Connect to Amazon Athena using an interface VPC endpoint

You can improve the security posture of your VPC by using an interface VPC endpoint (AWS PrivateLink) and an AWS Glue VPC endpoint in your Virtual Private Cloud (VPC). An interface VPC endpoint improves security by giving you control over what destinations can be reached from inside your VPC. Each VPC endpoint is represented by one or more Elastic network interfaces (ENIs) with private IP addresses in your VPC subnets.

The interface VPC endpoint connects your VPC directly to Athena without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. The instances in your VPC don't need public IP addresses to communicate with the Athena API.

To use Athena through your VPC, you must connect from an instance that is inside the VPC or connect your private network to your VPC by using an Amazon Virtual Private Network (VPN) or AWS Direct Connect. For information about Amazon VPN, see VPN connections in the Amazon Virtual Private Cloud User Guide. For information about AWS Direct Connect, see Creating a connection in the AWS Direct Connect User Guide.

Athena supports VPC endpoints in all AWS Regions where both Amazon VPC and Athena are available.

You can create an interface VPC endpoint to connect to Athena using the AWS Management Console or AWS Command Line Interface (AWS CLI) commands. For more information, see Creating an interface endpoint.

After you create an interface VPC endpoint and enable private DNS hostnames for it, the default Athena endpoint resolves to your VPC endpoint.

If you do not enable private DNS hostnames, Amazon VPC provides a DNS endpoint name that you can use in the following format:

For more information, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

Athena supports making calls to all of its API actions inside your VPC.

You can create a policy for Amazon VPC endpoints for Athena to specify restrictions like the following:

  • Principal – The principal that can perform actions.

  • Actions – The actions that can be performed.

  • Resources – The resources on which actions can be performed.

  • Only trusted identities – Use the aws:PrincipalOrgID condition key to restrict access to credentials that belong to your AWS organization. This helps prevent access by unintended principals.

  • Only trusted resources – Use the aws:ResourceOrgID condition key to prevent access to unintended resources.

  • Only trusted identities and resources – Create a combined policy for a VPC endpoint that helps prevent access to unintended principals and resources.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide and Appendix 2 – VPC endpoint policy examples in the AWS Whitepaper Building a data perimeter on AWS.

Example – VPC endpoint policy

The following example allows requests by organization identities to organization resources and allows requests by AWS service principals.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
                "Effect": "Allow",
                "Principal": { "AWS": "*" },
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": "my-org-id",
                        "aws:ResourceOrgID": "my-org-id"
                    }
                }
            },
            {
                "Sid": "AllowRequestsByAWSServicePrincipals",
                "Effect": "Allow",
                "Principal": { "AWS": "*" },
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "aws:PrincipalIsAWSService": "true"
                    }
                }
            }
        ]
    }
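The restrictions listed above (trusted identities, trusted resources, or both) are easy to get partly right: a statement can carry aws:PrincipalOrgID but forget aws:ResourceOrgID, or a default full-access policy can be left in place. The following is an added example, not code from the Athena documentation or from AWS. It is a small offline checker that reads an endpoint policy document and reports every Allow statement with a wildcard principal that is not bound to the organization or to AWS service principals. The policy from the page is embedded as one sample; the full-access and identity-only policies are constructed here to show what the check flags. The module and function names are the example's own.

```python
"""Static check of a VPC endpoint policy for data-perimeter conditions.

Added example, not part of the Athena documentation. Reports Allow statements
that open the endpoint to any principal without aws:PrincipalOrgID and
aws:ResourceOrgID, unless they are limited to AWS service principals.
"""
import json

# IAM condition keys are matched case-insensitively, so compare them lowercased.
PRINCIPAL_ORG_KEY = "aws:principalorgid"
RESOURCE_ORG_KEY = "aws:resourceorgid"
SERVICE_PRINCIPAL_KEY = "aws:principalisawsservice"

# The example policy from the page, including its "my-org-id" placeholder.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "my-org-id",
                                    "aws:ResourceOrgID": "my-org-id"}}},
    {"Sid": "AllowRequestsByAWSServicePrincipals", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:PrincipalIsAWSService": "true"}}}
  ]
}
""")

# Constructed sample: wildcard principal, action and resource with no Condition,
# i.e. the shape of an endpoint policy that has not been restricted at all.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FullAccess", "Effect": "Allow",
                   "Principal": "*", "Action": "*", "Resource": "*"}],
}

# Constructed sample: trusted identities only, resources left unrestricted.
IDENTITY_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OrgIdentitiesOnly", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "*", "Resource": "*",
                   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "my-org-id"}}}],
}


def _as_list(value):
    """IAM accepts a scalar or an array in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _has_wildcard_principal(statement):
    """True when Principal is "*" or {"AWS": "*"} (possibly inside a list)."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_values(statement):
    """Flatten Condition into {lowercased key: [lowercased values]}, ignoring the operator."""
    flattened = {}
    for operator_block in statement.get("Condition", {}).values():
        for key, value in operator_block.items():
            flattened.setdefault(key.lower(), []).extend(
                str(v).lower() for v in _as_list(value))
    return flattened


def check_endpoint_policy(policy):
    """Return a list of findings; an empty list means every open Allow is perimeter-bound."""
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        # Deny statements and explicitly named principals are already scoped; skip them.
        if statement.get("Effect") != "Allow" or not _has_wildcard_principal(statement):
            continue
        sid = statement.get("Sid", "<no Sid>")
        conditions = _condition_values(statement)
        # Service principals carry no org ID, so a statement limited to them via
        # aws:PrincipalIsAWSService = true is the accepted exception (as on the page).
        if conditions.get(SERVICE_PRINCIPAL_KEY) == ["true"]:
            continue
        if PRINCIPAL_ORG_KEY not in conditions:
            findings.append(f"{sid}: wildcard principal without aws:PrincipalOrgID")
        if RESOURCE_ORG_KEY not in conditions:
            findings.append(f"{sid}: wildcard principal without aws:ResourceOrgID")
    return findings


if __name__ == "__main__":
    samples = (("page example", HARDENED_POLICY),
               ("full access", FULL_ACCESS_POLICY),
               ("identity only", IDENTITY_ONLY_POLICY))
    for name, policy in samples:
        findings = check_endpoint_policy(policy)
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run it against the document you intend to pass to the endpoint (for example the file you would reference from the AWS CLI's --policy-document option) before applying it; the check is intentionally conservative and treats only the two org keys and the service-principal key as sufficient, so a policy that scopes access some other way will show up as a finding for a human to review.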

Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see Security best practices in IAM in the IAM User Guide.

Shared subnets

You can't create, describe, modify, or delete VPC endpoints in subnets that are shared with you. However, you can use the VPC endpoints in subnets that are shared with you. For information about VPC sharing, see Share your VPC with other accounts in the Amazon VPC User Guide.