Enable AWS Athena using Turbot

Enabling the AWS Athena service is straightforward in Turbot, but like many services in AWS, it has dependencies that must also be enabled for full functionality. The following example details the permission set and the services that must be enabled to replicate the AWS managed Athena metadata policy.

Core services required:

  • AWS > Athena > Enabled
  • AWS > S3 > Enabled
  • AWS > CloudFormation > Enabled
  • AWS > EC2 > Enabled
  • AWS > IAM > Enabled
  • AWS > RDS > Enabled
  • AWS > Redshift > Enabled
  • AWS > SageMaker > Enabled
  • AWS > Glue > Enabled
  • AWS > KMS > Enabled

Then a combination of the following permissions will need to be applied to users in Turbot:

  • AWS/Athena/Admin (Includes admin operations delete/create)
  • AWS/S3/Operator (Includes the create bucket operation)
  • AWS/Metadata (Covers all other services listed)

Other services in AWS such as CloudFormation and EC2 can require that multiple core services are enabled in Turbot.

For example, if CloudFormation is used to create a VPC network and stand up EC2 instances, the AWS > EC2 > Enabled and AWS > VPC > Enabled policies must be set to Enabled in addition to the more obvious AWS > CloudFormation > Enabled policy. Requiring each dependent service to be explicitly enabled helps restrict users from creating resources that fall outside the scope of the defined security policy.
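The dependency relationships above are easy to get wrong when several services are involved, so a small readiness check is useful before handing the Athena role to users. The following script is an added example written for this article; it is not Turbot code and does not call the Turbot API. The dependency table and the permission list are taken from this article; the EC2 -> VPC dependency models the CloudFormation VPC/EC2 case described above and is an assumption for this example, as are the sample policy values and the user's sample grants.

```python
"""
Check which Turbot "AWS > <Service> > Enabled" policies and which Turbot
permission grants are missing for a given set of AWS services.

Added example for this article. The dependency table mirrors the article's
lists; it is not a Turbot data file and the check runs entirely offline.
"""
from typing import Dict, Iterable, List, Set

# Service -> services that must also be enabled (from the article).
# EC2 -> VPC is an assumption modelling the CloudFormation VPC/EC2 stack
# example; CloudFormation itself needs whatever its template creates.
DEPENDENCIES: Dict[str, Set[str]] = {
    "Athena": {"S3", "CloudFormation", "EC2", "IAM", "RDS",
               "Redshift", "SageMaker", "Glue", "KMS"},
    "CloudFormation": set(),
    "EC2": {"VPC"},  # assumption: VPC-backed EC2 stack
}

# Turbot permission grants the article says an Athena user needs.
ATHENA_GRANTS: Set[str] = {"AWS/Athena/Admin", "AWS/S3/Operator", "AWS/Metadata"}


def policy_path(service: str) -> str:
    """Build the Turbot policy path for a service's Enabled switch."""
    return f"AWS > {service} > Enabled"


def required_policies(services: Iterable[str]) -> Set[str]:
    """Transitive closure of Enabled policies needed for the given services."""
    needed: Set[str] = set()
    stack: List[str] = list(services)
    while stack:
        svc = stack.pop()
        if svc in needed:
            continue
        needed.add(svc)
        stack.extend(DEPENDENCIES.get(svc, set()))
    return {policy_path(s) for s in needed}


def missing_policies(services: Iterable[str], enabled: Dict[str, str]) -> List[str]:
    """Required Enabled policies whose current value is not 'Enabled'."""
    return sorted(p for p in required_policies(services)
                  if enabled.get(p) != "Enabled")


def missing_grants(user_grants: Iterable[str]) -> List[str]:
    """Athena permission grants the user does not yet hold."""
    return sorted(ATHENA_GRANTS - set(user_grants))


if __name__ == "__main__":
    # Constructed sample: only Athena and S3 switched on so far, Glue disabled.
    current = {
        "AWS > Athena > Enabled": "Enabled",
        "AWS > S3 > Enabled": "Enabled",
        "AWS > Glue > Enabled": "Disabled",
    }
    print("Missing policies for Athena:")
    for p in missing_policies(["Athena"], current):
        print("  ", p)
    print("Missing grants for user:", missing_grants(["AWS/Metadata"]))
```

Feed `missing_policies` the current values of the Enabled policies for the account and it lists every switch, including the transitive VPC one, that still has to be flipped before Athena works end to end.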

More information regarding Turbot guardrails for AWS Athena can be found here: https://poc.turbot.com/help/security/guardrails-for-aws-athena/
