Managed Policies for User Access - Amazon Athena

Managed Policies for User Access

To allow or deny Amazon Athena service actions for yourself or other users using AWS Identity and Access Management (IAM), you attach identity-based policies to principals, such as users or groups.

Each identity-based policy consists of statements that define the actions that are allowed or denied. For more information and step-by-step instructions for attaching a policy to a user, see Attaching Managed Policies in the AWS Identity and Access Management User Guide. For a list of actions, see the Amazon Athena API Reference.

Managed policies are easy to use and are updated automatically with the required actions as the service evolves.

Athena has these managed policies:

  • The AmazonAthenaFullAccess managed policy grants full access to Athena. Attach it to users and other principals who need full access to Athena. See AmazonAthenaFullAccess Managed Policy.

  • The AWSQuicksightAthenaAccess managed policy grants access to actions that Amazon QuickSight needs to integrate with Athena. Attach this policy to principals who use Amazon QuickSight in conjunction with Athena. See AWSQuicksightAthenaAccess Managed Policy.

Customer-managed and inline identity-based policies allow you to specify more detailed Athena actions within a policy to fine-tune access. We recommend that you use the AmazonAthenaFullAccess policy as a starting point and then allow or deny specific actions listed in the Amazon Athena API Reference. For more information about inline policies, see Managed Policies and Inline Policies in the AWS Identity and Access Management User Guide.
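The following customer-managed policy is an added example, not taken from the AWS documentation. Attached to the same principal as AmazonAthenaFullAccess, it narrows that starting point, because an explicit Deny overrides the Allow statements in the managed policy. The Sid values and the choice of denied actions are illustrative assumptions; adjust them to the actions your users should not perform.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyWorkgroupAdministration",
      "Effect": "Deny",
      "Action": [
        "athena:CreateWorkGroup",
        "athena:UpdateWorkGroup",
        "athena:DeleteWorkGroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyNamedQueryDeletion",
      "Effect": "Deny",
      "Action": [
        "athena:DeleteNamedQuery"
      ],
      "Resource": "*"
    }
  ]
}
```

With both policies attached, the principal can still run and stop queries and read results, but cannot create, change, or delete workgroups or delete saved queries.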

If you also have principals that connect using JDBC, you must provide the JDBC driver credentials to your application. For more information, see Service Actions for JDBC Connections.

If you use AWS Glue with Athena, and have encrypted the AWS Glue Data Catalog, you must specify additional actions in the identity-based IAM policies for Athena. For more information, see Access to Encrypted Metadata in the AWS Glue Data Catalog.


If you create and use workgroups, make sure your policies include appropriate access to workgroup actions. For detailed information, see IAM Policies for Accessing Workgroups and Workgroup Example Policies.