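##++++++++++++++++++++++++++++++++++++++++++++##
# datalake
# - s3
# - athena
# - lakeformation
##++++++++++++++++++++++++++++++++++++++++++++##
# Read-only discovery permissions for the data lake services.
# Every statement with Resource '*' is meant to hold only actions that
# cannot be scoped to a resource ARN (see the suppressions block below);
# actual data access is still expected to be gated by Lake Formation
# grants rather than by this policy — confirm against the consuming
# role construct.
---
statements:
  - Sid: BasicS3NoResourceAccess
    Effect: Allow
    Action:
      - 's3:GetAccessPoint'
      - 's3:GetAccountPublicAccessBlock'
      - 's3:ListAccessPoints'
      - 's3:ListAccessPointsForObjectLambda'
      - 's3:ListAllMyBuckets'
      - 's3:ListJobs'
      - 's3:ListMultiRegionAccessPoints'
      - 's3:ListStorageLensConfigurations'
    Resource: '*'

  - Sid: AthenaNoResource
    Effect: Allow
    Action:
      - 'athena:ListDataCatalogs'
      - 'athena:ListEngineVersions'
      - 'athena:ListWorkGroups'
      - 'athena:ListCapacityReservations'
      - 'athena:ListApplicationDPUSizes'
      - 'athena:ListExecutors'
    Resource: '*'

  - Sid: BasicAthenaAccessForDefaultCatalog
    Effect: Allow
    Action:
      - 'athena:ListDatabases'
      - 'athena:GetDataCatalog'
    # TODO: Restrict to region/account — the two '*' segments match the
    # default catalog in any region and any account, which is wider than
    # the deploying account needs.
    Resource: 'arn:aws:athena:*:*:datacatalog/AwsDataCatalog'

  - Sid: LakeFormationNoResourceReadAccess
    Effect: Allow
    Action:
      - 'lakeformation:DescribeResource'  # Grants permission to describe a registered location
      - 'lakeformation:DescribeTransaction'  # Grants permission to get status of the given transaction
      - 'lakeformation:GetDataCellsFilter'  # Grants permission to retrieve a Lake Formation data cell filter
      - 'lakeformation:GetDataLakeSettings'  # Grants permission to retrieve data lake settings such as the list of data lake administrators and database and table default permissions
      - 'lakeformation:GetEffectivePermissionsForPath'  # Grants permission to retrieve permissions attached to resources in the given path
      - 'lakeformation:GetLFTag'  # Grants permission to retrieve a Lake Formation tag
      - 'lakeformation:GetQueryState'  # Grants permission to retrieve the state of the given query
      - 'lakeformation:GetQueryStatistics'  # Grants permission to retrieve the statistics for the given query
      - 'lakeformation:GetResourceLFTags'  # Grants permission to retrieve lakeformation tags on a catalog resource
      - 'lakeformation:GetTableObjects'  # Grants permission to retrieve objects from a table
      - 'lakeformation:GetWorkUnitResults'  # Grants permission to retrieve the results for the given work units
      - 'lakeformation:GetWorkUnits'  # Grants permission to retrieve the work units for the given query
      - 'lakeformation:ListDataCellsFilter'  # Grants permission to list cell filters
      - 'lakeformation:ListLFTags'  # Grants permission to list Lake Formation tags
      - 'lakeformation:ListLakeFormationOptIns'  # Retrieve the current list of resources and principals that are opt in to enforce Lake Formation permissions
      - 'lakeformation:ListPermissions'  # Grants permission to list permissions filtered by principal or resource
      - 'lakeformation:ListResources'  # Grants permission to List registered locations
      - 'lakeformation:ListTableStorageOptimizers'  # Grants permission to list all the storage optimizers for the Governed table
      - 'lakeformation:ListTransactions'  # Grants permission to list all transactions in the system
      - 'lakeformation:SearchDatabasesByLFTags'  # Grants permission to list catalog databases with Lake Formation tags
      - 'lakeformation:SearchTablesByLFTags'  # Grants permission to list catalog tables with Lake Formation tags
    Resource: '*'

  # Keys ordered as in the other statements (Sid, Effect, Action, Resource).
  # GetDataAccess is the call through which integrated services obtain
  # Lake Formation credentials on the principal's behalf; what data that
  # reaches is decided by Lake Formation grants, not by this statement.
  - Sid: BasicLfDataAccess
    Effect: Allow
    Action: 'lakeformation:GetDataAccess'
    Resource: '*'

suppressions:
  - id: 'AwsSolutions-IAM5'
    # Literal block keeps the three bullets on separate lines; the previous
    # multi-line double-quoted scalar folded them into one line.
    reason: |-
      - Above s3 Policy actions do not require Resource!
      - Above Athena Policy actions do not require Resource!
      - AWS Lake Formation does not support specifying a resource ARN in the Resource element of an IAM policy statement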