Athena Security: Data Protection, Monitoring, and Secure Access
What is AWS Athena Security?
Amazon Athena is a query service that lets you perform ad hoc queries on large volumes of data. You can use it to define SQL queries and run them directly on data stored in Amazon S3 buckets.
AWS Athena security is established based on the shared responsibility model, which specifies that AWS as the cloud service provider protects the underlying infrastructure and AWS users protect their workloads.
There are several ways to protect Athena queries and securely connect to S3. You can establish both encryption at rest and encryption in transit, leverage TLS to secure communications, and use AWS PrivateLink to create a private connection between your VPC and Athena.
Athena supports several security features, including AWS Key Management Service (AWS KMS) for encryption, and AWS Identity and Access Management (IAM) for access control. You can also use AWS CloudTrail to monitor Athena and analyze security event trends using Amazon QuickSight.
This is part of our series of articles about Redshift security.
In this article, you will learn:
- AWS Athena Data Protection
- Encryption at Rest
- Encryption in Transit
- AWS Key Management Service (KMS)
- Internetwork Traffic Privacy
- AWS Identity and Access Management (IAM) in Athena
- Logging and Monitoring in Athena
- Connecting to Amazon Athena Using an Interface VPC Endpoint
- Athena Security with Satori
AWS Athena Data Protection
As a cloud computing provider, AWS operates according to the shared responsibility model. This means that AWS is responsible for protecting the underlying infrastructure of the cloud, while each cloud user is responsible for protecting their workloads and data. AWS provides features and services that assist customers in protecting their cloud resources.
Encryption at Rest
Athena lets you run queries on encrypted data stored in Amazon S3 repositories that are located in the same region or a limited number of regions. It is also possible to encrypt query results in S3, as well as data located in the AWS Glue Data Catalog.
Encryption in Transit
To encrypt data in transit, Athena uses Transport Layer Security (TLS) encryption. This is applied to all data passing between S3 and Athena, as well as between Athena and any customer application attempting to access Athena. To allow only encrypted connections with HTTPS (TLS), you can apply the aws:SecureTransport condition on S3 buckets IAM policies.
AWS Key Management Service (KMS)
When you use Athena to query sensitive data, it is important to manage encryption and decryption of data stored in your S3 buckets. Amazon KMS helps you manage encryption keys, and integrate with Athena so it can decrypt data for analysis, and encrypt query results as well. Athena uses KMS to access the customer master keys (CMKs) you used to encrypt your S3 data.
Internetwork Traffic Privacy
Internal traffic communication is protected using the TLS protocol and AWS KMS. In addition, you can enable a connectivity feature that protects communication between AWS and your private network. There are two options you can choose from—an AWS Direct Connect connection or a Site-to-Site AWS VPN connection.
AWS Identity and Access Management (IAM) in Athena
You use AWS IAM to control access to Athena. Here are the permissions required before users are allowed to run Athena queries:
- Permission to access Amazon S3 locations that Athena is required to query
- Permission to access metadata in AWS Glue Data Catalog and perform actions on encrypted data
- Permission to access operations in the Athena API
To deny or allow actions on Athena with IAM, you need to attach identity-based policies to principals like groups or users. Each identity-based policy contains statements that specify the actions that are either denied or allowed. Athena provides two managed policies:
- AmazonAthenaFullAccess—enables privileged users full access to Athena functionality. Use this role with care.
- AWSQuicksightAthenaAccess—provides access to certain actions required to enable integration between Amazon QuickSight and Athena.
You can also use customer-managed and inline identity-based policies. These options enable you to define detailed Athena actions within each policy and fine-tune the access granted or denied.
Logging and Monitoring in Athena
Amazon Athena provides the following options to detect events, receive notifications, and respond when they occur:
- Monitoring Athena usage with CloudTrail—you can use AWS CloudTrail to keep a record of actions performed by users, roles, or AWS services in Athena. Capture calls from the Athena console and encode Athena API actions into events. This provides visibility into requests to Athena, IP addresses that made the request, who made the request and when, and other details.
- Setting up dashboards with QuickSight—Amazon QuickSight is a business intelligence (BI) service that lets you easily create dashboards to analyze and explore your data. You can apply QuickSight to CloudTrail data to quickly set up dashboards for Athena monitoring activity.
- Monitoring events using CloudWatch—CloudWatch Events provides a near real-time stream of system events that describe changes in AWS resources. CloudWatch Events identifies and automatically responds to operational changes in Athena, for example by activating features, making changes, capturing status, or taking other corrective action. You can use CloudWatch Events in Athena by creating a rule that can be triggered on Athena API calls via CloudTrail.
- Using workgroups to monitor users, teams, or applications—view query-related metrics in Amazon CloudWatch for specific users or applications, set limits on the amount of data scanned, control query costs, create thresholds, and take actions such as sending Amazon SNS alarms when thresholds are exceeded.
Connecting to Amazon Athena Using an Interface VPC Endpoint
While it is possible to connect to Athena over the public Internet, a more secure alternative is to connect using AWS PrivateLink, an interface VPC endpoint accessible from within your Virtual Private Cloud (VPC).
The interface VPC endpoint does not use an Internet gateway, VPN connection, an AWS Direct Connect connection, or a NAT device. When you use a PrivateLink, communication between Athena and your VPC occurs exclusively through the AWS network.
Technically, a VPC endpoint consists of at least one Elastic Network Interface (ENIs). Each ENI has a private IP address in a subnet within your VPC. This means instances located in the VPC do not require a public IP address in order to communicate with the Athena API.
To use this type of connectivity, you need to use an instance located within the VPC. Alternatively, you can connect your private network to the VPC using AWS Direct Connect or the AWS VPN service.