Cross account access from Athena to S3

Question

Hi,

I have a customer who has an S3 bucket in one account and wants to run Athena queries from a different account on data stored in the bucket.  They don't want to provide root account level access to that bucket. Is there is an easier way to have granular cross account permissions implemented, other then bucket policies?

Could S3 Access Points be an option?

Thanks

Accepted Answer

With Lake formation, it is super easy to granting/manage centralize access to various AWS services which include Athena, RS-S, EMR, etc.

In order to build cross account Data Lake -

1. Grant access to your cross account bucket by following below doc

https://docs.aws.amazon.com/lake-formation/latest/dg/register-cross-account.html

2. Register your bucket in Lake formation
3. Create database 
4. Grant access to registered bucket and database
5. Crawl you registered bucket 
6. Start granting access to different Personas

https://docs.aws.amazon.com/lake-formation/latest/dg/permissions-reference.html

You can follow below doc to learn how to build it.

https://aws.amazon.com/blogs/big-data/access-and-manage-data-from-multiple-accounts-from-a-central-aws-lake-formation-account/

Cross account access from Athena to S3

相关内容