Punter Vicky

Reputation: 16982

Amazon Athena Cross Account Access

Can I create a database and table in Athena service within my account to access S3 data in another account?

I went over the below link, and I assume, as per this documentation, that both Amazon Athena and the S3 bucket have to be in the same account and access is provided to the user in another account.

https://console.aws.amazon.com/athena/home?force&region=us-east-1#query

Upvotes: 3

Views: 14181

Answers (2)

John Rotenstein

Reputation: 269191

This answer deals with the additional information that:

  • A Lambda function in Account-A must be able to create a table in Amazon Athena in Account-B

I haven't tested it, but I think you will require:

  • Role-A in Account-A for the Lambda function that:
    • Permits AssumeRole on Role-B
  • Role-B in Account-B that:
    • Permits access to Amazon Athena and the source bucket in Amazon S3
    • Trusts Role-A

The Lambda function will run with Role-A. It will then use credentials from Role-A to call AssumeRole on Role-B. This will return a new set of credentials that can be used to call Amazon Athena in Account-B.

Upvotes: 2
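The role chain described in this answer, written out as an added example (it is not the answer's own code): Role-A's identity policy, Role-B's trust policy and permissions policy, and the Lambda-side flow that assumes Role-B and then starts an Athena query with the temporary credentials. Account IDs, role names, bucket names, the database name and the workgroup are placeholders. The permissions policy also covers the Glue Data Catalog (where Athena keeps table metadata) and the query results location, both of which the answer leaves implicit. The boto3 import is kept inside the handler so the policy builders and the query loop can be exercised against stand-in clients without AWS access.

```python
"""Cross-account Athena call from a Lambda in Account-A through Role-B in Account-B.

Added example for this page, not code from the answer. All identifiers below are
placeholders.
"""
import time

ACCOUNT_A = "111111111111"   # placeholder: account running the Lambda
ACCOUNT_B = "222222222222"   # placeholder: account holding Athena and the data
ROLE_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/Role-A"
ROLE_B_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/Role-B"
SOURCE_BUCKET = "source-bucket-b"     # placeholder: table data in Account-B
RESULTS_BUCKET = "athena-results-b"   # placeholder: query results location in Account-B
DATABASE = "analytics"                # placeholder Glue/Athena database
WORKGROUP = "primary"


def role_a_policy() -> dict:
    """Identity policy on Role-A: its only cross-account right is assuming Role-B."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "sts:AssumeRole",
                           "Resource": ROLE_B_ARN}]}


def role_b_trust_policy() -> dict:
    """Trust policy on Role-B: trust Role-A specifically, not all of Account-A."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": ROLE_A_ARN},
                           "Action": "sts:AssumeRole"}]}


def role_b_permissions_policy() -> dict:
    """Permissions policy on Role-B: Athena in one workgroup, the catalog entries
    for one database, read on the source bucket, and write on the results bucket.
    Without the results-bucket write the query starts and then fails."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["athena:StartQueryExecution", "athena:GetQueryExecution",
                    "athena:GetQueryResults", "athena:StopQueryExecution"],
         "Resource": f"arn:aws:athena:*:{ACCOUNT_B}:workgroup/{WORKGROUP}"},
        {"Effect": "Allow",
         "Action": ["glue:GetDatabase", "glue:GetTable", "glue:CreateTable"],
         "Resource": [f"arn:aws:glue:*:{ACCOUNT_B}:catalog",
                      f"arn:aws:glue:*:{ACCOUNT_B}:database/{DATABASE}",
                      f"arn:aws:glue:*:{ACCOUNT_B}:table/{DATABASE}/*"]},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": [f"arn:aws:s3:::{SOURCE_BUCKET}", f"arn:aws:s3:::{RESULTS_BUCKET}"]},
        {"Effect": "Allow",
         "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{SOURCE_BUCKET}/*"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": f"arn:aws:s3:::{RESULTS_BUCKET}/*"},
    ]}


def assume_role_b(sts_client, session_name: str = "athena-cross-account") -> dict:
    """Exchange the Lambda's Role-A credentials for temporary Role-B credentials,
    returned as keyword arguments for a boto3 client."""
    creds = sts_client.assume_role(RoleArn=ROLE_B_ARN,
                                   RoleSessionName=session_name)["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


def run_query(athena_client, sql: str, database: str,
              poll_seconds: float = 1.0, max_polls: int = 60) -> str:
    """Start a query (e.g. CREATE EXTERNAL TABLE) as Role-B and poll until it
    finishes. Raises unless the final state is SUCCEEDED, so a permissions
    failure surfaces as a Lambda error instead of a silent success."""
    qid = athena_client.start_query_execution(
        QueryString=sql,
        QueryExecutionContext={"Database": database},
        WorkGroup=WORKGROUP,
        ResultConfiguration={"OutputLocation": f"s3://{RESULTS_BUCKET}/"},
    )["QueryExecutionId"]
    state = "QUEUED"
    for _ in range(max_polls):
        status = athena_client.get_query_execution(QueryExecutionId=qid)
        state = status["QueryExecution"]["Status"]["State"]
        if state not in ("QUEUED", "RUNNING"):
            break
        time.sleep(poll_seconds)
    if state != "SUCCEEDED":
        raise RuntimeError(f"query {qid} ended in state {state}")
    return qid


def lambda_handler(event, context):
    """Deployed entry point: real boto3 clients. Event carries 'sql' and 'database'."""
    import boto3  # imported here so the rest of the module runs without boto3
    athena = boto3.client("athena", **assume_role_b(boto3.client("sts")))
    return run_query(athena, event["sql"], event["database"])
```

The temporary credentials expire at the role's session duration, so a Lambda that caches the Athena client across warm invocations should re-assume the role when a call fails with an expired-token error rather than keeping the client forever.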

John Rotenstein

Reputation: 269191

From Access Control Policies - Amazon Athena:

To run queries in Athena, you must have the appropriate permissions for:

  • The Athena actions.
  • The Amazon S3 locations where the underlying data is stored that you are going to query in Athena.
  • ...

So, it seems that the IAM User who is executing the Athena query requires access to the Amazon S3 location.

This could be done by adding a Bucket Policy to the S3 bucket in the other account that permits the IAM User access to the bucket.

To explain better:

  • Account-A with IAM-User-A and AWS Athena
  • Account-B with Bucket-B that has a Bucket Policy granting access to IAM-User-A

Upvotes: 2
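The bucket-policy arrangement described in this answer, as an added example that is not part of the answer: the bucket policy on Bucket-B granting IAM-User-A, the identity policy IAM-User-A needs on the Account-A side (cross-account S3 access requires an Allow from both the resource policy and the caller's own policy), and a small evaluator that checks the two grants Athena's S3 access depends on, s3:ListBucket on the bucket ARN and s3:GetObject on the object ARN. Account IDs, the user name and the bucket name are placeholders; the evaluator is deliberately minimal and is not the IAM policy simulator.

```python
"""Bucket-B policy in Account-B granting IAM-User-A (Account-A) the S3 access Athena needs.

Added example for this page, not code from the answer. Identifiers are placeholders.
"""
import re

ACCOUNT_A = "111111111111"   # placeholder: account with IAM-User-A and Athena
USER_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:user/IAM-User-A"
BUCKET_B = "bucket-b"        # placeholder: data bucket in Account-B


def bucket_b_policy() -> dict:
    """Resource policy on Bucket-B. ListBucket applies to the bucket ARN and
    GetObject to the object ARN (bucket/*); granting only one of the two is a
    common reason a query over a cross-account location fails."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListForAthena", "Effect": "Allow",
         "Principal": {"AWS": USER_A_ARN},
         "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET_B}"},
        {"Sid": "ReadForAthena", "Effect": "Allow",
         "Principal": {"AWS": USER_A_ARN},
         "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{BUCKET_B}/*"},
    ]}


def user_a_identity_policy() -> dict:
    """Identity policy attached to IAM-User-A in Account-A. The bucket policy alone
    is not enough across accounts; the caller's side must allow the same actions."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET_B}", f"arn:aws:s3:::{BUCKET_B}/*"],
    }]}


def _match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def allows(policy: dict, principal_arn: str, action: str, resource_arn: str) -> bool:
    """True if some Allow statement matches principal, action and resource.
    Ignores Deny, Condition and the Not* forms: enough to sanity-check the
    policies above, not a replacement for the IAM policy simulator."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")  # absent in identity policies
        if principal is not None:
            arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
            if not any(_match(p, principal_arn) for p in arns):
                continue
        if not any(_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if any(_match(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def athena_read_allowed(policy: dict, principal_arn: str, bucket: str) -> bool:
    """The two S3 grants an Athena query over s3://bucket/... relies on."""
    sample_object = f"arn:aws:s3:::{bucket}/table/part-0000.csv"  # constructed key
    return (allows(policy, principal_arn, "s3:ListBucket", f"arn:aws:s3:::{bucket}")
            and allows(policy, principal_arn, "s3:GetObject", sample_object))
```

Athena in Account-A also writes query results to a results location; in this layout that bucket lives in Account-A, so IAM-User-A needs the usual s3:PutObject there through its own identity policy, independent of the Bucket-B policy.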
