Setting User and Amazon S3 Bucket Permissions

When you run queries using Athena, you need to be sure that you have the appropriate permissions for Athena actions. If you need to create tables from underlying data, you also need permissions to the Amazon S3 locations where the data is stored.

Athena User Permissions

To grant the appropriate actions to yourself or to other users, you can attach the AmazonAthenaFullAccess and AWSQuickSightAthenaAccess managed policies to your IAM user. Both are broad; for least privilege, create a custom policy that allows only the Athena actions the user actually needs. For more information, see Managed policies and Athena Policy Actions. If you are an administrator for other users, make sure their IAM users have the appropriate permissions attached as well.

Amazon S3 Permissions

In addition to the allowed actions for Athena that you define in user policies, if you or your users need to create tables and work with underlying data, you need to grant appropriate access to the Amazon S3 location of the data. You can do this using user policies, bucket policies, or both. For detailed information and scenarios about how to grant Amazon S3 access, see Example Walkthroughs: Managing Access in the Amazon Simple Storage Service Developer Guide. See the sample bucket policy later in this topic for an example of Amazon S3 actions to allow.

Note

Athena does not support restricting or allowing access to Amazon S3 resources based on the aws:SourceIp condition key. Athena reads and writes the bucket on your behalf, so a bucket or IAM policy that grants or denies S3 access by client IP address does not see your client's address; a Deny conditioned on aws:SourceIp blocks Athena's own requests and the query fails. Restrict access by principal (user, role, or account) instead.

Cross-account Permissions

A common scenario is granting access to users in an account different from the bucket owner so that they can perform queries. In this case, use a bucket policy to grant access.

The following example bucket policy, created by the bucket owner and applied to the bucket s3://my-athena-data-bucket, grants access to all users in a different account, 123456789123. Note that a bucket policy naming the account root only delegates the permission to that account: each user or role in account 123456789123 must also have an identity-based IAM policy that allows the same S3 actions on this bucket, or their requests are denied.

{
   "Version": "2012-10-17",
   "Id": "MyPolicyID",
   "Statement": [
      {
         "Sid": "MyStatementSid",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::123456789123:root"
         },
         "Action": [
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
            "s3:ListMultipartUploadParts",
            "s3:AbortMultipartUpload",
            "s3:PutObject"
         ],
         "Resource": [
            "arn:aws:s3:::my-athena-data-bucket",
            "arn:aws:s3:::my-athena-data-bucket/*"
         ]
      }
   ]
}

To grant access to a particular user in that account rather than to the whole account, replace the value of the Principal element with the ARN of that user instead of the account root. For example, for the IAM user Dave, you would use arn:aws:iam::123456789123:user/Dave; an IAM role is named the same way with role/ in place of user/.
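The checker below is an added example, not part of the AWS documentation or of Athena itself. It ties together the three points above: it takes a bucket policy (a constructed copy of the page's cross-account policy, plus a constructed weaker variant), verifies that a given principal is allowed each S3 action from the sample policy on the ARN S3 evaluates that action against (bucket ARN for ListBucket-style actions, object ARN for GetObject-style actions), honours the account-root delegation and explicit Deny, and flags any statement conditioned on aws:SourceIp, which Athena does not support. Function names, the two sample policies and the principal ARNs are assumptions for illustration; conditions other than aws:SourceIp are not evaluated, so any matching Deny is treated conservatively as denying.

```python
"""Check an S3 bucket policy for the access Athena needs (added example, not AWS code)."""
import fnmatch
import json

# S3 actions from the page's sample bucket policy, split by the ARN S3 evaluates them against.
BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:AbortMultipartUpload",
                  "s3:ListMultipartUploadParts"]


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, arn):
    # Resource ARNs are case-sensitive; * and ? are wildcards.
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def _principal_covers(principal, principal_arn):
    """Does this statement's Principal apply to principal_arn?

    "*" covers everyone. "arn:aws:iam::ACCOUNT:root" delegates to the whole
    account, so any user or role in ACCOUNT is covered (that identity's own
    IAM policy must still allow the action)."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    account = principal_arn.split(":")[4]
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", principal_arn):
            return True
        if p.endswith(":root") and p.split(":")[4] == account:
            return True
    return False


def _statement_applies(stmt, principal_arn, action, arn):
    return (_principal_covers(stmt.get("Principal", {}), principal_arn)
            and _action_matches(stmt.get("Action", []), action)
            and _resource_matches(stmt.get("Resource", []), arn))


def check_bucket_policy(policy, bucket, principal_arn):
    """Return {"missing": [(action, arn), ...], "source_ip_sids": [sid, ...]}.

    An action is satisfied only by a matching Allow with no matching Deny.
    Statement conditions are not evaluated (a matching Deny always counts),
    but any statement keyed on aws:SourceIp is reported separately because
    Athena's requests to S3 do not carry the caller's IP address."""
    statements = _as_list(policy.get("Statement", []))
    bucket_arn = f"arn:aws:s3:::{bucket}"
    needed = ([(a, bucket_arn) for a in BUCKET_ACTIONS]
              + [(a, bucket_arn + "/*") for a in OBJECT_ACTIONS])

    missing = []
    for action, arn in needed:
        allowed = denied = False
        for stmt in statements:
            if _statement_applies(stmt, principal_arn, action, arn):
                allowed |= stmt.get("Effect") == "Allow"
                denied |= stmt.get("Effect") == "Deny"
        if denied or not allowed:
            missing.append((action, arn))

    source_ip_sids = [
        stmt.get("Sid", "<no Sid>") for stmt in statements
        if any(key.lower() == "aws:sourceip"
               for operator in stmt.get("Condition", {}).values() for key in operator)
    ]
    return {"missing": missing, "source_ip_sids": source_ip_sids}


# Constructed sample policies (hypothetical account IDs). The first mirrors the page's example.
GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17", "Id": "MyPolicyID",
  "Statement": [{"Sid": "MyStatementSid", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789123:root"},
    "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
               "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts",
               "s3:AbortMultipartUpload", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::my-athena-data-bucket", "arn:aws:s3:::my-athena-data-bucket/*"]}]
}""")

# Read-only grant gated on a corporate IP range: both problems the page warns about.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "ReadOnlyFromCorpIp", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789123:root"},
    "Action": ["s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-athena-data-bucket", "arn:aws:s3:::my-athena-data-bucket/*"],
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]
}""")

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        result = check_bucket_policy(policy, "my-athena-data-bucket",
                                     "arn:aws:iam::123456789123:user/Dave")
        print(name, json.dumps(result, indent=2))
```

Run it to see that Dave in account 123456789123 is fully covered by the page's policy, while the weaker policy leaves him without the multipart-upload and PutObject permissions and is flagged for its aws:SourceIp condition; a principal from any other account, or one matched by an explicit Deny, gets every action reported as missing.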