From bd081be6acc9e35fb6d3191fdbb48a84ccf0695d Mon Sep 17 00:00:00 2001
From: Iakov Gan
Date: Tue, 17 Oct 2023 18:45:37 +0200
Subject: [PATCH] refactor permissions

---
 cfn-templates/cid-cfn.yml | 32 +++++++++++++------------------
 1 file changed, 13 insertions(+), 19 deletions(-)

diff --git a/cfn-templates/cid-cfn.yml b/cfn-templates/cid-cfn.yml
index dcd72cdc..291d7dfd 100644
--- a/cfn-templates/cid-cfn.yml
+++ b/cfn-templates/cid-cfn.yml
@@ -1010,24 +1010,30 @@ Resources:
 Statement:
 - Effect: Allow
 Action:
- - athena:ListDataCatalogs
 - lakeformation:GetDataAccess
+ - athena:ListDataCatalogs
 - athena:ListDatabases
 - athena:ListTableMetadata
 Resource: "*" # required https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html
 # Cannot restrict this. See https://docs.aws.amazon.com/athena/latest/ug/datacatalogs-example-policies.html#datacatalog-policy-listing-data-catalogs
- - Effect: Allow
 Action:
- - athena:ListDatabases
- - s3:PutObject
- - s3:GetObject
- - s3:ListBucket
- - s3:GetBucketLocation
 - glue:GetPartitions
 - glue:GetDatabases
 - glue:GetTable
 - glue:GetTables
+ Resource:
+ - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog'
+ - Fn::If:
+ - NeedDatabase
+ - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase}
+ - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}
+ - Fn::If:
+ - NeedDatabase
+ - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/*
+ - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/*
+ - Effect: Allow
+ Action:
 - athena:ListDatabases
 - athena:ListDataCatalogs
 - athena:ListDatabases
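Review bot: As the hunk reads, the `- Effect: Allow` line that opened the second statement is removed with nothing replacing it, so the glue `Action:` and the new `Resource:` list end up inside the first statement's mapping as a second `Action`/`Resource` pair right after `Resource: "*"`; the second hunk shows the same pattern, removing `Resource:` ahead of the athena ARNs and leaving them inside that statement's Action list. Depending on how the YAML is parsed the template either fails validation on duplicate keys or keeps the last key, in which case the `lakeformation:GetDataAccess` grant on `Resource: "*"` silently disappears from the role. Re-adding `- Effect: Allow` before the glue `Action:` and `Resource:` before the athena `Fn::If:` restores three separate statements. The s3:PutObject/GetObject/ListBucket/GetBucketLocation actions are also dropped from this role with no replacement in the hunk; whether the Athena results location is covered by another statement is not visible here and should be confirmed before merging. The enclosing policy document starts before this hunk and the second hunk is cut off at the end of the page.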
@@ -1036,24 +1042,12 @@ Resources:
 - athena:StartQueryExecution
 - athena:GetQueryResultsStream
 - athena:ListTableMetadata
- - s3:ListBucketVersions
- Resource:
 - Fn::If:
 - NeedDatabase
 - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase}
 - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}
 - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/${GlueDataCatalog}'
- - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog'
- - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog'
- - Fn::If:
- - NeedDatabase
- - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase}
- - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}
- - Fn::If:
- - NeedDatabase
- - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/*
- - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/*
 - Fn::If:
 - NeedAthenaWorkgroup
 - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${MyAthenaWorkGroup}'