AWS athena documentation change
Summary
Significantly restructured and expanded documentation for Athena federated connector permissions, adding detailed IAM policy examples for AWS Glue Data Catalog federated connectors (with and without Lambda) and Athena data catalog federated connectors, including specific actions and explanations.
Security assessment
This change adds comprehensive security documentation about required IAM permissions for Athena federated connectors, including specific policy examples and security best practices (noting to scope permissions in production). It does not address a specific security vulnerability but rather provides general security guidance for proper IAM configuration.
Diff
diff --git a/athena/latest/ug/connect-to-a-data-source-permissions.md b/athena/latest/ug/connect-to-a-data-source-permissions.md index 76556f8aa..492124d99 100644 --- a//athena/latest/ug/connect-to-a-data-source-permissions.md +++ b//athena/latest/ug/connect-to-a-data-source-permissions.md @@ -6,0 +7,2 @@ +AWS Glue Data Catalog federated connectors without Lambda permissionsAWS Glue Data Catalog federated connectors with Lambda permissionsAthena data catalog federated connectors permissions + @@ -9 +11,96 @@ -To create and use a data source, you need the following sets of permissions. +## AWS Glue Data Catalog federated connectors without Lambda permissions + + * **IAM principal permissions to invoke Athena API for connector management and querying** + + * **Amazon Athena access** – The AmazonAthenaFullAccess managed policy provides full access to Amazon Athena and scoped access to the dependencies needed to enable querying, writing results, and data management. For more information, see [AmazonAthenaFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAthenaFullAccess.html) in the AWS Managed Policy Reference Guide. + + * **AWS Glue connection management** – Permissions to create and manage AWS Glue connection objects. + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "glue:GetConnection", + "glue:CreateConnection", + "glue:DeleteConnection", + "glue:UpdateConnection" + ], + "Resource": "*" + } + ] + } + +###### Note + +The example policy uses `"Resource": "*"` for simplicity. For production environments, scope permissions to specific resources where possible. + + * **AWS Lake Formation access** – Permissions to create an AWS Glue Catalog and use fine-grained access control. + +JSON + + +**** + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "lakeformation:RegisterResource", + "iam:ListRoles", + "glue:CreateCatalog", + "glue:GetCatalogs", + "glue:GetCatalog" + ], + "Resource": "*" + } + ] + } + + + * **Glue Data Catalog IAM role** + + * This section covers the permissions required for Athena to provision the infrastructure and query your data source. Amazon Athena Federated Query requires the following permissions in the role passed to **Glue Data Catalog IAM Role**. + +###### Note + +When you connect to a data source in a VPC, Athena creates an Elastic Network Interface (ENI) in your account within the specified VPC. The IAM role requires EC2 permissions to create, describe, and delete this network interface. + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "glue:ManagedConnector", + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue", + "secretsmanager:PutSecretValue", + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + "ec2:DescribeVpcs", + "dynamodb:DescribeTable", + "dynamodb:ListTables", + "dynamodb:Scan", + "dynamodb:Query", + "dynamodb:GetItem", + "dynamodb:BatchGetItem" + ], + "Resource": "*" + } + ] + } + +###### Note + +The example policy uses `"Resource": "*"` for simplicity. For production environments, scope permissions to specific resources where possible. For example, scope Secrets Manager permissions to specific secret ARNs. + +Explanation of permissions **Allowed actions** | **Explanation** | **Required** +---|---|--- @@ -11 +108 @@ To create and use a data source, you need the following sets of permissions. - * AmazonAthenaFullAccess that provides full access to Amazon Athena and scoped access to the dependencies needed to enable querying, writing results, and data management. For more information, see [AmazonAthenaFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAthenaFullAccess.html) in the AWS Managed Policy Reference Guide. + "glue:ManagedConnector" @@ -13 +110 @@ To create and use a data source, you need the following sets of permissions. - * Permissions to call the CreateDataCatalog API. These permissions are only needed when you create a data source that integrates with Glue connections. For more information on the example policy, see [Permissions required to create connector and Athena catalog](./athena-catalog-access.html). +| Allows Athena to invoke the connector. | Required @@ -15 +112,36 @@ To create and use a data source, you need the following sets of permissions. - * If you want to use Lake Formation fine-grain access control, in addition to the permissions listed above, you also need the following permissions. + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue", + "secretsmanager:PutSecretValue" + +| Allows connectors to retrieve database credentials stored in AWS Secrets Manager. | Optional + + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + "ec2:DescribeVpcs", + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface" + +| Allows Athena to set up networking if the data source is within a VPC. | Optional + + "dynamodb:DescribeTable", + "dynamodb:ListTables", + "dynamodb:Scan", + "dynamodb:Query", + "dynamodb:GetItem", + "dynamodb:BatchGetItem" + +| Allows Athena to query a DynamoDB data source. | Optional + + + + +## AWS Glue Data Catalog federated connectors with Lambda permissions + + * **IAM principal permissions to invoke Athena API for connector management and querying** + + * **Amazon Athena access** – The AmazonAthenaFullAccess managed policy provides full access to Amazon Athena and scoped access to the dependencies needed to enable querying, writing results, and data management. For more information, see [AmazonAthenaFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAthenaFullAccess.html) in the AWS Managed Policy Reference Guide. + + * **Connector management permissions** – The following permissions are needed to call the Athena DataCatalog API when using Lambda-based connectors. See [Permissions required to create connector and Athena catalog](./athena-catalog-access.html). + + * **AWS Lake Formation access (if using Lake Formation)** – Permissions to create an AWS Glue Catalog and use fine-grained access control. @@ -43,0 +176,11 @@ JSON +## Athena data catalog federated connectors permissions + + * **IAM principal permissions to invoke Athena API for connector management and querying** + + * **Amazon Athena access** – The AmazonAthenaFullAccess managed policy provides full access to Amazon Athena and scoped access to the dependencies needed to enable querying, writing results, and data management. For more information, see [AmazonAthenaFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAthenaFullAccess.html) in the AWS Managed Policy Reference Guide. + + * **Connector management permissions** – The following permissions are needed to call the Athena DataCatalog API when using Lambda-based connectors. See [Permissions required to create connector and Athena catalog](./athena-catalog-access.html). + + + +