Amazon S3 access points and access point aliases Using CalledVia context keys Additional resources

Access to Amazon S3

You can grant access to Amazon S3 locations using identity-based policies, bucket resource policies, access point policies, or any combination of the above. When actors interact with Athena, their permissions pass through Athena to determine what Athena can access. This means that users must have permission to access Amazon S3 buckets in order to query them with Athena.

Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see Security best practices in IAM in the IAM User Guide.

When you configure aws:SourceIp in your policies, Athena accesses the Amazon S3 bucket using the IP address that you specify. You cannot restrict or allow access to Amazon S3 resources based on the aws:SourceVpc or aws:SourceVpce condition keys.

Note

Athena workgroups that use IAM Identity Center authentication require that S3 Access Grants be configured to use trusted identity propagation identities. For more information, see S3 Access Grants and directory identities in the Amazon Simple Storage Service User Guide.

Amazon S3 access points and access point aliases

If you have a shared dataset in an Amazon S3 bucket, maintaining a single bucket policy that manages access for hundreds of use cases can be challenging.

Amazon S3 bucket access points help solve this issue. A bucket can have multiple access points, each with a policy that controls access to the bucket in a different way.

For each access point that you create, Amazon S3 generates an alias that represents the access point. Because the alias is in Amazon S3 bucket name format, you can use the alias in the LOCATION clause of your CREATE TABLE statements in Athena. Athena's access to the bucket is then controlled by the policy for the access point that the alias represents.

For more information, see Table location in Amazon S3 and Using access points in the Amazon S3 User Guide.

Using CalledVia context keys

For added security, you can use the aws:CalledVia global condition context key. The aws:CalledVia key contains an ordered list of each service in the chain that made requests on the principal's behalf. By specifying the Athena service principal name athena.amazonaws.com for the aws:CalledVia context key, you can limit requests to only those made from Athena. For more information, see Using Athena with CalledVia context keys.

Additional resources

For detailed information and examples about how to grant Amazon S3 access, see the following resources:

Example walkthroughs: Managing access in the Amazon S3 User Guide.
How can I provide cross-account access to objects that are in Amazon S3 buckets? in the Amazon Knowledge Center.
Cross-account access in Athena to Amazon S3 buckets.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Access through JDBC and ODBC connections

Cross-account access to S3 buckets