysis-rule.html)

1. *(Optional)* For **Dimension controls**, in the **Specify dimension columns** dropdown, choose which columns you want to allow to be used in the SELECT statement, and the WHERE, GROUP BY, and ORDER BY parts of the query.
**Note**  
Aggregate function or join columns can’t be used as **Dimension** columns.

1. For **Scalar functions**, choose one option for **Which scalar functions do you want to allow?**    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/add-analysis-rule.html)

   For more information, see [Scalar functions](analysis-rules-aggregation.md#scalar-functions).

1. Choose **Next**.

1. Under **Step 3: Specify query results controls**, for **Aggregation constraints**:

   1. Select the dropdown list for each **Column name**.

   1. Select the dropdown list for each **Minimum number of distinct values** that must be met for each output row to be returned, after the COUNT DISTINCT function is applied to it.

   1. Choose **Add constraint** to add more aggregation constraints.

   1. (Optional) Choose **Remove** to remove an aggregation constraint.

1. For **Additional analyses applied to output**, select an option based on your goal.     
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/add-analysis-rule.html)

1. Choose **Next**.

1. Under **Step 4: Review and configure**, review the selections you’ve made for the previous steps, edit if necessary, and then choose **Configure analysis rule**.

You see a confirmation message that you’ve successfully configured an aggregation analysis rule to the table.

## Adding a list analysis rule to a table (guided flow)
<a name="add-list-analysis-rule-console-wizard"></a>

The *list analysis rule* allows queries that output row-level lists of the overlap between the associated table and a table of the member who can query.

This procedure describes the process of adding the list analysis rule to your configured table using the **Guided flow** option in the AWS Clean Rooms console. 

**Note**  
Configured tables using non-S3 data sources only support [custom analysis rules](#add-custom-analysis-rule-wizard).

**To add a list analysis rule to a table (guided flow)**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Tables**.

1. Choose the configured table.

1. On the configured table detail page, choose **Configure analysis rule**.

1. Under **Step 1: Choose analysis rule type**, under **Analysis rule type**, choose the **List** option.

1. Under **Creation method**, select **Guided flow**, and then choose **Next**. 

1. Under **Step 2: Specify query controls**, for **Join controls**:

   1. Under **Specify join columns**, choose the columns that you want to allow to be used in the INNER JOIN statement.

   1. Under **Specify allowed operators for matching**, choose which, if any, operators can be used for matching on multiple join columns. If you select two or more JOIN columns, one of these operators is required.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/add-analysis-rule.html)

1. *(Optional)* For **List controls**, in the **Specify list columns** dropdown, choose which columns you want to allow to be used in the query output (that is, used in the SELECT statement), or used to filter results (that is, the WHERE statement).

1. Choose **Next**.

1. Under **Step 3: Specify query results controls**, for **Additional analyses applied to output**, select an option based on your goal.     
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/add-analysis-rule.html)

1. Under **Step 4: Review and configure**, review the selections you’ve made for the previous steps, edit if necessary, and then choose **Configure analysis rule**.

You see a confirmation message that you’ve successfully configured a list analysis rule for the table.

## Adding a custom analysis rule to a table (guided flow)
<a name="add-custom-analysis-rule-wizard"></a>

The custom analysis rule enables custom SQL queries or PySpark jobs on a configured table. The custom analysis rule is required if you're using:
+ [Analysis templates](create-analysis-template.md) to allow a specific set of pre-approved SQL queries or PySpark jobs or a specific set of accounts that can provide queries that use your data.
+ [AWS Clean Rooms Differential Privacy](differential-privacy.md) to protect against user-identification attempts.
+ Non-S3 data sources, such as Amazon Athena or Snowflake.

This procedure describes the process of adding the custom analysis rule to your configured table using the **Guided flow** option in the AWS Clean Rooms console. 

**To add a custom analysis rule to a table (guided flow)**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Tables**.

1. Choose the configured table.

1. On the configured table detail page, choose **Configure analysis rule**.

1. Under **Step 1: Choose analysis rule type**, under **Analysis rule type**, choose the **Custom** option.

1. Under **Creation method**, select **Guided flow**, and then choose **Next**. 

1. Under **Step 2: Specify analysis controls**, for **Direct analysis controls**, choose an option based on your goal.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/add-analysis-rule.html)

1. Under **Step 3: Specify analysis results controls**, 

   1. For **Job results controls**, note that no additional results controls are supported.

   1. Under **Query results controls**, for **Columns not allowed in output**, choose the columns you want to be allowed in the query output, based on your goal.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/add-analysis-rule.html)

   1. For **Additional analyses applied to output** choose whether additional analyses can be applied to the query output, based on your goal.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/add-analysis-rule.html)

   1. Choose **Next**.

1. (Optional) Under **Step 4: Set differential privacy**, determine whether you want differential privacy turned on or off. 

   Differential privacy is a mathematically-proven technique to protect your data from re-identification attacks. 
**Note**  
AWS Clean Rooms Differential Privacy is only available for collaborations where the data is stored in Amazon S3.

   For **Differential privacy**, choose whether to turn differential privacy on or off, based on your goal.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/add-analysis-rule.html)

1. Under **Step 5: Review and configure**, review the selections you’ve made for the previous steps, edit if necessary, and then choose **Configure analysis rule**.

You see a confirmation message that you’ve successfully configured a custom analysis rule for the table.

## Adding analysis rule to a table (JSON editor)
<a name="add-analysis-rule-console-json-editor"></a>

The following procedure shows how to add an analysis rule to a table using the **JSON editor** option in the AWS Clean Rooms console.

**Note**  
Configured tables using non-S3 data sources only support [custom analysis rules](#add-custom-analysis-rule-wizard).

**To add an aggregation, list, or custom analysis rule to a table (JSON editor)**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Tables**.

1. Choose the configured table.

1. On the configured table detail page, choose **Configure analysis rule**.

1. Under **Step 1: Choose analysis rule type**, under **Analysis rule type**, choose either the **Aggregation**, **List**, or **Custom** option.

1. Under **Creation method**, select **JSON editor**, and then choose **Next**. 

1. Under **Step 2: Specify controls**, you can choose to insert a query structure (**Insert template**) or insert a file (**Import from file**).    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/add-analysis-rule.html)

1. Choose **Next**.

1. Under **Step 3: Review and configure**, review the selections you’ve made for the previous steps, edit if necessary, and then choose **Configure analysis rule**.

You receive a confirmation message that you’ve successfully configured an analysis rule for the table.

## Next steps
<a name="add-analysis-rule-next-step"></a>

Now that you configured an analysis rule to your configured table, you are ready to: 
+ [Associate a configured table to a collaboration](associate-configured-table.md)
+ [Query the data tables](running-sql-queries.md) (as a member who can query)

# Associating a configured table to a collaboration
<a name="associate-configured-table"></a>

After you have created a configured table and added an analysis rule to it, you can associate it to a collaboration and give AWS Clean Rooms a service role to access your AWS Glue tables. 

**Note**  
This service role has permissions to the tables. The service role is assumable only by AWS Clean Rooms to run allowed queries on behalf of the member who can query. No collaboration members (other than the data owner) have access to the underlying tables in the collaboration. The data owner can turn on differential privacy to make their tables available for querying by other members.

## Data access budget
<a name="data-access-budget"></a>

When you associate a configured table, you can apply a data access budget. A *data access budget* controls how many times a table can be used for queries, jobs, and ML input channels in a collaboration. These budgets help organizations manage resource utilization and control costs by limiting table use.

Each time a table is used in a query, job, or ML input channel, the budget for that table is reduced by one. When the budget reaches zero, the table can't be used in SQL queries, Pyspark jobs, nor as part of ML input channels derived from the table.

You can establish a per period budget that refreshes periodically, a lifetime budget for overall usage, or both. By default, table usage is unlimited.
+ Per period budget – A renewable allocation that limits the amount of times this table can be used within a specified time period. You can set the period to daily, weekly, or monthly. This budget can be set to automatically refresh on a daily, weekly, or monthly basis.
+ Lifetime budget – A running allocation that limits the total amount of times this table can be used.

## Associate a configured table
<a name="associate-table-config-table-details"></a>

The following topics describe how to associate a configured table and apply a data access budget to a collaboration using the AWS Clean Rooms console.

For information about how to associate your configured tables to the collaboration using the AWS SDKs, see the [https://docs.aws.amazon.com/clean-rooms/latest/apireference/Welcome.html](https://docs.aws.amazon.com/clean-rooms/latest/apireference/Welcome.html).

### Step 1: Complete the prerequisites
<a name="associate-config-table-prereq"></a>

To associate a configured table, you must complete the following prerequisites:
+ An AWS Glue table that points to an Amazon S3 folder location (not a single file)
+ For encrypted AWS Glue tables:
  + A service role with permissions to use AWS KMS keys for decrypting AWS Glue tables
  + For AWS KMS-encrypted Amazon S3 datasets: The service role must also have permissions to use the AWS KMS key to decrypt Amazon S3 data

For information about configuring encryption, see [Setting up encryption in AWS Glue](https://docs.aws.amazon.com/glue/latest/dg/set-up-encryption.html) in the *AWS Glue Developer Guide*.

To verify your AWS Glue table location:

1. Open the AWS Glue console at [https://console.aws.amazon.com/glue/](https://console.aws.amazon.com/glue/)

1. View your table details and confirm the location points to an S3 folder

### Step 2: Associate a configured table
<a name="associate-config-table"></a>

**To associate a configured table**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. Choose the method to associate your table:

   1. From the configured table detail page:

      1. In the left navigation pane, choose **Tables**.

      1. Choose the configured table.

      1. On the configured table detail page, choose **Associate to collaboration**.

      1. For the **Associate table to collaboration** dialog box, choose the **Collaboration** from the dropdown list.

   1. From the collaboration detail page:

      1. In the left navigation pane, choose **Collaborations**.

      1. Choose the collaboration.

      1. On the **Tables** tab, choose **Associate table**.

1. On the **Associate table** page, do one of the following:
   + Choose an existing configured table – Choose the **Configured table name** that you want to associate with the collaboration from the dropdown list.
   + Configure a new table – Choose **Configure new table** and follow the prompts on the **Configure new table** page.
   + View the schema and analysis rule for the configured table – Turn on **View schema and analysis rule**.

1. For **Table association details**, 

   1. Enter a **Name** for the associated table.

      You can use the default name or rename this table.

   1. (Optional) Enter a **Description** of the table. 

      The description helps with writing queries.

1. Specify the **Service access** permissions by selecting either **Create and use a new service role** or **Use an existing service role**.
**Note**  
If you are associating a configured table backed by Amazon Athena, choose an **Existing service role name** from the dropdown list. Ensure the service role has IAM and, if needed, Lake Formation permissions to the dataset.     
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/associate-configured-table.html)
**Note**  
AWS Clean Rooms requires permissions to query according to the analysis rules. For more information about permissions for AWS Clean Rooms, see [AWS managed policies for AWS Clean Rooms](security-iam-awsmanpol.md).
If the role doesn’t have sufficient permissions for AWS Clean Rooms, you receive an error message stating that the role doesn't have sufficient permissions for AWS Clean Rooms. The role policy must be added before proceeding.
If you can’t modify the role policy, you receive an error message stating that AWS Clean Rooms couldn't find the policy for the service role.

1. If you want to enable **Configured table association tags** for the configured table association resource, choose **Add new tag** and then enter the **Key** and **Value** pair. 

1. Choose **Next**.

1. On the **Configure collaboration analysis rule** page, choose one of the following:
   + **Yes, create a collaboration analysis rule now** – Associates your table with this collaboration and creates a collaboration analysis rule
   + **No, I will create a collaboration analysis rule later** – Associates your table with this collaboration only. You can create a collaboration analysis rule later.

1. If you choose **Yes, create a collaboration analysis rule now**, for **Results delivery**, choose the **Members allowed to receive results for query output** from the dropdown list.

1. Choose **Next**.

1. On the **Add data access budget** page, for **Data access budget configuration**, choose one of the following:
   + **Yes, add a data access budget now** – Associates your table with this collaboration and adds a data access budget. You can select either a period budget, a lifetime budget, or both.
   + **No, I will add a data access budget later** – Associates your table with this collaboration only. You can add a data access budget later.

     If you select **No, I will add a data access budget later**, skip to step 15.

1. If you choose **Yes, add a data access budget now**, choose one of the following budget configurations:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/associate-configured-table.html)

1. Review your selections under **Data access budget summary**.  
**Example**  

   For example, if you've chosen a **Per period budget amount** of 1,000, set the **Period** to **Weekly**, left the **Automatically refresh budget weekly** checkbox selected, and set the **Lifetime budget** to 1,000,000, then the **Access budget summary** will display the following message: Every week, this table can be used up to 1,000 times for running queries or jobs. This budget is set to automatically refresh every Sunday at 00:00 UTC, and will continue to refresh until this table has reached its lifetime budget of 1,000,000 uses.

1. (Optional) If you want to enable **Data access budget tags** for the access budget resource, choose **Add new tag** and enter a Key and Value pair.

1. Choose **Next**.

1. Review the information on the **Review and create** page.

   1. If you need to edit any sections, choose **Edit**.

   1. Edit your configurations, and then choose **Next**.

1. Choose **Associate table**. 

### Step 3: Next steps
<a name="associate-table-next-steps"></a>

Now that you associated your configured data table to the collaboration, you are ready to: 
+ [Add a collaboration analysis rule](add-collaboration-analysis-rule.md) to the configured table
+ [Edit the collaboration](edit-collaboration.md), if you're the collaboration creator
+ [Query the data tables](running-sql-queries.md) (as a member who can query)

# Configuring a data access budget
<a name="configure-data-access-budget"></a>

A collaborator can view, add, edit, and delete a *data acccess budget* to set a limit on the number of times a table can be used in a workflow. Use these budgets to manage data and costs.

Each time a table is queried or a job is run using a ML input channel derived from a table, the budget for that table is reduced by one. When the budget reaches zero, the table can't be queried and ML jobs can't be run using ML input channels derived from the table.

You can establish a per period budget that refreshes periodically, a lifetime budget for overall usage, or both. By default, table usage is unlimited.
+ Per period budget – A renewable allocation that limits the amount of times this table can be used within a specified time period. You can set the period to daily, weekly, or monthly. This budget can be set to automatically refresh on a daily, weekly, or monthly basis.
+ Lifetime budget – A running allocation that limits the total amount of times this table can be used.

**Topics**
+ [Viewing a data access budget](view-access-budget.md)
+ [Adding a data access budget to an existing associated table](add-access-budget-to-existing-associated-table.md)
+ [Editing a data access budget](edit-access-budget.md)
+ [Deleting a data access budget](delete-access-budget.md)

# Viewing a data access budget
<a name="view-access-budget"></a>

You can view a data access budget from the **Tables** tab or from the table details page.

**To view a data access budget**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. Choose the **Tables** tab.

1. Do one of the following: 
   + Under the **Remaining data access budget** column, select the budget to view the details.
   + Choose a table, and on the table details page, scroll down to view the **Data access budget details** section.

# Adding a data access budget to an existing associated table
<a name="add-access-budget-to-existing-associated-table"></a>

As a collaboration member, you can add a data access budget to an existing associated table.

**To add a data access budget to an existing associated table**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. Choose the **Tables** tab.

1. Select the option button next to the table you want to add a data access budget to.

1. From the **Actions** dropdown list, under **Data access budget**, select **Add** (if there isn't already a budget).

1. Choose one of the following budget configurations:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/add-access-budget-to-existing-associated-table.html)

1. Review your selections under **Data access budget summary**.

1.   
**Example**  

   For example, if you've chosen a **Per period budget amount** of 1,000, set the **Period** to **Weekly**, left the **Automatically refresh budget weekly** checkbox selected, and set the **Lifetime budget** to 1,000,000, then the **Access budget summary** will display the following message: Every week, this table can be used up to 1,000 times for running queries or jobs. This budget is set to automatically refresh every Sunday at 00:00 UTC, and will continue to refresh until this table has reached its lifetime budget of 1,000,000 uses.

1. (Optional) If you want to enable **Data access budget tags** for the access budget resource, choose **Add new tag** and enter a Key and Value pair.

1. Choose **Add data access budget**.

# Editing a data access budget
<a name="edit-access-budget"></a>

As a collaboration member, you can edit the data access budget. When you edit a data access budget, it resets the current budget balance.

You can edit a data access budget from the **Tables** tab or from the table details page.

------
#### [ Tables tab ]

**To edit a data access budget from the **Tables** tab**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. Choose the **Tables** tab.

1. Select the option button next to the table you want to edit.

1. From the **Actions** dropdown list, under **Data access budget**, select **Edit**.

1. On the **Edit data access budget** page, update the **Per period budget** or **Lifetime budget** information.

1. View the **Data access budget summary** to verify that the edits you've made are correct.

1. Choose **Save changes**.

------
#### [ Table details page ]

**To edit a data access budget from the table details page**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. Choose the **Tables** tab.

1. Choose a table.

1. On the table details page, scroll down to the **Data access budget details** section.

1. From the **Actions** dropdown list, choose **Edit**.

1. On the **Edit data access budget** page, update the **Per period budget** or **Lifetime budget** information.

1. Choose **Save changes**.

------

# Deleting a data access budget
<a name="delete-access-budget"></a>

You can delete a data access budget from the **Tables** tab or from the table details page.

------
#### [ Tables tab ]

**To delete a data access budget from the **Tables** tab**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. Choose the **Tables** tab.

1. Select the option button next to the table you want to delete.

1. From the **Actions** dropdown list, under **Data access budget**, select **Delete**.
**Important**  
You can't undo this action and your data access budget will be reset to unlimited.

1. If you're certain that you want to delete the data access budget, choose **Delete**.

------
#### [ Table details page ]

**To delete a data access budget from the table details page**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. Choose the **Tables** tab.

1. Choose a table.

1. On the table details page, scroll down to the **Data access budget details** section.

1. From the **Actions** dropdown list, choose **Delete**.
**Important**  
You can't undo this action and your data access budget will be reset to unlimited.

1. If you're certain that you want to delete the data access budget, choose **Delete**.

------

# Adding a collaboration analysis rule to a configured table
<a name="add-collaboration-analysis-rule"></a>

The *collaboration analysis rule* allows you to specify controls that are specific to this collaboration. These controls work together with the configured table analysis rule to determine how this table can be analyzed within this collaboration.

You add a collaboration analysis rule to a configured table after you've [created a configured table](create-configured-table.md), [added an analysis rule](add-analysis-rule.md), and [associated it to a collaboration](associate-configured-table.md). You need to add a collaboration analysis rule if the table is configured to support direct analysis or to allow additional analysis.
+ **Direct analysis** – The table can be used in queries that analyze it directly. For example, in a query that outputs an aggregate measurement analysis or a list of identifiers for activation.
+ **Additional analysis** – The table can also be used as input into additional analyses, in addition to queries that analyze it directly. For example, the table can be used in a query that is a seed for a lookalike ML model, or an ML input channel for a custom ML model.

**To add the collaboration analysis rule to a table**

1. Sign in to the AWS Management Console and open the [AWS Clean Rooms console](https://console.aws.amazon.com/cleanrooms/home) with your AWS account (if you haven't yet done so).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. On the **Tables** tab, under **Tables associated by you**, view the configured table you've associated to the collaboration. 
   + If **Direct analysis status** or **Additional analysis status** has a status of **Ready**, then the table is ready to be queried.
   + If **Direct analysis status** or **Additional analysis status** has a status of **Not ready**, then select the status, and then choose **Configure** in the dialog box.

1. On the **Configure collaboration analysis rule** page, expand **View configured table analysis rule** to view the details.

1. For **Allowed additional analyses**, choose the option based on your goal.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/add-collaboration-analysis-rule.html)

1. For **Results delivery**, specify who can receive results from the **Members allowed to receive results for query output** dropdown.

1. Choose **Configure analysis rule**.

# Configuring differential privacy policy (optional)
<a name="configure-differential-privacy"></a>

**Note**  
AWS Clean Rooms Differential Privacy is only available for collaborations where the data is stored in Amazon S3.

This procedure describes the process of configuring the differential privacy policy in a collaboration by using the **Guided flow** option in the AWS Clean Rooms console. This is a one-time step for all tables with differential privacy protection.

**To configure differential privacy settings (guided flow)**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. On the **Tables** tab of the collaboration page, choose **Configure differential privacy policy**.

1. On the **Configure differential privacy policy** page, choose values for the following properties:
   + **Privacy budget**
   + **Refresh privacy budget monthly**
   + **Noise added per query**

   You can use the default values or enter custom values that support your specific use case. After choosing values for **Privacy budget** and **Noise added per query**, you can preview the resulting utility in terms of the number of aggregations that are possible across all queries on your data.

1. Choose **Configure**.

You’ll see a confirmation message that you’ve successfully configured the differential privacy policy for the collaboration.

Now that you configured differential privacy, you are ready to: 
+ [Query the data tables](running-sql-queries.md) (as a member who can query)
+ [Collaborations](working-with-collaborations.md) (if you're the collaboration creator)

## Viewing differential privacy usage logs
<a name="view-usage-logs"></a>

As a collaboration member who is protecting data with differential privacy, after you have created a collaboration with differential privacy, you can monitor the usage of the privacy budget.

**To view how many aggregations were run and how much of the privacy budget was used**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. Choose the **Tables** tab.

1. Choose **View usage logs** (blue text).

1. View the usage details, including the privacy budget and how much utility was provided.

## Editing a differential privacy policy
<a name="edit-dp-policy"></a>

At any time after configuring the differential privacy policy, you can update it to better reflect your privacy needs. 

**To edit the differential privacy policy**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. On the **Tables** tab of the collaboration page, under **Tables associated by you**, choose **Edit**.

1. On the **Edit differential privacy** page, choose new values for the following properties:
   + **Privacy budget** – Move the slider bar to either increase or decrease the budget at any point during a collaboration. You can't decrease the budget after the member who can query has started querying your data. If the **Privacy budget** is increased, AWS Clean Rooms will continue using the existing budget until it is fully consumed before utilizing the newly added privacy budget.
   + **Noise added per query **– Move the slider bar to either increase or decrease the **Noise added per query** at any point during a collaboration.
**Note**  
You can chose **Interactive examples** to explore how different values of **Privacy budget** and **Noise added per query** affect the number of aggregate functions that you can run.

   You can't change the value of the **Privacy budget refresh**. To change your selection, you must delete the differential privacy policy and create a new one.

1. Choose **Save changes**.

You see a confirmation message that you’ve successfully edited the differential privacy policy.

## Deleting a differential privacy policy
<a name="dp-delete-policy"></a>

You can delete the differential privacy policy from the **Tables** tab of a collaboration.

**To delete the differential privacy policy**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. On the **Tables** tab of the collaboration page, next to **Differential privacy policy**, select **Delete**.

1. If you’re certain that you want to delete the differential privacy policy, choose **Delete**.

After deleting a differential privacy policy, you can't access the privacy budget usage logs from that policy. Tables with differential privacy turned on can't be queried if the differential privacy policy is deleted.

## Viewing the calculated differential privacy parameters
<a name="dp-view-parameters"></a>

For users with expertise in differential privacy, you can view the calculated differential privacy parameters from the **Analysis** tab of a collaboration.

**To view the calculated differential privacy parameters**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. On the **Analysis** tab, in the **Results** section, select **View calculated differential privacy parameters**.

In the **Calculated differential privacy parameters** table, you can see sensitivity values of aggregate functions, which is defined as the maximum amount by which the result of a function can change if a single user's records are added, removed, or modified. The list includes the following differential privacy parameters:
+ **User contribution limit** (UCL) is the maximum number of rows contributed by a user in a SQL query. For example, if you want to count the total number of matched impressions in a specified campaign where each user can have multiple impressions, AWS Clean Rooms Differential Privacy needs to bound the number of impressions of a single user in order to ensure that the differential privacy calculation is accurate. In other words, if any user has more impressions than the bound, then AWS Clean Rooms automatically takes a uniform random sample of that user's impressions as per the computed UCL value and exclude the remaining impressions of that user while executing the query. The UCL value equals to 1 if you are counting the number of unique users. This is because adding, removing, or modifying a single user can change the count of distinct users by at most 1.
+ **Minimum value** is the lower bound of an expression used within an aggregate function such as `sum()`. For example, if the expression is a column known as `purchase_value`, minimum value is the lower bound of the column.
+ **Maximum value** is the upper bound of an expression used within an aggregate function such as `sum()`. For example, if the expression is a column known as `purchase_value`, maximum value is the upper bound of the column. 

In the **Calculated differential privacy parameters** table, you can use these parameters to better understand the total amount of noise in query results. For example, when the configured **Noise added per query** is 30 users and a `COUNT DISTINCT (user_id)` query is run, then AWS Clean Rooms Differential Privacy adds random noise that falls between -30 and 30 with high probability because the sensitivity of `COUNT DISTINCT` is 1. In the case of a `COUNT` query with the same configuration, AWS Clean Rooms Differential Privacy adds statistical noise that is scaled by the user contribution limit because a single user could contribute multiple rows to the query result. In the case of `SUM` query like `SUM (purchase_value)` where all the column values are positive, the total noise is scaled by the user contribution limit times the maximum value. AWS Clean Rooms Differential Privacy automatically computes the sensitivity parameters to perform noise addition at query run-time and depletes the privacy budget. The depletion of privacy budget is required because the sensitivity parameters are data-dependent.

# Viewing tables and analysis rules
<a name="view-tables"></a>

**To view tables associated with the collaboration and the analysis rules**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. Choose the **Tables** tab.

1. Choose one of the following:

   1. To view your tables associated in the collaboration, for **Tables associated by you**, choose a table (blue text).

   1. To view other tables associated in the collaboration, for **Tables associated by collaborators**, choose a table (blue text).

1. View the table details and analysis rules on the table details page.

# Editing a configured table
<a name="edit-configured-table"></a>

Prerequisites: 
+ An AWS account with access to AWS Clean Rooms

 The following sections explain how to edit the name, description, and configuration details of tables for Amazon S3, Amazon Athena, and Snowflake data sources.

For information about how to edit a configured table using the AWS SDKs, see the [https://docs.aws.amazon.com/clean-rooms/latest/apireference/Welcome.html](https://docs.aws.amazon.com/clean-rooms/latest/apireference/Welcome.html).

**To edit a configured table**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Tables**.

1. Choose the configured table that you created.

1. On the configured table detail page, choose **Edit**.

1. Edit your configuration.

1. Choose **Save changes**.

# Editing configured table tags
<a name="edit-config-table-tags"></a>

As a collaboration member, after you have created a configured table, you can manage the tags on the configured table resource on the **Configured tables** tab.

**To edit the configured table tags**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Tables**.

1. Choose the configured table that you created.

1. On the configured table detail page, scroll down to the **Tags** section.

1. Choose **Manage tags**.

1. On the **Manage tags** page, you can do the following:
   + To remove a tag, choose **Remove**.
   + To add a tag, choose **Add new tag**.
   + To save your changes, choose **Save changes**.

# Editing the configured table analysis rule
<a name="edit-config-table-analysis-rule"></a>

**To edit the configured table analysis rule**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Tables**.

1. Choose the configured table that you created.

1. On the configured table detail page, scroll down to either the **Aggregation analysis rule**, **List analysis rule**, or the **Custom analysis rule ** section. (Your choice depends on which type of analysis rule you chose for the configured table.)

1. Choose **Edit**.

1. On the **Edit analysis rule ** page, you can:
   + Modify the **Analysis rule definition** by:
     + Modifying the JSON editor.
     + Choosing **Import from file** to upload a new analysis rule definition. 
   + Preview what members will see in a collaboration by selecting from the following options:
     + **Table view**
     + **JSON**
     + **Example query**

1. Choose **Save changes** to save your changes.

# Deleting the configured table analysis rule
<a name="delete-config-table-analysis-rule"></a>

**Warning**  
This action can’t be undone and impacts all related resources.

**To delete the configured table analysis rule**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Tables**.

1. Choose the configured table that you created.

1. On the configured table detail page, scroll down to either the **Aggregation analysis rule**, **List analysis rule**, or the **Custom analysis rule** section. (Your choice depends on which type of analysis rule you chose for the configured table.)

1. Choose **Delete**.

1. If you’re certain that you want to delete the analysis rule, choose **Delete**.

# Configured table disallowed columns
<a name="disallowed-columns"></a>

The disallowed output columns configuration is a control in the AWS Clean Rooms custom analysis rule that enables you to define the list of columns (if any) that you don’t allow to be projected in the query result. The columns referenced in this list are considered “disallowed output columns”. This means that any reference to such column through transformation, aliasing, or other means may not be present in the final SELECT (projection) of the query.

While the capability prohibits columns from being directly projected in the output, it doesn't fully prevent underlying values from being indirectly inferred through other mechanisms. These columns can still be used in a projection clause (such as in a subquery or a Common Table Expression (CTE)), as long as they aren't referenced in the very final projection.

The disallowed output columns configuration gives you the flexibility to apply and codify control on your table in combination with analysis template level reviews based on use cases and corresponding privacy requirements.

For more information on how to set this configuration, see [Adding a custom analysis rule to a table (guided flow)](add-analysis-rule.md#add-custom-analysis-rule-wizard).

**Disallowed output columns query constraint and CACHE TABLE**  
The [disallowed output columns constraint](https://docs.aws.amazon.com/clean-rooms/latest/userguide/disallowed-columns.html) in the custom analysis rule is enforced on cached tables. A cached table cannot reference a disallowed output column in its SELECT clause. To use a column with a disallowed output column constraint in a subsequent part of your query, convert the cached table to a common table expression (CTE).

**Examples**

The following examples display how the disallowed output columns control is applied. 
+ Member A is in a collaboration with Member B. 
+ Member B is member who can run queries.
+ Member A defines a table *users* with the columns *age*, *gender*, *email*, and *name*. The columns *age* and *name* are disallowed output columns.
+ Member B defines a table *pets* with a similar set of columns *age*, *gender*, and *owner\$1name*. However, they don't set any constraints on the output columns, meaning that all columns in the table can be projected freely in the query.



If Member B runs the following query, it's blocked because disallowed output columns can't be directly projected:

```
SELECT 
  age 
FROM 
  users
```

If Member B runs the following query, it's blocked because disallowed output columns can't be implicitly projected via project star:

```
SELECT 
  * 
FROM 
  users
```

If Member B runs the following query, it's blocked because transformations of disallowed output columns can't be projected:

```
SELECT 
  COUNT(age) 
FROM 
  users
```

If Member B runs the following query, it's blocked because disallowed output columns can't be referenced in final projection using an alias:

```
SELECT 
  count_age
FROM 
  (SELECT COUNT(age) AS count_age FROM users)
```

If Member B runs the following query, it's blocked because transformed restricted columns are projected in output:

```
SELECT 
  CONCAT(name, email) 
FROM 
  users
```

If Member B runs the following query, it's blocked because disallowed output columns defined in CTE can't be referenced in the final projection:

```
WITH cte AS (
  SELECT 
    age AS age_alias 
  FROM 
    users
)
SELECT age_alias FROM cte
```

If Member B runs the following query, it's blocked because disallowed output columns can't be used as sort or partition keys in the final projection:

```
SELECT 
  LISTAGG(gender) WITHIN GROUP (ORDER BY age) OVER (PARTITION BY age) 
FROM 
  users
```

If Member B runs the following query, it succeeds because columns that are part of the disallowed output columns can still be used across other constructs in the query, such as in join or filter clauses.

```
SELECT
  u.name, 
  p.gender, 
  p.age
FROM 
  users AS u
JOIN 
  pets AS p
ON 
  u.name = p.owner_name
```

In the same scenario, Member B can also use the *name* column in *users* as a filter or sort key:

```
SELECT 
  u.email,
  u.gender
FROM 
  users AS u
WHERE 
  u.name = 'Mike'
ORDER BY
  u.name
```

Additionally, the disallowed output columns from *users* can be used in intermediate projections such as subqueries and CTEs, such as:

```
WTIH cte AS (
 SELECT 
   u.gender, 
   u.id,
   u.first_name
 FROM
   users AS u
)
SELECT 
  first_name 
FROM
  (SELECT cte.gender, cte.id, cte.first_name FROM cte)
```

# Editing configured table associations
<a name="edit-config-table-assoc"></a>

As a collaboration member, you can edit the configured table associations that you have created.

**To edit configured table associations**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. Choose **Tables** tab.

1. For **Tables associated by you**, choose a table.

1. On the table details page, scroll down to view the **Table association details**.

1. Choose **Edit**.

1. On the **Edit configured table associations** page, update the **Description** or the **Service access information**.

1. Choose **Save changes**.

# Disassociating configured tables
<a name="disassociate-config-table"></a>

As a collaboration member, you can disassociate a configured table from the collaboration. This action prevents the member who can query from querying the table.

**To disassociate a configured table**

1. Sign in to the AWS Management Console and open the AWS Clean Rooms console at [https://console.aws.amazon.com/cleanrooms](https://console.aws.amazon.com/cleanrooms/home).

1. In the left navigation pane, choose **Collaborations**.

1. Choose the collaboration.

1. Choose **Tables** tab.

1. For **Tables associated by you**, select the option button next to the table that you want to disassociate.

1. Choose **Disassociate**.

1. In the dialog box, confirm the decision to disassociate the configured table and prevent the member who can query from querying the table by choosing **Disassociate**.