Tag-based IAM access control policies
Having tags allows you to write an IAM policy that includes the
Condition
block to control access to a resource based on its tags.
Tag policy examples for workgroups
Example 1. basic tagging policy
The following IAM policy allows you to run queries and interact with tags
for the workgroup named workgroupA
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "athena:ListWorkGroups", "athena:ListEngineVersions", "athena:ListDataCatalogs", "athena:ListDatabases", "athena:GetDatabase", "athena:ListTableMetadata", "athena:GetTableMetadata" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "athena:GetWorkGroup", "athena:TagResource", "athena:UntagResource", "athena:ListTagsForResource", "athena:StartQueryExecution", "athena:GetQueryExecution", "athena:BatchGetQueryExecution", "athena:ListQueryExecutions", "athena:StopQueryExecution", "athena:GetQueryResults", "athena:GetQueryResultsStream", "athena:CreateNamedQuery", "athena:GetNamedQuery", "athena:BatchGetNamedQuery", "athena:ListNamedQueries", "athena:DeleteNamedQuery", "athena:CreatePreparedStatement", "athena:GetPreparedStatement", "athena:ListPreparedStatements", "athena:UpdatePreparedStatement", "athena:DeletePreparedStatement" ], "Resource": "arn:aws:athena:
us-east-1
:123456789012
:workgroup/workgroupA
" } ] }
Example 2: Policy block that denies actions on a workgroup based on a tag key and tag value pair
Tags that are associated with a resource like a workgroup are referred to as
resource tags. Resource tags let you write policy blocks like the following that
deny the listed actions on any workgroup tagged with a key-value pair like
stack
, production
.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "athena:GetWorkGroup", "athena:UpdateWorkGroup", "athena:DeleteWorkGroup", "athena:TagResource", "athena:UntagResource", "athena:ListTagsForResource", "athena:StartQueryExecution", "athena:GetQueryExecution", "athena:BatchGetQueryExecution", "athena:ListQueryExecutions", "athena:StopQueryExecution", "athena:GetQueryResults", "athena:GetQueryResultsStream", "athena:CreateNamedQuery", "athena:GetNamedQuery", "athena:BatchGetNamedQuery", "athena:ListNamedQueries", "athena:DeleteNamedQuery", "athena:CreatePreparedStatement", "athena:GetPreparedStatement", "athena:ListPreparedStatements", "athena:UpdatePreparedStatement", "athena:DeletePreparedStatement" ], "Resource": "arn:aws:athena:
us-east-1
:123456789012
:workgroup/*", "Condition": { "StringEquals": { "aws:ResourceTag/stack
": "production
" } } } ] }
Example 3. policy block that restricts tag-changing action requests to specified tags
Tags that are passed in as parameters to operations that change tags (for
example, TagResource
, UntagResource
, or
CreateWorkGroup
with tags) are referred to as request tags. The
following example policy block allows the CreateWorkGroup
operation
only if one of the tags passed has the key costcenter
and the value
1
, 2
, or 3
.
If you want to allow an IAM role to pass in tags as part of a
CreateWorkGroup
operation, make sure that you give the role
permissions to the TagResource
and CreateWorkGroup
actions.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "athena:CreateWorkGroup", "athena:TagResource" ], "Resource": "arn:aws:athena:
us-east-1
:123456789012
:workgroup/*", "Condition": { "StringEquals": { "aws:RequestTag/costcenter
": [ "1
", "2
", "3
" ] } } } ] }
Tag policy examples for data catalogs
Example 1. basic tagging policy
The following IAM policy allows you to interact with tags for the data
catalog named datacatalogA
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "athena:ListWorkGroups", "athena:ListEngineVersions", "athena:ListDataCatalogs", "athena:ListDatabases", "athena:GetDatabase", "athena:ListTableMetadata", "athena:GetTableMetadata" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "athena:GetWorkGroup", "athena:TagResource", "athena:UntagResource", "athena:ListTagsForResource", "athena:StartQueryExecution", "athena:GetQueryExecution", "athena:BatchGetQueryExecution", "athena:ListQueryExecutions", "athena:StopQueryExecution", "athena:GetQueryResults", "athena:GetQueryResultsStream", "athena:CreateNamedQuery", "athena:GetNamedQuery", "athena:BatchGetNamedQuery", "athena:ListNamedQueries", "athena:DeleteNamedQuery" ], "Resource": [ "arn:aws:athena:
us-east-1
:123456789012
:workgroup/*" ] }, { "Effect": "Allow", "Action": [ "athena:CreateDataCatalog", "athena:GetDataCatalog", "athena:UpdateDataCatalog", "athena:DeleteDataCatalog", "athena:ListDatabases", "athena:GetDatabase", "athena:ListTableMetadata", "athena:GetTableMetadata", "athena:TagResource", "athena:UntagResource", "athena:ListTagsForResource" ], "Resource": "arn:aws:athena:us-east-1
:123456789012
:datacatalog/datacatalogA
" } ] }
Example 2: Policy block that denies actions on a Data Catalog based on a tag key and tag value pair
You can use resource tags to write policy blocks that deny specific actions on
data catalogs that are tagged with specific tag key-value pairs. The following
example policy denies actions on data catalogs that have the tag key-value pair
stack
, production
.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "athena:CreateDataCatalog", "athena:GetDataCatalog", "athena:UpdateDataCatalog", "athena:DeleteDataCatalog", "athena:GetDatabase", "athena:ListDatabases", "athena:GetTableMetadata", "athena:ListTableMetadata", "athena:StartQueryExecution", "athena:TagResource", "athena:UntagResource", "athena:ListTagsForResource" ], "Resource": "arn:aws:athena:
us-east-1
:123456789012
:datacatalog/*", "Condition": { "StringEquals": { "aws:ResourceTag/stack
": "production
" } } } ] }
Example 3. policy block that restricts tag-changing action requests to specified tags
Tags that are passed in as parameters to operations that change tags (for
example, TagResource
, UntagResource
, or
CreateDataCatalog
with tags) are referred to as request tags.
The following example policy block allows the CreateDataCatalog
operation only if one of the tags passed has the key costcenter
and
the value 1
, 2
, or 3
.
If you want to allow an IAM role to pass in tags as part of a
CreateDataCatalog
operation, make sure that you give the
role permissions to the TagResource
and
CreateDataCatalog
actions.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "athena:CreateDataCatalog", "athena:TagResource" ], "Resource": "arn:aws:athena:
us-east-1
:123456789012
:datacatalog/*", "Condition": { "StringEquals": { "aws:RequestTag/costcenter
": [ "1
", "2
", "3
" ] } } } ] }