I restricted permissions for an AWS Identity and Access Management (IAM) user in AWS Lake Formation. However, the IAM user can still access Amazon Athena to query a table.
Short description
To restrict IAM user access, update the security settings of new and existing Data Catalog resources so that they use the Lake Formation permissions model instead of IAM-only access control.
To learn more about Lake Formation default permissions, see Upgrading AWS Glue data permissions to the AWS Lake Formation model.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Update the default security settings for a new Data Catalog resource
For a new Data Catalog resource in your data lake, see Changing the default settings for your data lake. Updates to the default security settings apply only to new resources.
To change the settings for only specific new resources instead, create the resource first, and then update the permissions on that resource alone. For more information, see Granting permissions on Data Catalog resources.
Update the security settings for an existing Data Catalog resource
To remove the IAMAllowedPrincipals permissions from an existing database, complete the following steps:
- Open the AWS Lake Formation console.
- In the navigation pane, under Data catalog, choose Databases.
- Select the circle next to the database that you want to update.
- Choose Actions, and then choose Edit.
- Under Default permissions for newly created tables, clear Use only IAM access control for new tables in this database.
- Choose Save.
- On the Databases page, verify that the database is selected. Choose Actions, and then choose Revoke.
- In the Revoke permissions dialog box, in the IAM users and roles list, for Group, choose IAMAllowedPrincipals.
- Under Database permissions, verify that Super is selected, and then choose Revoke.
To remove the IAMAllowedPrincipals permissions on an existing table, complete the following steps:
- Open the AWS Lake Formation console.
- In the navigation pane, choose Tables.
- On the Tables page, select the circle next to the table that you want to update.
- Choose Actions, and then choose Revoke.
- In the Revoke permissions dialog box, in the IAM users and roles list, for Group, choose IAMAllowedPrincipals.
- Under Table permissions, verify that Super is selected, and then choose Revoke.
Note: Be sure that the Amazon Simple Storage Service (Amazon S3) path to the database or table is registered with Lake Formation.
After you change the security settings for an existing resource, use the AWS CLI or Lake Formation console to grant table permissions to the IAM user.
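The following script is an added example, not part of the original article, that performs the console steps above with the AWS CLI: it revokes the Super grant (called ALL in the Lake Formation API) from IAMAllowedPrincipals on a database and a table, grants SELECT on the table to one IAM user, lists the remaining grants so that you can confirm IAMAllowedPrincipals is gone, and clears the default grants for newly created databases and tables. The database name sales_db, table name orders, account ID 111122223333 and user name analyst are constructed placeholders, and the clear_default_iam_grants function assumes jq is installed.

```shell
#!/bin/sh
# Added example (not from the original article): Lake Formation revoke/grant
# steps via the AWS CLI. Names, account ID and user below are constructed
# placeholders. Set AWS=echo to print the commands instead of running them.
set -eu

AWS="${AWS:-aws}"

# Lake Formation pseudo-principal meaning "whoever IAM allows".
IAM_ALLOWED_PRINCIPALS="IAM_ALLOWED_PRINCIPALS"

# Build the --resource JSON for a database or a table.
# usage: lf_resource database <db>  |  lf_resource table <db> <table>
lf_resource() {
  case "$1" in
    database) printf '{"Database":{"Name":"%s"}}' "$2" ;;
    table)    printf '{"Table":{"DatabaseName":"%s","Name":"%s"}}' "$2" "$3" ;;
    *) echo "unknown resource kind: $1" >&2; return 1 ;;
  esac
}

# Revoke the Super grant (API name: ALL) held by IAMAllowedPrincipals.
# This is the CLI equivalent of the console "Revoke" steps.
revoke_iam_allowed() {
  $AWS lakeformation revoke-permissions \
    --principal "DataLakePrincipalIdentifier=$IAM_ALLOWED_PRINCIPALS" \
    --permissions ALL \
    --resource "$(lf_resource "$@")"
}

# Grant SELECT on one table to a specific IAM user or role ARN.
grant_select() {
  principal_arn="$1"; db="$2"; table="$3"
  $AWS lakeformation grant-permissions \
    --principal "DataLakePrincipalIdentifier=$principal_arn" \
    --permissions SELECT \
    --resource "$(lf_resource table "$db" "$table")"
}

# Show who still holds grants on a resource. After the revoke,
# IAM_ALLOWED_PRINCIPALS must no longer appear in this output.
list_grants() {
  $AWS lakeformation list-permissions \
    --resource "$(lf_resource "$@")" \
    --query 'PrincipalResourcePermissions[].[Principal.DataLakePrincipalIdentifier,Permissions]' \
    --output text
}

# Stop new databases and tables from receiving the IAMAllowedPrincipals
# Super grant. put-data-lake-settings replaces the whole settings object,
# so read it, empty the two default-permission lists, and write it back.
# Assumes jq is installed.
clear_default_iam_grants() {
  $AWS lakeformation get-data-lake-settings --query DataLakeSettings --output json \
    | jq '.CreateDatabaseDefaultPermissions = [] | .CreateTableDefaultPermissions = []' \
    > /tmp/lf-settings.json
  $AWS lakeformation put-data-lake-settings --data-lake-settings file:///tmp/lf-settings.json
}

main() {
  db="sales_db"; table="orders"                       # constructed names
  analyst="arn:aws:iam::111122223333:user/analyst"    # placeholder account and user
  revoke_iam_allowed database "$db"
  revoke_iam_allowed table "$db" "$table"
  grant_select "$analyst" "$db" "$table"
  list_grants table "$db" "$table"
  clear_default_iam_grants
}

# Run the procedure only when invoked with --apply; otherwise only define functions.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `sh lf-restrict.sh --apply` with credentials for a Lake Formation administrator. Because the IAM user in the question already has a Super grant through IAMAllowedPrincipals, the revoke must be done on both the database and the table; clearing the default grants alone does not touch existing resources.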
To perform Lake Formation operations, a user must have both Lake Formation permissions (granted in Lake Formation) and IAM permissions (granted through IAM policies). To query a table from Athena when Lake Formation manages permissions, the user must have the following IAM permissions. Note that the policy grants S3 access only to the Athena query results bucket; access to the table's own S3 location is obtained through lakeformation:GetDataAccess, which Lake Formation allows only according to the permissions granted in Lake Formation:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "minimumAWSGlueLakeFormationAthenapermissiontorunselectqueryontable",
      "Effect": "Allow",
      "Action": [
        "lakeformation:GetDataAccess",
        "glue:SearchTables",
        "glue:GetTables",
        "glue:GetPartitions",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetDatabase",
        "athena:GetNamespace",
        "athena:ListWorkGroups",
        "athena:GetCatalogs",
        "athena:GetNamespaces",
        "athena:GetExecutionEngine",
        "athena:GetExecutionEngines",
        "athena:GetTables",
        "athena:GetTable"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AthenaPermissionToRunQueryInAWorkergroup",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryResults",
        "athena:DeleteNamedQuery",
        "athena:GetNamedQuery",
        "athena:ListQueryExecutions",
        "athena:StopQueryExecution",
        "athena:GetQueryResultsStream",
        "athena:ListNamedQueries",
        "athena:CreateNamedQuery",
        "athena:GetQueryExecution",
        "athena:BatchGetNamedQuery",
        "athena:BatchGetQueryExecution"
      ],
      "Resource": [
        "arn:aws:athena:*:*:workgroup/*"
      ]
    },
    {
      "Sid": "allowS3PermissionToSaveAthenaQueryResults",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::aws-athena-query-results-*"
      ]
    }
  ]
}