Versions Compared

Old Version 1

changes.mady.by.user Ben

Saved on

compared with

New Version 2

changes.mady.by.user Ben

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Permissions to execute queries against Athena INFORMATION_SCHEMA. In particular the following tables:

    1. information_schema.views

    2. information_schema.tables

    3. information_schema.columns

  2. Executing queries in Athena requires an s3 bucket to temporary store results.
    The policy must also allow Read Write Listing access to objects to the bucket, conversely, the bucket must also have policy to allow to do the same.

  3. Permission to call the following Athena APIs

    1. list_databases

    2. list_table_metadata

    3. list_query_executions

    4. list_work_groups

    5. batch_get_query_executions

    6. start_query_execution

    7. get_query_execution

  4. The IAM policy will need permissions to access all Athena workgroups to be able to extract query logs data. Without access to the workgroups KADA can’t track user usage.

    1. See To limit access to workgroups see https://docs.aws.amazon.com/athena/latest/ug/workgroups-iam-policy.html on how to add policy entries to have fine grain control at the workgroup level. Note that the extractor runs queries on Athena, If

Note

Note if you do choose to restrict workgroup access, ensure that Query based actions (e.g. StartQueryExecution) are allowed for the workgroups the

...

in the IAM Policy.

Info

Athena reports usage at the workgroup. This means usage can not be attributed to the

...

user that executed the query. In K Athena usage will be reported against each work group in the format “athena_workgroup_<name>”

Example Role Policy to allow Athena Access with least privileges for actions

...