Access to workgroups and tags - Amazon Athena
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Access to workgroups and tags

A workgroup is a resource managed by Athena. Therefore, if your workgroup policy uses actions that take workgroup as an input, you must specify the workgroup's ARN as follows, where workgroup-name is the name of your workgroup:

"Resource": [arn:aws:athena:region:AWSAcctID:workgroup/workgroup-name]

For example, for a workgroup named test_workgroup in the us-west-2 region for Amazon Web Services account 123456789012, specify the workgroup as a resource using the following ARN:


To access trusted identity propagation (TIP) enabled workgroups, IAM Identity Center users must be assigned to the IdentityCenterApplicationArn that is returned by the response of the Athena GetWorkGroup API action.

Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see Security best practices in IAM in the IAM User Guide.