- Más nuevo
- Más votos
- Más comentarios
Hello,
You can achieve your use case by restricting the user's "Get and Put" Object permissions for that particular S3 location (query result location) and then to still run queries and to view results via Athena, you can consider using AWS global condition context keys such as "aws:CalledViaLast".
{ "Sid": "BlockAthenaDownloads", "Effect": "Deny", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::athenaquery_result_loction/prefix/*", "Condition": { "StringNotEquals": { "aws:calledViaLast": [ "athena.amazonaws.com" ] } } }
Please refer to the documentation below to learn more about AWS global condition context keys:
[+] AWS global condition context keys - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-calledvia
Further, to create policy via terraform please refer to the below link:
[+] https://registry.terraform.io/providers/-/aws/latest/docs/resources/iam_role_policy_attachment
Thank you!
Contenido relevante
- preguntada hace 2 meses
- preguntada hace un mes
- preguntada hace un mes
- preguntada hace 7 días
- OFICIAL DE AWSActualizada hace 3 años
- OFICIAL DE AWSActualizada hace 3 años
- OFICIAL DE AWSActualizada hace 4 años
- OFICIAL DE AWSActualizada hace 4 años
Thank you! It worked...