I would like to know if it is possible to create a VPC endpoint for AWS Athena and restrict to only allow certain users (that MUST BE in my account) to use the VPC endpoint. I currently use this VPC endpoint policy for a S3 endpoint and I would need something similar to use with AWS Athena.
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<MY_ACCOUNT_ID>:user/user1",
"arn:aws:iam::<MY_ACCOUNT_ID>:user/user2",
...
]
},
"Action": "*",
"Resource": "*"
}
]
}
The problem I'm trying to solve is to block developers in my company, that are logged in a RDP session inside my company VPN, to offload data to a personal AWS account. So I would need a solution that blocks access to the public internet, so I think a VPC endpoint should be the only option, but I accept new ideas.
Athena supports VPC endpoints in all AWS Regions where both Amazon VPC and Athena are available. You can create an interface VPC endpoint to connect to Athena using the AWS Management Console or AWS Command Line Interface (AWS CLI) commands.
A VPC endpoint allows you to privately connect your VPC to supported AWS services. It doesn't require you to deploy an internet gateway, network address translation (NAT) device, Virtual Private Network (VPN) connection, or AWS Direct Connect connection.
The region endpoint of your Athena instance can be found in the top right of the web console. In the example below, note that the instance is based in US East (Ohio) which corresponds top the us-east-2 region code. To find the region code from a region name consult this listing.
AWS defines them as: VPC endpoint — The entry point in your VPC that enables you to connect privately to a service. AWS PrivateLink — A technology that provides private connectivity between VPCs and services. So PrivateLink is technology allowing you to privately (without Internet) access services in VPCs.
Yes you can, check out this doc. https://docs.aws.amazon.com/athena/latest/ug/interface-vpc-endpoint.html
Also, keep in mind to adopt a encryption at rest and transit when query data via athena, the results always by default is open even if it's saved on a encrypted s3 bucket.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With