Identity and access management in Athena

Amazon Athena uses AWS Identity and Access Management (IAM) policies to restrict access to Athena operations. For a full list of permissions for Athena, see Actions, resources, and condition keys for Amazon Athena in the Service Authorization Reference.

Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see Security best practices in IAM in the IAM User Guide.

The permissions required to run Athena queries include the following:

• Amazon S3 locations where the underlying data to query is stored. For more information, see Identity and access management in Amazon S3 in the Amazon Simple Storage Service User Guide.

• Metadata and resources that you store in the AWS Glue Data Catalog, such as databases and tables, including additional actions for encrypted metadata. For more information, see Setting up IAM permissions for AWS Glue and Setting up encryption in AWS Glue in the AWS Glue Developer Guide.

• Athena API actions. For a list of API actions in Athena, see Actions in the Amazon Athena API Reference.

The following topics provide more information about permissions for specific areas of Athena.

Topics

• AWS managed policies
• Access through JDBC and ODBC connections
• Control access to Amazon S3 from Athena
• Cross-account access to S3 buckets
• Access to databases and tables in AWS Glue
• Cross-account access to AWS Glue data catalogs
• Access to encrypted metadata in the Data Catalog
• Access to workgroups and tags
• Use IAM policies to control workgroup access
• IAM Identity Center enabled workgroups
• Configure minimum encryption
• Configure access to prepared statements
• Use CalledVia context keys
• Allow access to the Athena Data Connector for External Hive Metastore
• Allow Lambda function access to external Hive metastores
• Allow access to Athena Federated Query
• Allow access to UDFs
• Allow access for ML with Athena
• Enable federated access to the Athena API