diff --git a/cfn-templates/cid-cfn.yml b/cfn-templates/cid-cfn.yml
index cab59cba..dcd72cdc 100644
--- a/cfn-templates/cid-cfn.yml
+++ b/cfn-templates/cid-cfn.yml
@@ -1011,74 +1011,71 @@ Resources: - Effect: Allow Action: - athena:ListDataCatalogs - Resource: '*' # Cannot restrict this. See https://docs.aws.amazon.com/athena/latest/ug/datacatalogs-example-policies.html#datacatalog-policy-listing-data-catalogs + - lakeformation:GetDataAccess + - athena:ListDatabases + - athena:ListTableMetadata + Resource: "*" # required https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html + # Cannot restrict this. See https://docs.aws.amazon.com/athena/latest/ug/datacatalogs-example-policies.html#datacatalog-policy-listing-data-catalogs - Effect: Allow Action: - athena:ListDatabases - Resource: - - Fn::If: - - NeedDatabase - - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} - - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} - # - Effect: Allow - # Action: - # - athena:ListDatabases - # - athena:ListTableMetadata - # Resource: - # - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/${GlueDataCatalog}' - - Effect: Allow - Action: + - s3:PutObject + - s3:GetObject + - s3:ListBucket + - s3:GetBucketLocation + - glue:GetPartitions - glue:GetDatabases - Resource: - - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' - - Effect: Allow - Action: - glue:GetTable - - glue:GetPartitions - Resource: - - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' - - Fn::If: - - NeedDatabase - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} - - Fn::If: - - NeedDatabase - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/* - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/* - - Effect: Allow - Action: + - glue:GetTables + - athena:ListDatabases + - 
athena:ListDataCatalogs + - athena:ListDatabases - athena:GetQueryExecution + - athena:GetQueryResults - athena:StartQueryExecution - athena:GetQueryResultsStream - - athena:GetQueryResults + - athena:ListTableMetadata + - s3:ListBucketVersions + Resource: - Fn::If: - - NeedAthenaWorkgroup - - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${MyAthenaWorkGroup}' - - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${AthenaWorkgroup}' + - Fn::If: + - NeedDatabase + - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} + - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} + - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/${GlueDataCatalog}' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' + - Fn::If: + - NeedDatabase + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} + - Fn::If: + - NeedDatabase + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/* + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/* + - Fn::If: + - NeedAthenaWorkgroup + - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${MyAthenaWorkGroup}' + - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${AthenaWorkgroup}' - Effect: Allow Action: - s3:GetBucketLocation - s3:ListBucket - Resource: - Fn::If: - - NeedAthenaQueryResultsBucket - - !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}' - - !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}' - - Effect: Allow - Action: - s3:GetObject - s3:PutObject + - s3:ListBucketMultipartUploads + - 
s3:ListMultipartUploadParts + - s3:AbortMultipartUpload Resource: - Fn::If: - - NeedAthenaQueryResultsBucket - - !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}/*' - - !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}/*' - - Effect: Allow - Action: - - lakeformation:GetDataAccess - Resource: "*" # required https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html + - Fn::If: + - NeedAthenaQueryResultsBucket + - !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}' + - !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}' + - Fn::If: + - NeedAthenaQueryResultsBucket + - !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}/*' + - !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}/*' QuickSightDataSourceRolePolicyForODCBucket: Type: AWS::IAM::Policy
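Review bot: Moving `athena:ListDatabases` and `athena:ListTableMetadata` onto the `Resource: "*"` statement widens the policy beyond what the adjacent comments justify — the linked Athena note covers only ListDataCatalogs and the Lake Formation link only `lakeformation:GetDataAccess`, while this same hunk still grants both actions in the merged statement against `datacatalog/${GlueDataCatalog}` and the database ARNs, which (per the Athena action reference) is the resource type they accept, so I would keep only `- athena:ListDataCatalogs` and `- lakeformation:GetDataAccess` under the wildcard. The merged statement also lists `s3:PutObject`, `s3:GetObject`, `s3:ListBucket`, `s3:GetBucketLocation` and `s3:ListBucketVersions` against a resource list that contains no S3 ARNs, so those grants can never match there and only obscure what the statement actually allows; the query-results bucket statement below already covers the bucket and its objects, so dropping them from the merged statement loses nothing. Within that merged statement `athena:ListDatabases` appears twice (and a third time in the wildcard statement) and the `glue:...:catalog` ARN is listed twice, which should be deduplicated. The policy's statement list begins before this hunk, so I could not check whether earlier statements already grant any of these actions.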