Is it possible to use AWS Athena through a VPC endpoint?

I would like to know if it is possible to create a VPC endpoint for AWS Athena and restrict it to only allow certain users (who MUST be in my account) to use the VPC endpoint. I currently use this VPC endpoint policy for an S3 endpoint and I would need something similar to use with AWS Athena.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<MY_ACCOUNT_ID>:user/user1",
                    "arn:aws:iam::<MY_ACCOUNT_ID>:user/user2",
                    ...
                ]
            },
            "Action": "*",
            "Resource": "*"
        }
    ]
}

The problem I'm trying to solve is to block developers in my company, who are logged into an RDP session inside my company VPN, from offloading data to a personal AWS account. So I would need a solution that blocks access to the public internet, which is why I think a VPC endpoint should be the only option, but I accept new ideas.

Yuri Olive asked Jan 07 '19 20:01

1 Answer

Yes you can, check out this doc: https://docs.aws.amazon.com/athena/latest/ug/interface-vpc-endpoint.html

Also, keep in mind to adopt encryption at rest and in transit when querying data via Athena; by default the results are always open, even if they are saved in an encrypted S3 bucket.

Igor Costa answered Oct 02 '22 05:10
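As an added example (not part of the question or the answer above), here is what the S3 endpoint policy from the question looks like when carried over to an Athena interface endpoint. It keeps the explicit list of allowed IAM users and adds an `aws:PrincipalAccount` condition so that credentials from any other account, such as a personal one, are refused at the endpoint even if the principal list is later widened. `<MY_ACCOUNT_ID>` is a placeholder and the user names are taken from the question; the Athena actions listed are the ones needed to run a query and read its results.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OnlyNamedUsersFromMyAccount",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<MY_ACCOUNT_ID>:user/user1",
                    "arn:aws:iam::<MY_ACCOUNT_ID>:user/user2"
                ]
            },
            "Action": [
                "athena:StartQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:StopQueryExecution",
                "athena:ListWorkGroups",
                "athena:GetWorkGroup"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalAccount": "<MY_ACCOUNT_ID>"
                }
            }
        }
    ]
}
```

The endpoint policy only governs calls that arrive through the endpoint, so the exfiltration goal in the question still depends on the subnet having no route to the public internet; the query results bucket should additionally be locked down with its own S3 endpoint policy, as the question already does.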