
Restrict s3 access but provide athena access via lake formation

0

Hi All, Relatively new to the AWS world. I have a requirement where I have some sensitive files in S3 that I want users to only have read access to (no download, no S3 Select). On the other end I have created tables in the Glue catalog on these files and am governing them purely from Lake Formation.

In S3 I initially provided "list" and "get" policies and then, using Lake Formation data filters/LF-Tags, I excluded the sensitive columns and gave the users read access on the table, and it worked out great when they were querying from Athena. But the "get" policy allows the user to use S3 Select to view the data, and they were also able to download the file. If I revoke the "get" policy, then Athena gives an error for not being able to get the file from S3. I am sure I am missing something here in the configuration and want to get some advice on how to achieve this use case.

Thank you

asked 2 years ago · 681 views
1 Answer
0

Hi,

In what you describe, you have 2 security principals: 1) the human user and 2) the Glue Service.

So, you can create 2 different roles with 2 different policies: 1 for the user with no access to S3 and 1 for Athena (that you seem to have already: it's the execution role of the service) with restricted access to the data chunks that it needs (you seem to have done that properly).

If you don't want the user to need to assume his role (which is best practice though), you can grant him directly the authorizations that he needs (i.e. excluding S3 get in your case).

Best,

Didier

EXPERT
answered 2 years ago
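The split the answer describes, as an added worked example that is not part of the thread and not AWS's own code: two IAM policy documents, one for the human user (Athena/Glue/Lake Formation API calls only, with an explicit Deny on `s3:GetObject` for the data prefix so that neither download nor S3 Select can be reintroduced by another attached policy) and one for the role Athena/Lake Formation uses to read the registered data location. A small evaluator implementing IAM's explicit-deny, then allow, then implicit-deny ordering lets the split be checked offline before anything is deployed. The bucket name, prefix and region/account in the test ARNs are placeholders, and the evaluator ignores conditions, resource policies and permission boundaries on purpose.

```python
"""Added example: policy split for the user vs. the data-access role,
checked with a simplified local IAM evaluator. Not from the re:Post thread."""
import fnmatch
import json

BUCKET = "example-sensitive-bucket"   # placeholder, not from the thread
PREFIX = "sensitive/"                 # placeholder data location prefix
DATA_ARN = f"arn:aws:s3:::{BUCKET}/{PREFIX}*"

# Human user: may run queries through Athena and read catalog metadata, but
# the explicit Deny blocks s3:GetObject on the data, which is the permission
# both a direct download and S3 Select rely on.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QueryThroughAthenaOnly",
            "Effect": "Allow",
            "Action": [
                "athena:StartQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetTable",
                "glue:GetTables",
                "lakeformation:GetDataAccess",
            ],
            "Resource": "*",
        },
        {
            "Sid": "NoDirectObjectRead",
            "Effect": "Deny",
            "Action": ["s3:GetObject"],
            "Resource": [DATA_ARN],
        },
    ],
}

# Role used on the service side to read the registered location: object
# reads are limited to the registered prefix, nothing else in the bucket.
DATA_ACCESS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadRegisteredPrefixOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [DATA_ARN],
        },
        {
            "Sid": "ListBucketForPrefix",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}"],
        },
    ],
}


def _matches(patterns, value):
    """IAM-style wildcard match: '*' spans any characters, including '/'."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins over any Allow;
    with no matching statement at all the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def check_split(region="us-east-1", account="123456789012"):
    """Return the outcomes a practitioner would want to confirm before deploying."""
    data_obj = f"arn:aws:s3:::{BUCKET}/{PREFIX}part-0000.parquet"   # constructed
    other_obj = f"arn:aws:s3:::{BUCKET}/other/report.csv"           # constructed
    workgroup = f"arn:aws:athena:{region}:{account}:workgroup/primary"
    return {
        "user_can_query_athena": is_allowed(USER_POLICY, "athena:StartQueryExecution", workgroup),
        "user_can_get_object": is_allowed(USER_POLICY, "s3:GetObject", data_obj),
        "role_can_get_data": is_allowed(DATA_ACCESS_ROLE_POLICY, "s3:GetObject", data_obj),
        "role_can_get_other": is_allowed(DATA_ACCESS_ROLE_POLICY, "s3:GetObject", other_obj),
    }


if __name__ == "__main__":
    print(json.dumps(check_split(), indent=2))
```

Two practical notes: Athena still writes query results to the query result location, and the user needs S3 permissions on that bucket (not covered above), so keep it separate from the data bucket and its prefix so the Deny statement does not block result retrieval. And the role policy here grants only the object read; the table itself stays governed by the Lake Formation data filters and LF-Tags the question already has in place.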
