Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Its possible to use AWS Athena using a VPC endpoint?

Tags:

amazon-web-services

vpc

I would like to know if it is possible to create a VPC endpoint for AWS Athena and restrict to only allow certain users (that MUST BE in my account) to use the VPC endpoint. I currently use this VPC endpoint policy for a S3 endpoint and I would need something similar to use with AWS Athena.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<MY_ACCOUNT_ID>:user/user1",
                    "arn:aws:iam::<MY_ACCOUNT_ID>:user/user2",
                    ...
                ]
            },
            "Action": "*",
            "Resource": "*"
        }
    ]
}

The problem I'm trying to solve is to block developers in my company, that are logged in a RDP session inside my company VPN, to offload data to a personal AWS account. So I would need a solution that blocks access to the public internet, so I think a VPC endpoint should be the only option, but I accept new ideas.

like image 617
Yuri Olive Avatar asked Jan 07 '19 20:01

Yuri Olive

People also ask

Does AWS Athena run in a VPC?

Athena supports VPC endpoints in all AWS Regions where both Amazon VPC and Athena are available. You can create an interface VPC endpoint to connect to Athena using the AWS Management Console or AWS Command Line Interface (AWS CLI) commands.

What is AWS VPC endpoint used for?

A VPC endpoint allows you to privately connect your VPC to supported AWS services. It doesn't require you to deploy an internet gateway, network address translation (NAT) device, Virtual Private Network (VPN) connection, or AWS Direct Connect connection.

How do you find Athena's endpoint?

The region endpoint of your Athena instance can be found in the top right of the web console. In the example below, note that the instance is based in US East (Ohio) which corresponds top the us-east-2 region code. To find the region code from a region name consult this listing.

What is the difference between AWS PrivateLink and VPC endpoint?

AWS defines them as: VPC endpoint — The entry point in your VPC that enables you to connect privately to a service. AWS PrivateLink — A technology that provides private connectivity between VPCs and services. So PrivateLink is technology allowing you to privately (without Internet) access services in VPCs.

1 Answers

Yes you can, check out this doc. https://docs.aws.amazon.com/athena/latest/ug/interface-vpc-endpoint.html

Also, keep in mind to adopt a encryption at rest and transit when query data via athena, the results always by default is open even if it's saved on a encrypted s3 bucket.

like image 184
Igor Costa Avatar answered Oct 02 '22 05:10

Igor Costa
Sign in to Comment

Related questions

How to get AWS Glue crawler to assume a role in another AWS account to get data from that account's S3 bucket?
How read table with non utf-8 encoding in aws gllue?
Use IAM role instead of credentials to create aws resource from an EC2 instance using terraform
call_command makemigrations does not work on Elastic Beanstalk
Terraform AWS Provider: array of ECS task placement constraints?
Generating an AWS Signature v4 signature for uploading to s3 (migration from v2)
Given a failed AWS API request, how can I debug what permissions I need?
Nodejs AWS Lambda switching to another accounts access and secret key to perform functions
Using List of IAM Policy Document Objects as AWS::Serverless::Function Policies
AWS Cognito completeNewPasswordChallenge calls onFailure method but the user is confirmed in AWS Console
Can we see or edit 'job bookmark' info in AWS glue or where it get stored?
How to setup API gateway to talk to private NLB?
How to break existing CloudFormation stack into separate nested stacks, moving existing resources under nested stack
How can we control number of EC2 instances to be launched by federated user?
Simulate Principal Policy using assumed role
AWS CloudFormation Rate Exceeded
How do I deploy monorepo code to AWS Lambda using lerna?
Django admin ImageField: Upload a valid image. The file you uploaded was either not an image or a corrupted image
Sending SQS message timeout
EMR dyanmodb export failed because of table capacity set to on-demand

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!