Identity and access management in Athena
Amazon Athena uses Amazon Identity and Access Management (IAM) policies to restrict access to Athena operations. For a full list of permissions for Athena, see Actions, resources, and condition keys for Amazon Athena in the Service Authorization Reference.
Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see Security best practices in IAM in the IAM User Guide.
The permissions required to run Athena queries include the following:
-
Amazon S3 locations where the underlying data to query is stored. For more information, see Identity and access management in Amazon S3 in the Amazon Simple Storage Service User Guide.
-
Metadata and resources that you store in the Amazon Glue Data Catalog, such as databases and tables, including additional actions for encrypted metadata. For more information, see Setting up IAM permissions for Amazon Glue and Setting up encryption in Amazon Glue in the Amazon Glue Developer Guide.
-
Athena API actions. For a list of API actions in Athena, see Actions in the Amazon Athena API Reference.
The following topics provide more information about permissions for specific areas of Athena.
Topics
- Amazon managed policies
- Access through JDBC and ODBC connections
- Access to Amazon S3
- Cross-account access to S3 buckets
- Fine-grained access to databases and tables in Amazon Glue
- Cross-account access to Amazon Glue data catalogs
- Access to encrypted metadata in the Data Catalog
- Access to workgroups and tags
- Allow access to prepared statements
- Using CalledVia context keys
- Allow access to an Athena Data Connector for External Hive Metastore
- Allow Lambda function access to external Hive metastores
- Allow access to Athena Federated Query
- Allow access to Athena UDF
- Allowing access for ML with Athena
- Enabling federated access to the Athena API