Connect to Amazon Athena using an interface VPC endpoint - Amazon Athena
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connect to Amazon Athena using an interface VPC endpoint

You can improve the security posture of your VPC by using an interface VPC endpoint (Amazon PrivateLink) and an Amazon Glue VPC endpoint in your Virtual Private Cloud (VPC). An interface VPC endpoint improves security by giving you control over which destinations can be reached from inside your VPC. Each VPC endpoint is represented by one or more elastic network interfaces (ENIs) with private IP addresses in your VPC subnets.

The interface VPC endpoint connects your VPC directly to Athena without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. The instances in your VPC don't need public IP addresses to communicate with the Athena API.

To use Athena through your VPC, you must connect from an instance that is inside the VPC or connect your private network to your VPC by using an Amazon Virtual Private Network (VPN) or Amazon Direct Connect. For information about Amazon VPN, see VPN connections in the Amazon Virtual Private Cloud User Guide. For information about Amazon Direct Connect, see Creating a connection in the Amazon Direct Connect User Guide.

Athena supports VPC endpoints in all Amazon Web Services Regions where both Amazon VPC and Athena are available.

You can create an interface VPC endpoint to connect to Athena using the Amazon Web Services Management Console or Amazon Command Line Interface (Amazon CLI) commands. For more information, see Creating an interface endpoint.

After you create an interface VPC endpoint, if you enable private DNS hostnames for the endpoint, the default Athena endpoint (https://athena.Region.amazonaws.com) resolves from inside the VPC to the private IP addresses of the endpoint's network interfaces, so existing clients and SDKs need no configuration change.

If you do not enable private DNS hostnames, Amazon VPC provides an endpoint-specific DNS name in the following format, and you must configure your clients to use it (for example, with the --endpoint-url option of the Amazon CLI):

VPC_Endpoint_ID.athena.Region.vpce.amazonaws.com

For more information, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.

Athena supports making calls to all of its API actions inside your VPC.

You can create a policy for Amazon VPC endpoints for Athena to specify restrictions like the following:

  • Principal – The principal that can perform actions.

  • Actions – The actions that can be performed.

  • Resources – The resources on which actions can be performed.

  • Only trusted identities – Use the aws:PrincipalOrgID condition key to restrict access to only credentials that belong to your Amazon organization. This helps prevent access by unintended principals, including credentials from another account that are used from inside your VPC.

  • Only trusted resources – Use the aws:ResourceOrgID condition key to prevent access to resources that do not belong to your organization.

  • Only trusted identities and resources – Create a combined policy for the VPC endpoint that helps prevent both access by unintended principals and access to unintended resources.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide and Appendix 2 – VPC endpoint policy examples in the Amazon Whitepaper Building a data perimeter on Amazon.

Example – VPC endpoint policy

The following example allows requests by organization identities to organization resources and allows requests by Amazon service principals. A request that matches neither statement is implicitly denied by the endpoint. Replace my-org-id with the ID of your organization.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "my-org-id",
          "aws:ResourceOrgID": "my-org-id"
        }
      }
    },
    {
      "Sid": "AllowRequestsByAWSServicePrincipals",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    }
  ]
}
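To see what this policy actually decides once it is attached to the endpoint, the following is an added example (not code from the Athena documentation or from Amazon). It builds the policy above for a hypothetical organization ID, o-exampleorgid, and runs a small simulation of the three condition keys the policy uses (aws:PrincipalOrgID, aws:ResourceOrgID and aws:PrincipalIsAWSService) against constructed request contexts. The evaluator is a stand-in for reasoning about the policy; it is not the IAM policy engine and only models what this particular policy needs.

```python
# Added example, not from the Athena documentation: build the page's endpoint
# policy for an assumed organization ID and simulate its decisions. The
# evaluator below models only StringEquals and Bool over the keys this policy
# uses; it is not the IAM policy engine. Sample request contexts are constructed.
import json

ORG_ID = "o-exampleorgid"  # assumed organization ID for this example


def build_endpoint_policy(org_id: str) -> dict:
    """Return the page's example endpoint policy with org_id filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": org_id,
                        "aws:ResourceOrgID": org_id,
                    }
                },
            },
            {
                "Sid": "AllowRequestsByAWSServicePrincipals",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "*",
                "Resource": "*",
                "Condition": {"Bool": {"aws:PrincipalIsAWSService": "true"}},
            },
        ],
    }


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Every operator block and every key in it must match (IAM AND semantics).

    A key that is absent from the request context does not match StringEquals
    or Bool. That is what makes a resource outside any organization, or
    credentials from another organization, fall through to the implicit deny.
    """
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "Bool"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy: dict, ctx: dict) -> bool:
    """Explicit Deny wins, then any matching Allow; otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        # Both statements on the page use "*" for Action and Resource, so only
        # the Condition block decides; other shapes are out of scope here.
        if stmt["Action"] != "*" or stmt["Resource"] != "*":
            raise ValueError("evaluator only handles Action/Resource = '*'")
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request contexts: the condition-key values IAM would derive for
# requests that arrive at Athena through the endpoint.
SAMPLE_REQUESTS = {
    "org identity, org resource": {
        "aws:PrincipalOrgID": ORG_ID, "aws:ResourceOrgID": ORG_ID},
    "org identity, resource in another org": {
        "aws:PrincipalOrgID": ORG_ID, "aws:ResourceOrgID": "o-someoneelse"},
    "org identity, resource outside any org": {
        "aws:PrincipalOrgID": ORG_ID},
    "foreign credentials used from inside the VPC": {
        "aws:PrincipalOrgID": "o-someoneelse", "aws:ResourceOrgID": ORG_ID},
    "Amazon service principal": {"aws:PrincipalIsAWSService": "true"},
}


def evaluate_samples(org_id: str = ORG_ID) -> dict:
    """Map each sample request name to the policy decision (True = allowed)."""
    policy = build_endpoint_policy(org_id)
    return {name: is_allowed(policy, ctx) for name, ctx in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(build_endpoint_policy(ORG_ID), indent=2))
    for name, decision in evaluate_samples().items():
        print(f"{'ALLOW' if decision else 'DENY ':5} {name}")
```

Running the script prints the policy followed by one ALLOW or DENY line per sample. The third case is the one to notice: a resource that belongs to no organization carries no aws:ResourceOrgID value at all, so the StringEquals condition fails and the endpoint denies the request even though the caller is a trusted organization identity. Test that behaviour against your own accounts before attaching the policy, since the endpoint policy denies everything it does not explicitly allow.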

Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see Security best practices in IAM in the IAM User Guide.

Shared subnets

You can't create, describe, modify, or delete VPC endpoints in subnets that are shared with you. However, you can use the VPC endpoints in subnets that are shared with you. For information about VPC sharing, see Share your VPC with other accounts in the Amazon VPC User Guide.