Amazon Athena uses AWS Identity and Access Management (IAM) policies to restrict access to Athena operations. For a full list of permissions for Athena, see Actions, resources, and condition keys for Amazon Athena in the Service Authorization Reference.
Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see Security best practices in IAM in the IAM User Guide.
The permissions required to run Athena queries include the following:
- Amazon S3 locations where the underlying data to query is stored. For more information, see Identity and access management in Amazon S3 in the Amazon Simple Storage Service User Guide.
- Metadata and resources that you store in the AWS Glue Data Catalog, such as databases and tables, including additional actions for encrypted metadata. For more information, see Setting up IAM permissions for AWS Glue and Setting up encryption in AWS Glue in the AWS Glue Developer Guide.
- Athena API actions. For a list of API actions in Athena, see Actions in the Amazon Athena API Reference.
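The following identity-based policy is an added example, not taken from the Athena documentation; it shows one way to grant the three permission groups listed above at least-privilege scope. The region, account ID (123456789012), workgroup name (analytics), database name (sales), and bucket names are placeholders you would replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AthenaQueryActions",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StopQueryExecution",
        "athena:GetWorkGroup"
      ],
      "Resource": "arn:aws:athena:us-east-1:123456789012:workgroup/analytics"
    },
    {
      "Sid": "GlueCatalogRead",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartitions"
      ],
      "Resource": [
        "arn:aws:glue:us-east-1:123456789012:catalog",
        "arn:aws:glue:us-east-1:123456789012:database/sales",
        "arn:aws:glue:us-east-1:123456789012:table/sales/*"
      ]
    },
    {
      "Sid": "SourceDataRead",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": [
        "arn:aws:s3:::example-data-bucket",
        "arn:aws:s3:::example-data-bucket/sales/*"
      ]
    },
    {
      "Sid": "QueryResultsWrite",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:AbortMultipartUpload"],
      "Resource": [
        "arn:aws:s3:::example-results-bucket",
        "arn:aws:s3:::example-results-bucket/athena-output/*"
      ]
    }
  ]
}
```

Each statement is scoped to a single workgroup, database, and bucket prefix rather than `*`, so a principal holding it can query only the intended data and write results only to the designated output location. If the Data Catalog metadata is encrypted, the additional AWS KMS permissions described in the AWS Glue Developer Guide are also required.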
The following topics provide more information about permissions for specific areas of Athena.