in lib/constructs/data-lake-enrollment.ts [53:253]
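/**
 * Creates the two coarse-grained managed policies for this dataset and stores
 * them on the construct:
 *
 *  - `CoarseResourceAccessPolicy`: read-only S3 access to the data-lake bucket
 *    and this dataset's prefix, read access to the Glue catalog entries for the
 *    dataset's database, Athena query execution in this account, and the
 *    Lake Formation data-access statement from
 *    https://docs.aws.amazon.com/lake-formation/latest/dg/cloudtrail-tut-create-lf-user.html
 *  - `CoarseAthenaAccessPolicy`: an inline copy of the AWS Managed Policy
 *    AthenaFullAccess (`athena:*` plus Glue catalog create/update/delete on
 *    every resource, and write access to `aws-athena-query-results-*`).
 *
 * Both policies are deliberately coarse: most statements of the second policy
 * use `Resource: "*"`, so attach it only to principals that are meant to
 * administer Athena/Glue in this account, not to ordinary data consumers.
 *
 * ARNs are built with the stack's partition rather than a hard-coded `aws`
 * partition so the construct also deploys into other partitions.
 */
public createCoarseIamPolicy(): void {
  // Resolve the stack once; `partition` becomes ${AWS::Partition} when unresolved.
  const stack = Stack.of(this);
  const partition = stack.partition;
  const region = stack.region;
  const account = stack.account;

  const bucketArn = `arn:${partition}:s3:::${this.DataEnrollment.DataLakeBucketName}`;
  const glueArnPrefix = `arn:${partition}:glue:${region}:${account}`;
  const databaseName = this.DataEnrollment.Dataset_DatalakeDatabaseName;

  // Read-only access to the dataset's objects.
  // NOTE(review): the object ARN appends DataLakePrefix directly to the bucket
  // ARN, so the prefix is assumed to begin with "/" — confirm against the
  // enrollment props; without the slash the ARN would name a different bucket.
  // `s3:List*` on the bucket ARN lists the whole bucket, not only the prefix;
  // narrowing that would need an `s3:prefix` condition.
  const s3PolicyStatement = iam.PolicyStatement.fromJson({
    "Effect": "Allow",
    "Action": [
      "s3:GetObject*",
      "s3:GetBucket*",
      "s3:List*"
    ],
    "Resource": [
      bucketArn,
      `${bucketArn}${this.DataEnrollment.DataLakePrefix}*`
    ]
  });

  // Read access to the catalog, the default database (Athena needs it) and this
  // dataset's database plus every table in it.
  const gluePolicyStatement = iam.PolicyStatement.fromJson({
    "Effect": "Allow",
    "Action": [
      "glue:GetDatabase",
      "glue:GetTable"
    ],
    "Resource": [
      `${glueArnPrefix}:catalog`,
      `${glueArnPrefix}:database/default`,
      `${glueArnPrefix}:database/${databaseName}`,
      `${glueArnPrefix}:table/${databaseName}/*`
    ]
  });

  // Run and read queries in any workgroup of this account/region.
  const athenaPolicyStatement = iam.PolicyStatement.fromJson({
    "Effect": "Allow",
    "Action": [
      "athena:BatchGetNamedQuery",
      "athena:BatchGetQueryExecution",
      "athena:GetQueryExecution",
      "athena:GetQueryResults",
      "athena:GetQueryResultsStream",
      "athena:GetWorkGroup",
      "athena:ListTagsForResource",
      "athena:StartQueryExecution"
    ],
    "Resource": [
      `arn:${partition}:athena:${region}:${account}:*`
    ]
  });

  // https://docs.aws.amazon.com/lake-formation/latest/dg/cloudtrail-tut-create-lf-user.html
  // Lake Formation itself enforces the per-table grants; these Glue read
  // actions on "*" only let the principal discover catalog entries.
  const coarseLakeFormationPolicy = iam.PolicyStatement.fromJson({
    "Effect": "Allow",
    "Action": [
      "lakeformation:GetDataAccess",
      "glue:GetTable",
      "glue:GetTables",
      "glue:SearchTables",
      "glue:GetDatabase",
      "glue:GetDatabases",
      "glue:GetPartitions"
    ],
    "Resource": "*"
  });

  const coarsePolicyName = `${this.DataSetName}-coarseIamDataLakeAccessPolicy`;
  this.CoarseResourceAccessPolicy = new iam.ManagedPolicy(this, coarsePolicyName, {
    policyName: coarsePolicyName,
    statements: [
      s3PolicyStatement,
      gluePolicyStatement,
      athenaPolicyStatement,
      coarseLakeFormationPolicy
    ]
  });

  // This is effectively the same as the AWS Managed Policy AthenaFullAccess.
  // Only the two S3 bucket ARNs are templated on the partition; everything
  // else is kept verbatim so it stays comparable with the managed policy.
  const coarseAthenaAccess = {
    "Version": "2012-10-17",
    "Statement": [
      {
        // Every Athena action on every resource.
        "Effect": "Allow",
        "Action": [
          "athena:*"
        ],
        "Resource": [
          "*"
        ]
      },
      {
        // Glue catalog read AND mutation (create/update/delete databases,
        // tables and partitions) on every resource.
        "Effect": "Allow",
        "Action": [
          "glue:CreateDatabase",
          "glue:DeleteDatabase",
          "glue:GetDatabase",
          "glue:GetDatabases",
          "glue:UpdateDatabase",
          "glue:CreateTable",
          "glue:DeleteTable",
          "glue:BatchDeleteTable",
          "glue:UpdateTable",
          "glue:GetTable",
          "glue:GetTables",
          "glue:BatchCreatePartition",
          "glue:CreatePartition",
          "glue:DeletePartition",
          "glue:BatchDeletePartition",
          "glue:UpdatePartition",
          "glue:GetPartition",
          "glue:GetPartitions",
          "glue:BatchGetPartition"
        ],
        "Resource": [
          "*"
        ]
      },
      {
        // Query-result buckets, including the right to create them.
        "Effect": "Allow",
        "Action": [
          "s3:GetBucketLocation",
          "s3:GetObject",
          "s3:ListBucket",
          "s3:ListBucketMultipartUploads",
          "s3:ListMultipartUploadParts",
          "s3:AbortMultipartUpload",
          "s3:CreateBucket",
          "s3:PutObject"
        ],
        "Resource": [
          `arn:${partition}:s3:::aws-athena-query-results-*`
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:ListBucket"
        ],
        "Resource": [
          `arn:${partition}:s3:::athena-examples*`
        ]
      },
      {
        // Bucket enumeration across the whole account.
        "Effect": "Allow",
        "Action": [
          "s3:ListBucket",
          "s3:GetBucketLocation",
          "s3:ListAllMyBuckets"
        ],
        "Resource": [
          "*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "sns:ListTopics",
          "sns:GetTopicAttributes"
        ],
        "Resource": [
          "*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "cloudwatch:PutMetricAlarm",
          "cloudwatch:DescribeAlarms",
          "cloudwatch:DeleteAlarms"
        ],
        "Resource": [
          "*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "lakeformation:GetDataAccess"
        ],
        "Resource": [
          "*"
        ]
      }
    ]
  };
  const coarseAthenaAccessPolicyDoc = iam.PolicyDocument.fromJson(coarseAthenaAccess);

  const athenaPolicyName = `${this.DataSetName}-coarseIamAthenaAccessPolicy`;
  this.CoarseAthenaAccessPolicy = new iam.ManagedPolicy(this, athenaPolicyName, {
    document: coarseAthenaAccessPolicyDoc,
    description: athenaPolicyName,
  });
}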