I'm in an enterprise account and wanted to give someone access to query the CloudTrail logs that are in the Log Archive account Control Tower created. But when I go in with the AWSReadOnlyAccess permission set, I get errors bringing up Athena and can't see the tables that were created in there. It all seems like it should be read-only stuff; is that just a miss on AWS's part? It's not very useful if the first thing I tried that set of permissions with doesn't work.
User: arn:aws:sts::....:assumed-role/AWSReservedSSO_AWSReadOnlyAccess_.../... is not authorized to perform: athena:GetQueryExecution on resource: arn:aws:athena:us-east-1:...:workgroup/primary because no identity-based policy allows the athena:GetQueryExecution action. This query ran against the "" database, unless qualified by the query.
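The error above is the standard IAM AccessDenied shape, so the missing action can be read straight out of it. What a read-only permission set cannot cover is that Athena needs StartQueryExecution/GetQueryExecution/GetQueryResults on the workgroup, Glue catalog reads for the table metadata, S3 reads on the CloudTrail bucket, and, even for a plain SELECT, s3:PutObject on the query-results location. The following is an added example (not the poster's code and not an AWS-provided policy): it parses the denial message, builds a least-privilege identity policy for running Athena queries over CloudTrail, and does a crude local check of whether that policy covers the denied action. The account id 111122223333, the region, the workgroup name and both bucket names are constructed placeholders; the action names are the real IAM action names for Athena, Glue and S3. The local check ignores Deny statements, conditions, resource policies and SCPs, so confirm with the IAM policy simulator before relying on it.

```python
"""Added example: map an Athena AccessDenied message to the IAM actions a query
role needs. Placeholders (account id, region, workgroup, bucket names) are
constructed for the example; the IAM action names are real."""
import fnmatch
import re

# Constructed from the error text in the post; the elided ARN parts are filled
# with documentation-style placeholders, not real identifiers.
SAMPLE_ERROR = (
    "User: arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_AWSReadOnlyAccess_abc123/jane "
    "is not authorized to perform: athena:GetQueryExecution on resource: "
    "arn:aws:athena:us-east-1:111122223333:workgroup/primary "
    "because no identity-based policy allows the athena:GetQueryExecution action"
)

# Standard shape of an IAM AccessDenied message: principal, action, resource.
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)"
)


def parse_access_denied(msg):
    """Return {'principal','action','resource'} from an AccessDenied message, or None."""
    m = DENIED_RE.search(msg)
    return m.groupdict() if m else None


def athena_query_policy(account_id, region, workgroup, cloudtrail_bucket, results_bucket):
    """Least-privilege identity policy for running Athena queries over CloudTrail logs.

    Note the s3:PutObject on the results bucket: Athena writes every query's output
    to S3, which is why a Get*/List*/Describe*-only policy can never succeed here.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RunAthenaQueriesInWorkgroup",
                "Effect": "Allow",
                "Action": [
                    "athena:GetWorkGroup",
                    "athena:StartQueryExecution",
                    "athena:GetQueryExecution",
                    "athena:GetQueryResults",
                    "athena:StopQueryExecution",
                    "athena:ListQueryExecutions",
                ],
                # Scoped to one workgroup so analysts cannot run queries elsewhere.
                "Resource": f"arn:aws:athena:{region}:{account_id}:workgroup/{workgroup}",
            },
            {
                "Sid": "ReadGlueCatalog",
                "Effect": "Allow",
                "Action": [
                    "glue:GetDatabase", "glue:GetDatabases",
                    "glue:GetTable", "glue:GetTables",
                    "glue:GetPartition", "glue:GetPartitions",
                ],
                # Could be narrowed to the catalog/database/table ARNs of the CloudTrail table.
                "Resource": "*",
            },
            {
                "Sid": "ReadCloudTrailObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": [f"arn:aws:s3:::{cloudtrail_bucket}", f"arn:aws:s3:::{cloudtrail_bucket}/*"],
            },
            {
                "Sid": "WriteQueryResults",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket",
                           "s3:GetBucketLocation", "s3:AbortMultipartUpload"],
                # Write access only to the results bucket, never to the log bucket.
                "Resource": [f"arn:aws:s3:::{results_bucket}", f"arn:aws:s3:::{results_bucket}/*"],
            },
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_allows(policy, action, resource):
    """Crude local check: does some Allow statement's Action and Resource wildcard-match?

    Ignores Deny, Condition, NotAction/NotResource, resource policies and SCPs;
    it is a first filter, not a substitute for the IAM policy simulator.
    """
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "Action" not in st or "Resource" not in st:
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            return True
    return False


def triage(error_msg, candidate_policy):
    """Parse a denial and say whether the candidate policy would have covered it."""
    d = parse_access_denied(error_msg)
    if d is None:
        return None
    return {**d, "covered": policy_allows(candidate_policy, d["action"], d["resource"])}


if __name__ == "__main__":
    pol = athena_query_policy("111122223333", "us-east-1", "primary",
                              "aws-controltower-logs-111122223333-us-east-1",
                              "athena-results-111122223333")
    print(triage(SAMPLE_ERROR, pol))
```

Iterate with this: attach the policy, rerun the query, and feed each new AccessDenied message back into `triage` until none remain; the denials arrive one action at a time, which is why people give up and reach for `athena:*`.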