AWS Athena
Resolve can query data using AWS Athena — useful for investigating CloudTrail audit logs, VPC Flow Logs, ALB access logs, and other operational data stored in S3.

AWS does not offer a read-only Athena managed policy. You need to create a custom inline policy on the IAM role used by Resolve.

1. Add Athena permissions

On the same IAM role created for Resolve (Resolve access role), add a custom inline policy with the following JSON:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AthenaQueryAccess",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StopQueryExecution",
        "athena:ListDatabases",
        "athena:ListDataCatalogs",
        "athena:ListTableMetadata",
        "athena:ListWorkGroups",
        "athena:GetWorkGroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GlueReadOnly",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartitions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AthenaQueryResultsAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::aws-athena-query-results-*",
        "arn:aws:s3:::aws-athena-query-results-*/*"
      ]
    }
  ]
}
```

About these permissions:

- Athena actions allow Resolve to run read-only SQL queries and discover databases/tables. Resolve enforces that only `SELECT`, `SHOW`, `DESCRIBE`, and `EXPLAIN` queries are executed.
- Glue read-only actions are required because Athena uses the AWS Glue Data Catalog to store table metadata.
- S3 write access (`PutObject`) is scoped to the Athena query results bucket only — Athena must write query output to S3. If your results bucket uses a different naming pattern, adjust the `Resource` ARN accordingly.

2. Configure your Athena workgroup

Your Athena workgroup must have a default query results S3 location configured. Without this, queries will fail.

- In the AWS Console, go to Amazon Athena > Workgroups.
- Select your workgroup (typically `primary`).
- Click Edit and set the Query result location (e.g., `s3://aws-athena-query-results-<account-id>-<region>/`).
- Save.

3. Safety guardrails

Resolve enforces several safety measures for Athena queries:

- IAM role permissions — The IAM roles configured above only provide read permissions for Athena query execution.
- Read-only SQL only — Only `SELECT`, `SHOW`, `DESCRIBE`, and `EXPLAIN` queries are permitted. DDL/DML (`CREATE`, `DROP`, `INSERT`, etc.) is blocked.
- 60-second timeout — Queries running longer than 60 seconds are automatically cancelled.
- 100 GB data scan limit — Queries scanning more than 100 GB of data are automatically cancelled to prevent unexpected costs.
- 1,000 row result limit — Query results are capped at 1,000 rows.
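
The scoping described under "About these permissions" in step 1 can be checked before the inline policy is attached. The Python audit below is an added example, not Resolve's code or part of the original page: it flags Allow statements that grant actions outside the page's list or that let S3 write actions reach resources outside the results bucket. The function names, the `GOOD`/`BAD` samples and the default bucket prefix are assumptions made for illustration.

```python
import fnmatch

# Actions granted by the page's policy, lower-cased (IAM action names are case-insensitive).
ALLOWED = {a.lower() for a in (
    "athena:StartQueryExecution athena:GetQueryExecution athena:GetQueryResults "
    "athena:StopQueryExecution athena:ListDatabases athena:ListDataCatalogs "
    "athena:ListTableMetadata athena:ListWorkGroups athena:GetWorkGroup "
    "glue:GetDatabase glue:GetDatabases glue:GetTable glue:GetTables glue:GetPartitions "
    "s3:GetBucketLocation s3:GetObject s3:ListBucket s3:PutObject "
    "s3:ListMultipartUploadParts s3:AbortMultipartUpload s3:ListBucketMultipartUploads"
).split()}
S3_WRITE = ("s3:putobject", "s3:abortmultipartupload")  # the mutating S3 actions in that list
RESULTS_PREFIX = "arn:aws:s3:::aws-athena-query-results-"  # assumed; match your bucket naming

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, results_prefix=RESULTS_PREFIX):
    """Return findings; an empty list means the policy stays within the page's scoping."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource needs manual review")
            continue
        loose = [r for r in as_list(stmt["Resource"]) if not r.startswith(results_prefix)]
        for action in (a.lower() for a in as_list(stmt["Action"])):
            if action not in ALLOWED:
                findings.append(f"{sid}: {action} is not in the documented action list")
            # Wildcards such as s3:* or s3:Put* also cover the write actions.
            if loose and any(fnmatch.fnmatchcase(w, action) for w in S3_WRITE):
                findings.append(f"{sid}: {action} can write outside the results bucket: {loose}")
    return findings

# Constructed samples: a subset of the page's S3 statement, and a mis-scoped variant.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AthenaQueryResultsAccess", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:AbortMultipartUpload"],
    "Resource": ["arn:aws:s3:::aws-athena-query-results-*",
                 "arn:aws:s3:::aws-athena-query-results-*/*"]}]}
BAD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow",
    "Action": ["s3:*", "athena:DeleteWorkGroup"], "Resource": "*"}]}

if __name__ == "__main__":
    print(audit(GOOD), *audit(BAD), sep="\n")
```

The check is a prefix match on the resource ARN, so it does not evaluate policy conditions or permissions boundaries.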