Block file downloads from Amazon S3 without compromising Amazon Athena

Time:01-31

I created this policy below to prevent users from downloading files in a specific Amazon S3 bucket, but they were also unable to run a query in Amazon Athena, getting a "Permission denied on S3 path: ..." error. Once I removed the policy, they were immediately able to run the query again. On the other hand, they can read a file in EMR Notebooks (PySpark), which is desirable.

How can I block files from being downloaded without compromising Athena's usage?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

CodePudding user response:

The challenge here is in how Athena works. According to the Access to Amazon S3 docs:

users must have permission to access Amazon S3 buckets in order to query them with Athena.

When users interact with Athena, their permissions pass through Athena to determine what Athena can access. So the user fundamentally needs to have GetObject permission in order for Athena to be able to read the objects.

That said, one option would be to modify your S3 bucket policy to deny access if the client is not actually Athena. You can do that using aws:CalledVia, which is present and indicates athena.amazonaws.com when Athena makes requests on behalf of the IAM user (or role). For example:

"Condition": {
    "StringNotEquals": {"aws:CalledVia": "athena.amazonaws.com"}
}
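A complete bucket-policy statement built around that condition, added here as an illustration and not taken from the question or the answer. The bucket name is the placeholder from the question, the Sid is made up, and the use of the ForAllValues set operator is a design choice: aws:CalledVia is a multivalued condition key (the chain of services that acted on the principal's behalf), so it is tested with a set operator rather than a plain string operator.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyObjectReadsUnlessViaAthena",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "ForAllValues:StringNotEquals": {
                    "aws:CalledVia": "athena.amazonaws.com"
                }
            }
        }
    ]
}
```

ForAllValues:StringNotEquals is true when none of the values in aws:CalledVia equals athena.amazonaws.com; when the key is absent altogether, as it is for a direct GetObject from the console, CLI or an SDK, the empty set also satisfies it, so direct downloads are denied while Athena-initiated reads are not. Two things to check before relying on it: an explicit Deny only removes access, so the user's identity policy must still Allow s3:GetObject (and s3:ListBucket on the bucket) for Athena to read the data; and any other caller that reaches S3 without a service in the middle is denied as well, which, assuming Spark on the EMR cluster reads S3 with the cluster's own instance-profile role, includes the PySpark reads the question wants to keep. To preserve those, carve the EMR role out of the Deny, for example with an additional aws:PrincipalArn condition on that role's ARN.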