Setting User and Amazon S3 Bucket Permissions

When you run queries using Athena, you need to be sure that you have the appropriate permissions for Athena actions. If you need to create tables from underlying data, you also need permissions to the Amazon S3 locations where the data is stored. If you are an administrator for other users, make sure they have appropriate permissions associated with their user profiles as well.

IAM Policies for User Access

To allow or deny Athena service actions for yourself or users, you use IAM policies, which you attach to principals (for example, users or groups). Statements specified in IAM policies define the actions that are allowed and denied. For a list of actions, see the Amazon Athena SDK.

Managed policies are easy to use and are automatically updated with the required actions as the service evolves. The AmazonAthenaFullAccess policy is the managed policy for Athena. Attach this policy to users and other principals that need full access to Athena. For more information and step-by-step instructions for attaching a policy to a user, see Attaching Managed Policies in the AWS Identity and Access Management User Guide.

Customer-managed and inline policies allow you to specify more granular Athena actions within a policy to fine-tune access. If you need to do this, we recommend that you use the AmazonAthenaFullAccess policy as a starting point and then allow or deny specific actions listed in the Amazon Athena SDK. For more information about inline policies, see Managed Policies and Inline Policies in the AWS Identity and Access Management User Guide.

If you also have principals that connect using JDBC, you need to allow additional actions not listed in the API. For more information, see Service Actions for JDBC Connections below.

AmazonAthenaFullAccess Managed Policy Contents

Managed policy contents change, so the policy shown here may be out of date. Check the IAM Console for the most up-to-date policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "athena:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:CreateBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-athena-query-results*"
      ]
    }
  ]
}
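The following Python script is an added example, not code from the Athena documentation, showing the customer-managed approach the previous section recommends: start from the AmazonAthenaFullAccess document above, replace the athena:* wildcard with an explicit action list, replace the wildcard results-bucket resource with one named bucket, and drop an S3 action the principal does not need. The results bucket name, the five-action QUERY_ONLY_ACTIONS list, and the function names are assumptions chosen for illustration; the managed policy document is copied from above so the script runs offline.

```python
import copy
import json

# The AmazonAthenaFullAccess document shown above, copied here so the example
# runs stand-alone. The managed policy itself changes over time; this is a snapshot.
AMAZON_ATHENA_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["athena:*"], "Resource": ["*"]},
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
                "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload", "s3:CreateBucket", "s3:PutObject",
            ],
            "Resource": ["arn:aws:s3:::aws-athena-query-results*"],
        },
    ],
}

# Assumption: the explicit Athena API actions a query-only user needs. These
# five actions are named on this page; adjust the list for your own use case.
QUERY_ONLY_ACTIONS = [
    "athena:StartQueryExecution",
    "athena:GetQueryExecution",
    "athena:GetQueryResults",
    "athena:StopQueryExecution",
    "athena:ListQueryExecutions",
]

RESULTS_PREFIX = "arn:aws:s3:::aws-athena-query-results"


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def narrow_policy(managed_policy, athena_actions, results_bucket,
                  drop_s3_actions=("s3:CreateBucket",)):
    """Return a customer-managed policy derived from the managed policy.

    * 'athena:*' is replaced by the explicit action list.
    * The wildcard results-bucket resource is replaced by one named bucket
      (bucket ARN for bucket-level actions, bucket/* for object-level ones).
    * S3 actions the principal does not need are dropped; by default that is
      s3:CreateBucket, since the results bucket already exists.
    The input document is left unchanged.
    """
    policy = copy.deepcopy(managed_policy)
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        if "athena:*" in actions:
            actions = [a for a in actions if a != "athena:*"] + list(athena_actions)
        stmt["Action"] = [a for a in actions if a not in drop_s3_actions]

        resources = _as_list(stmt["Resource"])
        if any(r.startswith(RESULTS_PREFIX) for r in resources):
            stmt["Resource"] = [
                f"arn:aws:s3:::{results_bucket}",
                f"arn:aws:s3:::{results_bucket}/*",
            ]
    return policy


def wildcard_actions(policy):
    """List every Action entry that still contains '*', so a reviewer can
    confirm the narrowed policy names each permission explicitly."""
    return [
        action
        for stmt in policy["Statement"]
        for action in _as_list(stmt.get("Action", []))
        if "*" in action
    ]


if __name__ == "__main__":
    # Example results bucket name (assumption); Athena's default buckets follow
    # the aws-athena-query-results-<account>-<region> pattern.
    narrowed = narrow_policy(AMAZON_ATHENA_FULL_ACCESS, QUERY_ONLY_ACTIONS,
                             "aws-athena-query-results-123456789123-us-east-1")
    print(json.dumps(narrowed, indent=2))
    print("remaining wildcards:", wildcard_actions(narrowed))
```

The resulting document is what you would paste into a customer-managed policy; keeping the Athena statement's Resource at "*" mirrors the managed policy, while the S3 statement now names only the results bucket.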

AWSQuicksightAthenaAccess Managed Policy

An additional managed policy, AWSQuicksightAthenaAccess, grants access to actions that Amazon QuickSight needs to integrate with Athena. This policy includes deprecated actions for Athena that are not in the API. Only attach this policy to principals who use Amazon QuickSight in conjunction with Athena.

Managed policy contents change, so the policy shown here may be out of date. Check the IAM Console for the most up-to-date policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "athena:CancelQueryExecution",
        "athena:GetCatalogs",
        "athena:GetExecutionEngine",
        "athena:GetExecutionEngines",
        "athena:GetNamespace",
        "athena:GetNamespaces",
        "athena:GetQueryExecution",
        "athena:GetQueryExecutions",
        "athena:GetQueryResults",
        "athena:GetTable",
        "athena:GetTables",
        "athena:RunQuery"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:CreateBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-athena-query-results-*"
      ]
    }
  ]
}

Service Actions for JDBC Connections

Users (and other principals) who connect through the JDBC driver need permission for policy-specific actions that are not listed in the Amazon Athena SDK. In addition, the Athena API is not supported by JDBC drivers earlier than version 1.1.0, so policies attached to users of those earlier versions must specify deprecated actions and not API actions.

Policy-Specific Actions for All JDBC Driver Users, Regardless of Version

Regardless of JDBC Driver version, you must allow JDBC users to perform a set of policy-specific actions. These actions are not part of the Athena API. If the following actions are not allowed, users will be unable to see databases and tables:

  • athena:GetCatalogs
  • athena:GetExecutionEngine
  • athena:GetExecutionEngines
  • athena:GetNamespace
  • athena:GetNamespaces
  • athena:GetTable
  • athena:GetTables

Deprecated Policy-Specific Actions for JDBC Driver Versions Prior to 1.1.0

These policy-specific actions were used in Athena before the release of the Athena API. Use these deprecated actions in policies only with JDBC drivers earlier than version 1.1.0. If you are upgrading the JDBC driver, replace policy statements that allow or deny deprecated actions with the corresponding API actions listed below, or errors will occur:

Deprecated Policy-Specific Action     Corresponding Athena API Action
athena:RunQuery                       athena:StartQueryExecution
athena:CancelQueryExecution           athena:StopQueryExecution
athena:GetQueryExecutions             athena:ListQueryExecutions
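As an added example (not part of the Athena documentation), the Python script below performs the JDBC driver upgrade check that the two sections above describe: it finds deprecated actions in a policy document, rewrites them to the corresponding API actions from the table, and reports which of the policy-specific actions required by every JDBC user are not allowed. The LEGACY_JDBC_POLICY document is constructed for the example, and the function names are hypothetical.

```python
import copy
import fnmatch

# Deprecated policy-specific actions and the Athena API actions that replace
# them, taken from the table above.
DEPRECATED_TO_API = {
    "athena:RunQuery": "athena:StartQueryExecution",
    "athena:CancelQueryExecution": "athena:StopQueryExecution",
    "athena:GetQueryExecutions": "athena:ListQueryExecutions",
}

# Policy-specific actions every JDBC user needs, regardless of driver version.
JDBC_REQUIRED_ACTIONS = frozenset({
    "athena:GetCatalogs",
    "athena:GetExecutionEngine",
    "athena:GetExecutionEngines",
    "athena:GetNamespace",
    "athena:GetNamespaces",
    "athena:GetTable",
    "athena:GetTables",
})


def _as_list(value):
    """IAM accepts a single string or a list for Action and NotAction."""
    return [value] if isinstance(value, str) else list(value)


def find_deprecated_actions(policy):
    """Return (statement index, action) pairs for each deprecated action found
    in Action or NotAction elements, whatever the statement's Effect."""
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        for key in ("Action", "NotAction"):
            for action in _as_list(stmt.get(key, [])):
                if action in DEPRECATED_TO_API:
                    found.append((i, action))
    return found


def migrate_policy(policy):
    """Return a copy of the policy with deprecated actions replaced by their
    API equivalents. The input is not modified; duplicates are collapsed."""
    migrated = copy.deepcopy(policy)
    for stmt in migrated.get("Statement", []):
        for key in ("Action", "NotAction"):
            if key not in stmt:
                continue
            replaced = []
            for action in _as_list(stmt[key]):
                new_action = DEPRECATED_TO_API.get(action, action)
                if new_action not in replaced:
                    replaced.append(new_action)
            stmt[key] = replaced
    return migrated


def missing_jdbc_actions(policy):
    """Return the JDBC policy-specific actions that no Allow statement grants.
    Wildcards such as 'athena:*' or 'athena:Get*' are honoured and IAM action
    names are matched case-insensitively. Deny statements are ignored, so an
    explicit Deny elsewhere can still block an action this reports as granted."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for needed in JDBC_REQUIRED_ACTIONS:
                if fnmatch.fnmatchcase(needed.lower(), pattern.lower()):
                    granted.add(needed)
    return JDBC_REQUIRED_ACTIONS - granted


# Constructed sample: a policy written for a pre-1.1.0 JDBC driver that also
# omits several of the required policy-specific actions.
LEGACY_JDBC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:RunQuery",
                "athena:CancelQueryExecution",
                "athena:GetQueryExecutions",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:GetCatalogs",
                "athena:GetNamespaces",
                "athena:GetTables",
            ],
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    print("deprecated:", find_deprecated_actions(LEGACY_JDBC_POLICY))
    print("migrated:", migrate_policy(LEGACY_JDBC_POLICY)["Statement"][0]["Action"])
    print("missing JDBC actions:", sorted(missing_jdbc_actions(LEGACY_JDBC_POLICY)))
```

Run the migration only for principals whose driver is 1.1.0 or later; for users still on an earlier driver, the deprecated names are the ones that must stay in the policy.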

Amazon S3 Permissions

In addition to the allowed actions for Athena that you define in policies, if you or your users need to create tables and work with underlying data, you need to grant appropriate access to the Amazon S3 location of the data. You can do this using user policies, bucket policies, or both. For detailed information and scenarios about how to grant Amazon S3 access, see Example Walkthroughs: Managing Access in the Amazon Simple Storage Service Developer Guide. See the sample bucket policy later in this topic for an example of Amazon S3 actions to allow.

Note

Athena does not support restricting or allowing access to Amazon S3 resources based on the aws:SourceIp condition key.

A common scenario is granting access to users in an account different from the bucket owner so that they can perform queries. In this case, use a bucket policy to grant access.

The following example bucket policy, created and applied to bucket s3://my-athena-data-bucket by the bucket owner (a different account), grants access to all users in account 123456789123.

{
  "Version": "2012-10-17",
  "Id": "MyPolicyID",
  "Statement": [
    {
      "Sid": "MyStatementSid",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789123:root"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-athena-data-bucket",
        "arn:aws:s3:::my-athena-data-bucket/*"
      ]
    }
  ]
}

To grant access to a particular user in an account, replace the Principal key with a key that specifies the user rather than root. For example, for user profile Dave, you would use arn:aws:iam::123456789123:user/Dave.
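The Python script below is an added example, not code from the Athena documentation. It builds the cross-account bucket policy shown above for either the whole account (root principal) or a single user such as Dave, and reviews a bucket policy for mistakes that commonly break or over-expose an Athena data bucket: bucket-level actions without the bucket ARN, object-level actions without a bucket/* ARN, a wildcard Principal, and an aws:SourceIp condition, which the Note above says Athena does not support on S3 resources. The function names and the constructed sample policies are assumptions for illustration; the action and resource values come from the sample policy above.

```python
import re

# Amazon S3 actions from the sample bucket policy above, split by the resource
# level IAM evaluates them against: the bucket ARN itself, or objects under it.
BUCKET_LEVEL_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket",
                        "s3:ListBucketMultipartUploads"]
OBJECT_LEVEL_ACTIONS = ["s3:GetObject", "s3:ListMultipartUploadParts",
                        "s3:AbortMultipartUpload", "s3:PutObject"]


def principal_arn(account_id, user_name=None):
    """ARN for the whole account (root) or for one IAM user in that account."""
    if not re.fullmatch(r"[0-9]{12}", account_id):
        raise ValueError(f"account id must be 12 digits: {account_id!r}")
    if user_name is None:
        return f"arn:aws:iam::{account_id}:root"
    return f"arn:aws:iam::{account_id}:user/{user_name}"


def build_athena_bucket_policy(bucket, account_id, user_name=None,
                               sid="MyStatementSid"):
    """Build the cross-account bucket policy from the section above, with the
    Principal narrowed to a single user when user_name is given."""
    return {
        "Version": "2012-10-17",
        "Id": "MyPolicyID",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn(account_id, user_name)},
            "Action": BUCKET_LEVEL_ACTIONS + OBJECT_LEVEL_ACTIONS,
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal."""
    return [value] if isinstance(value, str) else list(value)


def _resource_path(arn):
    """The part after 'arn:aws:s3:::' (bucket, or bucket/key pattern)."""
    return arn.split(":::", 1)[-1]


def review_bucket_policy(policy):
    """Return human-readable findings for Allow statements; empty means clean."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        # A bare "*" resource covers both levels; otherwise a "/" marks an object ARN.
        bucket_arns = [r for r in resources if r == "*" or "/" not in _resource_path(r)]
        object_arns = [r for r in resources if r == "*" or "/" in _resource_path(r)]
        if actions & set(BUCKET_LEVEL_ACTIONS) and not bucket_arns:
            findings.append(f"{sid}: bucket-level actions need the bucket ARN itself (without /*)")
        if actions & set(OBJECT_LEVEL_ACTIONS) and not object_arns:
            findings.append(f"{sid}: object-level actions need an object ARN such as bucket/*")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: Principal '*' grants access to everyone, not just the other account")
        for operator_keys in stmt.get("Condition", {}).values():
            if any(k.lower() == "aws:sourceip" for k in operator_keys):
                findings.append(f"{sid}: Athena does not support aws:SourceIp conditions on S3 resources")
    return findings


if __name__ == "__main__":
    import json
    # Account-wide grant, as in the sample above, then the same grant for user Dave.
    print(json.dumps(build_athena_bucket_policy("my-athena-data-bucket", "123456789123"), indent=2))
    print(principal_arn("123456789123", "Dave"))
```

The reviewer is deliberately conservative: it only reports the four mistakes above and does not evaluate Deny statements or the requesting account's own IAM policies, which must also allow the S3 actions for a cross-account query to succeed.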