Why do I get the AmazonS3Exception "Access Denied with Status Code: 403" in Amazon Athena when I query a bucket in another account?

Short description

This error commonly occurs when you try to query logs written by another AWS service, such as AWS CloudTrail, Amazon CloudFront, and Amazon Virtual Private Cloud (Amazon VPC). These services log events to Amazon S3. The bucket owner has full access to the S3 objects. The second account doesn't own the bucket or the objects. That's why the second account gets an access denied error when querying an Athena table that references these S3 objects.

Resolution

It's not possible to transfer ownership of Amazon S3 objects. Instead, use one of the following options:

• In the Athena account, assume an AWS Identity and Access Management (IAM) role that has access to both the bucket and the objects. For more information, see Tutorial: Delegate access across AWS Accounts using IAM roles.
• Follow the instructions at How can I copy S3 objects from another AWS account? to copy the objects to a bucket in the Athena account. Then, delete any redundant or unnecessary objects from the destination bucket to avoid unnecessary charges.

Related information

Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?

How do I transfer the ownership of Amazon S3 objects to a different AWS account?

Why do I get the "Access Denied" error when I run a query in Amazon Athena?