
How to block access to Boto3 client from accessing Athena workgroup

0

I need to block the Boto3 client from accessing an Athena workgroup while allowing Tableau. Both use the JDBC driver. Is there any port/IAM policy to achieve this? Both Tableau and the Boto3 client access it from outside my VPC and account.

2 Answers
1

Hi,

I don't think that blocking access via agent name is a safe practice: remember that AWS SDKs like boto3 are open source, so anybody can modify the agent name by changing the source code accordingly.

The only valid way is via regular IAM credentials: the boto3 client and Parquet must have different credentials so that they are distinctly authenticated. Then, you can safely authorize Parquet while forbidding boto3.

Best,

Didier

EXPERT
answered 2 years ago
AWS
EXPERT
reviewed 2 years ago
0

Hello.

When you make a request with boto3, the boto3 user agent will be recorded as shown below.

"userAgent": "Boto3/1.34.105 md/Botocore#1.34.105 ua/2.0 os/linux#6.1.96-102.177.amzn2023.x86_64 md/arch#x86_64 lang/python#3.9.16 md/pyimpl#CPython exec-env/CloudShell cfg/retry-mode#legacy Botocore/1.34.105",

So, if you use "aws:UserAgent" as an IAM condition key, you may be able to deny access from boto3.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-useragent

I created and tested the following IAM policy.
The IAM policy below allows all operations on Athena, but only "GetWorkGroup" is denied when the user agent is boto3.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "athena:GetWorkGroup",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:UserAgent": "Boto3*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "athena:*",
            "Resource": "*"
        }
    ]
}

I was able to access the workgroup without any problems when accessing from the management console.
[Screenshot of the console result not preserved]

It was confirmed that when executing "get_work_group(WorkGroup='primary')" with boto3, the following error occurs.

Traceback (most recent call last):
  File "/home/cloudshell-user/test.py", line 5, in <module>
    response = client.get_work_group(WorkGroup='primary')
  File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 565, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 1021, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetWorkGroup operation: You are not authorized to perform: athena:GetWorkGroup on the resource. After your AWS administrator or you have updated your permissions, please try again.
EXPERT
answered 2 years ago
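To see how the Deny statement in the answer above actually combines with the Allow, here is a small single-policy evaluator (an added example, not code from either answer or from AWS). It models only the StringLike operator and action matching, not resource ARNs or other policies; the boto3 user agent is the one quoted in the answer, while the non-boto3 agent string is a constructed stand-in since the real Tableau/JDBC string is not on the page.

```python
import fnmatch
import json

# The policy from the answer above, copied verbatim.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "athena:GetWorkGroup", "Resource": "*",
     "Condition": {"StringLike": {"aws:UserAgent": "Boto3*"}}},
    {"Effect": "Allow", "Action": "athena:*", "Resource": "*"}
  ]
}
""")

# User agent string quoted in the answer above.
BOTO3_AGENT = ("Boto3/1.34.105 md/Botocore#1.34.105 ua/2.0 os/linux#6.1.96-102.177.amzn2023.x86_64 "
               "md/arch#x86_64 lang/python#3.9.16 md/pyimpl#CPython exec-env/CloudShell "
               "cfg/retry-mode#legacy Botocore/1.34.105")
# Constructed stand-in for any non-boto3 client; the real Tableau/JDBC string is not on the page.
OTHER_AGENT = "ExampleJdbcDriver/1.0 (constructed)"


def condition_matches(condition, context):
    """Evaluate the StringLike operator used in the policy. IAM StringLike is
    case-sensitive and supports * and ? wildcards, which fnmatchcase mirrors."""
    for operator, clauses in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, pattern in clauses.items():
            if key not in context or not fnmatch.fnmatchcase(context[key], pattern):
                return False
    return True


def evaluate(policy, action, context):
    """Simplified single-policy IAM evaluation: a matching explicit Deny wins
    over any Allow; if nothing allows the action the result is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not fnmatch.fnmatchcase(action, stmt["Action"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for agent in (BOTO3_AGENT, OTHER_AGENT):
        for action in ("athena:GetWorkGroup", "athena:StartQueryExecution"):
            print(f"{agent.split()[0]:<40} {action:<28} {evaluate(POLICY, action, {'aws:UserAgent': agent})}")
```

Running it shows that only GetWorkGroup from an agent starting with "Boto3" is denied; every other Athena action from that same client, and any action from an agent string that does not start with "Boto3", is allowed, which is the point the first answer makes about the agent name not being a security boundary.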
