1

I created an access policy based on least privileges so that the user is only able to run queries in an Athena workgroup, called "finance-analyst-dev":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3Permissions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::datalake-finance-0123456789123-analytics-dev",
        "arn:aws:s3:::datalake-finance-0123456789123-analytics-dev/*"
      ]
    },
    {
      "Sid": "AthenaPermissions",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:ListQueryExecutions",
        "athena:GetWorkGroup",
        "athena:CreateNamedQuery",
        "athena:DeleteNamedQuery",
        "athena:GetNamedQuery",
        "athena:ListNamedQueries",
        "athena:BatchGetNamedQuery",
        "athena:BatchGetQueryExecution",
        "athena:UpdateNamedQuery",
        "athena:ListWorkGroups"
      ],
      "Resource": [
        "arn:aws:athena:us-east-1:0123456789123:workgroup/finance-analyst-dev"
      ]
    },
    {
      "Sid": "GluePermissions",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetTables",
        "glue:GetTable",
        "glue:GetPartitions"
      ],
      "Resource": [
        "arn:aws:glue:us-east-1:0123456789123:catalog",
        "arn:aws:glue:us-east-1:0123456789123:database/finance-analytics-dev",
        "arn:aws:glue:us-east-1:0123456789123:table/finance-analytics-dev/*"
      ]
    }
  ]
}

When accessing the console, the user continues to be informed that he cannot execute the athena:GetWorkGroup action on the resource:

Amazon Athena console error

I wouldn't want this user to access the primary workgroup.

All other permissions in this policy worked properly.

the Tin Man
  • 158,662
  • 42
  • 215
  • 303
Luís Gama
  • 13
  • 3

1 Answers1

0

Please refer to the example policies in the Athena user guide. Copying the content here for reference. There are a few entries missing on the Athena service level and Athena workgroup level.

The error you see may be related to using the primary workgroup as default. And you can override that in the settings.

{
    "Version": "2012-10-17",
    "Statement": [
       {
            "Effect": "Allow",
            "Action": [
                "athena:ListEngineVersions",
                "athena:ListWorkGroups",
                "athena:ListDataCatalogs",
                "athena:ListDatabases",
                "athena:GetDatabase",
                "athena:ListTableMetadata",
                "athena:GetTableMetadata"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:GetWorkGroup", 
                "athena:BatchGetQueryExecution",
                "athena:GetQueryExecution",
                "athena:ListQueryExecutions",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution",
                "athena:GetQueryResults",
                "athena:GetQueryResultsStream",
                "athena:CreateNamedQuery",
                "athena:GetNamedQuery",
                "athena:BatchGetNamedQuery",
                "athena:ListNamedQueries",
                "athena:DeleteNamedQuery",
                "athena:CreatePreparedStatement",
                "athena:GetPreparedStatement",
                "athena:ListPreparedStatements",
                "athena:UpdatePreparedStatement",
                "athena:DeletePreparedStatement"
            ],
            "Resource": [
                "arn:aws:athena:us-east-1:0123456789123:workgroup/finance-analyst-dev"
            ]
        }
    ]
}
lsc
  • 235
  • 1
  • 9