AWS Security ChangesHomeSearch

AWS omics documentation change

Service: omics · 2026-04-25 · Documentation medium

File: omics/latest/dev/workflows-vpc-internet.md

Summary

Added comprehensive IAM permissions section for AWS services in VPC mode workflows, including policy examples for Athena, Glue, DynamoDB, and S3 Tables

Security assessment

This change adds detailed security documentation about IAM permissions required for workflows in VPC mode. It clarifies that VPC endpoints alone are insufficient and proper IAM permissions are required to prevent AccessDeniedException errors. The documentation provides specific policy examples and emphasizes the separation of networking configuration from IAM permissions, which is a security best practice.

Diff

diff --git a/omics/latest/dev/workflows-vpc-internet.md b/omics/latest/dev/workflows-vpc-internet.md
index c974bf771..5cb6da5e7 100644
--- a//omics/latest/dev/workflows-vpc-internet.md
+++ b//omics/latest/dev/workflows-vpc-internet.md
@@ -7 +7 @@
-Setting up a VPC with internet accessVPC endpoints for AWS servicesSecurity group configurationRoute table configurationTesting VPC connectivityExamplesBest practices
+Setting up a VPC with internet accessVPC endpoints for AWS servicesSecurity group configurationRoute table configurationIAM permissions for AWS servicesTesting VPC connectivityExamplesBest practices
@@ -28,0 +29,2 @@ Connecting a run to a public subnet does not give it internet access or a public
+  * IAM permissions for AWS services
+
@@ -107,0 +110,4 @@ You can configure VPC endpoints to allow runs to access AWS services without tra
+###### Important
+
+If your workflow definition needs to access AWS services (such as Amazon Athena queries, Amazon DynamoDB operations, or other API calls), you must ensure that the required VPC endpoints are configured in your VPC. Without the appropriate endpoints, your workflow may fail with authentication or connectivity errors.
+
@@ -116,0 +123 @@ Amazon S3 | Gateway | com.amazonaws.`region`.s3
+Amazon S3 Tables | Interface | com.amazonaws.`region`.s3tables  
@@ -120,0 +128,3 @@ CloudWatch Logs | Interface | com.amazonaws.`region`.logs
+Amazon Athena | Interface | com.amazonaws.`region`.athena  
+  
+The full list of services that you can access through AWS PrivateLink endpoints can be found in [AWS services that integrate with AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html). For detailed endpoint setup instructions, see [Access AWS services through AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) in the _AWS PrivateLink Guide_.
@@ -168,0 +179,89 @@ For access to on-premises resources, configure routes to a virtual private gatew
+## IAM permissions for AWS services
+
+When your workflow tasks access AWS services such as Amazon Athena, AWS Glue, or Amazon DynamoDB in VPC networking mode, you must add the necessary permissions to the service role that you pass to the `StartRun` API. Without these permissions, your workflow tasks will fail with `AccessDeniedException` or `UnauthorizedException` errors.
+
+###### Important
+
+The service role permissions are separate from VPC networking configuration. Even with properly configured VPC endpoints and security groups, your workflow will fail if the service role lacks the required IAM permissions.
+
+If your workflow fails with permission errors, check the CloudWatch Logs logs for your workflow run. Common error messages include `AccessDeniedException: You are not authorized to perform: action on the resource` (the service role is missing the required IAM permission) or `UnrecognizedClientException: The security token included in the request is invalid` (the service role trust policy may be misconfigured, or the role ARN passed to `StartRun` is incorrect).
+
+### Common service permissions
+
+The following examples show IAM permissions for commonly used AWS services in VPC mode workflows. Add these permissions to your service role policy based on which services your workflow accesses.
+
+###### Example permissions
+
+For workflows that run queries:
+    
+    
+    {
+      "Effect": "Allow",
+      "Action": [
+        "athena:StartQueryExecution",
+        "athena:GetQueryExecution",
+        "athena:GetQueryResults",
+        "athena:StopQueryExecution"
+      ],
+      "Resource": "arn:aws:athena:region:account-id:workgroup/workgroup-name"
+    }
+
+###### Example AWS Glue Data Catalog permissions
+
+For workflows that access AWS Glue databases and tables (commonly used with Amazon Athena):
+    
+    
+    {
+      "Effect": "Allow",
+      "Action": [
+        "glue:GetDatabase",
+        "glue:GetTable",
+        "glue:GetPartitions",
+        "glue:CreateTable",
+        "glue:UpdateTable"
+      ],
+      "Resource": [
+        "arn:aws:glue:region:account-id:catalog",
+        "arn:aws:glue:region:account-id:database/database-name",
+        "arn:aws:glue:region:account-id:table/database-name/*"
+      ]
+    }
+
+###### Note
+
+If you use AWS Lake Formation to manage permissions for your AWS Glue Data Catalog, you must also grant the appropriate Lake Formation permissions. For more information, see [Lake Formation permissions](https://docs.aws.amazon.com/lake-formation/latest/dg/lake-formation-permissions.html) in the _AWS Lake Formation Developer Guide_.
+
+###### Example DynamoDB permissions
+
+For workflows that read from or write to DynamoDB tables:
+    
+    
+    {
+      "Effect": "Allow",
+      "Action": [
+        "dynamodb:GetItem",
+        "dynamodb:PutItem",
+        "dynamodb:Query",
+        "dynamodb:Scan"
+      ],
+      "Resource": "arn:aws:dynamodb:region:account-id:table/table-name"
+    }
+
+###### Example Amazon S3 Tables permissions
+
+For workflows that read from or write to Amazon S3 Tables:
+    
+    
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3tables:GetTableData",
+        "s3tables:PutTableData"
+      ],
+      "Resource": "arn:aws:s3tables:region:account-id:bucket/bucket-name/table/table-id"
+    }
+
+###### Note
+
+Amazon S3 Tables uses a different endpoint than Amazon S3. You must configure a VPC endpoint for Amazon S3 Tables and ensure your security group allows outbound HTTPS traffic (port 443) to the Amazon S3 Tables service.
+