AWS Athena Guide (Beta)
It only takes a few minutes to get started with Satori. What you need is:
- Access to Satori's management console.
- The AWS region where your Athena data is hosted, for example:
us-east-1for AWS in N. Virginia.
Adding an AWS Athena Data Store to Satori
- Login to Satori's management console at https://app.satoricyber.com.
- In the Data Stores view, select Add Data Store.
- Select the AWS Athena option.
- Enter an informative name for the data store, for example: Sales Data Warehouse.
- Select the AWS region where your data is hosted, for example:
- Click Create. You will be redirected to the Data Stores list.
Connect to AWS Athena via Satori
To connect to AWS Athena using Satori use the Satori hostname that was generated by the management console which can be found under Satori Hostname in the data store settings view, for example:
Authenticating with AWS Credentials
AWS Athena uses a different authentication scheme than most other databases - the client does not send the password to the server on the HTTP request, to be checked by the server. Instead, the client uses the password to cryptographically sign the HTTP request and the server checks that signature.
To support this authentication scheme, Satori needs to re-sign the HTTP request before it sends it to Athena using the credentials of the user.
To send the user credentials to Satori, concatenate the AWS_SECRET_KEY to the AWS_ACCESS_KEY as follows:
The AWS_SECRET_KEY is being transmitted from the client to Satori over a TLS-encrypted connection, and is not stored or logged by Satori in any way. However, since some client tools may not consider the AWS_ACCESS_KEY parameter as a secret like AWS_SECRET_KEY, it is advised to avoid specifying it explicitly in connection parameters and use alternative methods like environment variables, reading it from a file or from a password manager.
Connecting with the JDBC driver
To connect with the JDBC driver, override or add the following parameters in the JDBC URL:
Connecting with Python
To connect with Python, set the
endpoint_url argument to the
client function, and the AWS credentials as described above. For example:
client = boto3.client(service_name='athena', region_name='us-east-1', endpoint_url="https://abc123.us-east-1.a.p0.satoricyber.net", aws_access_key_id="AKIAYC5GYL27Q4ZE5H4L|CbfbaJJiszfBxkWkNFgvzx3GPx3t3bye49Jzu5f3", aws_secret_access_key="CbfbaJJiszfBxkWkNFgvzx3GPx3t3bye49Jzu5f3")
Network Policy Settings
Satori provides you with the ability to define your network security policy for your data store.
Simply, specify which IP addresses and subnet masks should be allowed access to the Data Store and which IP addresses and subnet masks should be blocked. Note that by default, Satori allows all IP address ranges if you leave the form empty.
To allow all IP addresses leave the form empty.
To block specific IP addresses add them to the blocked IP address list.
To only allow access to specific IP addresses add them to the allow list. Note: Access from all ohter IP addresses ware blocked.
To allow access from a specific IP address range while blocking parts of the range add the IP range to the list of allowed IP addreses and add the IP address that you wish to block to the Block list.