How do I use IAM to restrict access to Athena resources?


I want to use AWS Identity and Access Management (IAM) to restrict access to Amazon Athena queries and resources.

Short description

You can attach IAM policies to IAM entities (users or roles) to allow or restrict access to Athena resources, such as queries, and to the AWS services that Athena uses.

Note: Make sure that you follow security best practices in IAM.

Resolution

Follow these guidelines to check or provide Athena permissions for your use case.

Access to Amazon S3 bucket locations

Athena queries must have access to the Amazon Simple Storage Service (Amazon S3) source data bucket and query result bucket locations.

Example IAM policy to provide access to S3 bucket locations:

{
    "Sid": "BaseQueryResultsPermissions",
    "Effect": "Allow",
    "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:CreateBucket",
        "s3:PutObject",
        "s3:PutBucketPublicAccessBlock"
    ],
    "Resource": [
        "arn:aws:s3:::Query-Result-Bucket-Name",
        "arn:aws:s3:::Query-Result-Bucket-Name/*"
    ]
}

Note: Replace Query-Result-Bucket-Name with your bucket name. The first ARN (the bucket itself) covers bucket-level actions such as s3:ListBucket and s3:GetBucketLocation; the second ARN, with the /* suffix, covers the objects that Athena reads and writes inside the bucket.

If your query doesn't have access to the S3 source and query result buckets, then you might receive an Access Denied error. For more information, see Why do I get the "Access Denied" error when I run a query in Amazon Athena?

Permissions to Amazon S3 buckets

Athena queries must also be able to read the Amazon S3 locations that hold your table data (the AWS Glue database warehouse location and the table location) and to list and locate buckets.

Example IAM policy to grant permissions to S3 buckets:

{
    "Sid": "BaseAthenaExamplesPermissions",
    "Effect": "Allow",
    "Action": [
        "s3:GetObject",
        "s3:ListBucket"
    ],
    "Resource": [
        "arn:aws:s3:::Glue-Database-Warehouse-Location",
        "arn:aws:s3:::Glue-Database-Warehouse-Location/*",
        "arn:aws:s3:::Glue-Table-Location",
        "arn:aws:s3:::Glue-Table-Location/*"
    ]
},
{
    "Sid": "BaseS3BucketPermissions",
    "Effect": "Allow",
    "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
    ],
    "Resource": [
        "*"
    ]
}

Note: Replace Glue-Database-Warehouse-Location and Glue-Table-Location with the S3 bucket names (and prefixes) of your AWS Glue database and table locations. The BaseS3BucketPermissions statement uses "*" as its resource because s3:ListAllMyBuckets isn't scoped to a single bucket. Because that statement applies to every bucket in the account, it lets the principal list the keys in any bucket, although it grants no access to the objects themselves.

If you use an AWS Key Management Service (AWS KMS) key to provide encryption, then see Supported Amazon S3 encryption options.

Access to Athena workgroups

You can use workgroups to control query access and costs. View examples of IAM policies that you can use to provide access to workgroups for your Athena queries.

Access to Glue Data Catalog database and table

You can use fine-grained access control to databases and tables in the AWS Glue Data Catalog.

Example policy to provide access to the Data Catalog table:

{
    "Effect": "Allow",
    "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:DeleteTable",
        "glue:GetPartitions",
        "glue:GetPartition",
        "glue:DeletePartition",
        "glue:BatchCreatePartition"
    ],
    "Resource": [
        "arn:aws:glue:us-east-1:123456789012:catalog",
        "arn:aws:glue:us-east-1:123456789012:database/example_db",
        "arn:aws:glue:us-east-1:123456789012:table/example_db/test"
    ]
},
{
    "Effect": "Deny",
    "Action": "glue:*",
    "NotResource": [
        "arn:aws:glue:us-east-1:123456789012:catalog",
        "arn:aws:glue:us-east-1:123456789012:database/example_db",
        "arn:aws:glue:us-east-1:123456789012:table/example_db/test"
    ]
}

Note: Replace example_db and example_db/test with your database and table names. The Deny statement uses NotResource so that glue:* is explicitly denied on every Data Catalog resource except the ones listed, and an explicit deny overrides any Allow. Keep the catalog ARN in the NotResource list: every Data Catalog API call is also authorized against the catalog resource, so denying it would block the calls that the Allow statement is meant to permit.
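To see how the S3 statements above and this fine-grained Data Catalog policy actually evaluate, the following added example (not AWS code and not part of this article) implements the subset of IAM evaluation logic that matters here: default deny, an explicit Deny overriding Allow, and * wildcards in Action, Resource and NotResource. The bucket name query-results-bucket, the other_db database and the payroll table are constructed placeholders. It shows why the object ARN needs the /* suffix and why the catalog ARN must be excluded from the Deny statement.

```python
"""Minimal offline simulator of IAM policy evaluation for the statements in this
article. Added example, not AWS code: it covers only Effect, Action, Resource and
NotResource with '*' / '?' wildcards (no Condition, Principal, or SCPs)."""
import re

ACCOUNT = "123456789012"  # account ID used in the article's examples
REGION = "us-east-1"
CATALOG = f"arn:aws:glue:{REGION}:{ACCOUNT}:catalog"
DB = f"arn:aws:glue:{REGION}:{ACCOUNT}:database/example_db"
TABLE = f"arn:aws:glue:{REGION}:{ACCOUNT}:table/example_db/test"
# Constructed resources that the policy is meant to keep out of reach.
OTHER_DB = f"arn:aws:glue:{REGION}:{ACCOUNT}:database/other_db"
OTHER_TABLE = f"arn:aws:glue:{REGION}:{ACCOUNT}:table/other_db/payroll"


def _match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' spans any characters (including ':' and '/'), '?' one.
    Action names are case-insensitive; ARNs are matched case-sensitively."""
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    ) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _applies(stmt, action, resource):
    """Does this statement cover the (action, resource) pair?"""
    if not any(_match(p, action, ignore_case=True) for p in _as_list(stmt.get("Action", []))):
        return False
    if "Resource" in stmt:
        return any(_match(p, resource) for p in _as_list(stmt["Resource"]))
    if "NotResource" in stmt:  # NotResource covers everything NOT listed
        return not any(_match(p, resource) for p in _as_list(stmt["NotResource"]))
    return False


def evaluate(statements, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'. An explicit Deny
    always wins, which is the behaviour the NotResource pattern relies on."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if _applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(statements, action, *resources):
    """Glue API calls are authorized against several ARNs at once (GetTable needs
    catalog + database + table); every one of them must evaluate to Allow."""
    return all(evaluate(statements, action, r) == "Allow" for r in resources)


def s3_statement(bucket, object_suffix="/*"):
    """Read access to one bucket. The bucket ARN covers ListBucket; objects need
    the second ARN with the '/*' suffix, or GetObject is implicitly denied."""
    return {
        "Effect": "Allow",
        "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}{object_suffix}"],
    }


def glue_table_policy(exclude_catalog_from_deny=True):
    """The article's fine-grained pattern: Allow on one database/table, then
    Deny glue:* on everything else via NotResource. Pass False to reproduce
    the mistake of leaving the catalog ARN out of NotResource."""
    keep = [DB, TABLE] + ([CATALOG] if exclude_catalog_from_deny else [])
    return [
        {"Effect": "Allow",
         "Action": ["glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetPartitions"],
         "Resource": [CATALOG, DB, TABLE]},
        {"Effect": "Deny", "Action": "glue:*", "NotResource": keep},
    ]


if __name__ == "__main__":
    results_bucket = "query-results-bucket"  # constructed placeholder
    obj = f"arn:aws:s3:::{results_bucket}/Unsaved/2024/abc.csv"
    print("GetObject with '/*':", evaluate([s3_statement(results_bucket)], "s3:GetObject", obj))
    print("GetObject with '/' :", evaluate([s3_statement(results_bucket, "/")], "s3:GetObject", obj))
    good, bad = glue_table_policy(True), glue_table_policy(False)
    print("GetTable example_db/test:", is_allowed(good, "glue:GetTable", CATALOG, DB, TABLE))
    print("GetTable other_db/payroll:", is_allowed(good, "glue:GetTable", CATALOG, OTHER_DB, OTHER_TABLE))
    print("GetDatabases, catalog in NotResource:", evaluate(good, "glue:GetDatabases", CATALOG))
    print("GetDatabases, catalog omitted:", evaluate(bad, "glue:GetDatabases", CATALOG))
```

Run it as a script to see both cases side by side. The simulator is deliberately incomplete (no Condition keys, resource policies or permissions boundaries), so treat it as a way to reason about the Allow/Deny/NotResource interaction before testing a real policy with the IAM policy simulator.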

If your Data Catalog is encrypted, then you must add the following actions:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt",
            "kms:Encrypt"
        ],
        "Resource": "arn of the key used to encrypt the catalog"
    }
}

For more information, see Examples of fine-grained permissions to tables and databases.

Related information

Identity and access management in Athena

Cross-account access in Athena to Amazon S3 buckets

AWS OFFICIAL
Updated 2 months ago