Access PRIVATE S3 bucket from Athena in a separate AWS account

Question

I am able to have cross-account access on a public S3 bucket bucketA. However, I need the Athena service and boto3 library to access the same S3 bucketA which is now a private resource.

How can it be done ?

Regards, Aarushi

Answer 1

When Amazon Athena runs queries, it uses the current user's access permissions to access Amazon S3.

Therefore, if you want a particular user to run Athena queries against data in S3, simply make sure that this user has access to the relevant Amazon S3 buckets.

Let's say you have:

• An IAM User (User-A) in Account-A
• An Amazon S3 Bucket (Bucket-B) in Account-B
• You want to permit User-A to run Amazon Athen queries against data in Bucket-B

You should:

• Add an IAM policy to User-A that permits them to access Bucket-B (presumably s3:ListBucket and s3:GetObject, at a minimum)
• Add a Bucket Policy to Bucket-B that permits access by User-A (this is required for cross-account access) -- the permissions should be the same as the IAM Policy (eg s3:ListBucket and s3:GetObject at a minimum)

That should allow User-A to run queries on data in Bucket-B.

See the documentation: Cross-account Access in Athena to Amazon S3 Buckets - Amazon Athena