From 6e49e81792985cd0080fcaf79fbf785dbe020a9e Mon Sep 17 00:00:00 2001
From: vmindru
Date: Thu, 12 Oct 2023 17:11:38 +0200
Subject: [PATCH 1/2] Fixing missing permissions for proper QS functioning after deploy
---
 cfn-templates/cid-cfn.yml | 99 +++++++++++++++++++--------------------
 1 file changed, 48 insertions(+), 51 deletions(-)
diff --git a/cfn-templates/cid-cfn.yml b/cfn-templates/cid-cfn.yml
index cab59cba..dcd72cdc 100644
--- a/cfn-templates/cid-cfn.yml
+++ b/cfn-templates/cid-cfn.yml
@@ -1011,74 +1011,71 @@ Resources: - Effect: Allow Action: - athena:ListDataCatalogs - Resource: '*' # Cannot restrict this. See https://docs.aws.amazon.com/athena/latest/ug/datacatalogs-example-policies.html#datacatalog-policy-listing-data-catalogs + - lakeformation:GetDataAccess + - athena:ListDatabases + - athena:ListTableMetadata + Resource: "*" # required https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html + # Cannot restrict this. See https://docs.aws.amazon.com/athena/latest/ug/datacatalogs-example-policies.html#datacatalog-policy-listing-data-catalogs - Effect: Allow Action: - athena:ListDatabases - Resource: - - Fn::If: - - NeedDatabase - - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} - - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} - # - Effect: Allow - # Action: - # - athena:ListDatabases - # - athena:ListTableMetadata - # Resource: - # - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/${GlueDataCatalog}' - - Effect: Allow - Action: + - s3:PutObject + - s3:GetObject + - s3:ListBucket + - s3:GetBucketLocation + - glue:GetPartitions - glue:GetDatabases - Resource: - - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' - - Effect: Allow - Action: - glue:GetTable - - glue:GetPartitions - Resource: - - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' - - Fn::If: - - NeedDatabase - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} - - Fn::If: - - NeedDatabase - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/* - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/* - - Effect: Allow - Action: + - glue:GetTables + - athena:ListDatabases + - 
athena:ListDataCatalogs + - athena:ListDatabases - athena:GetQueryExecution + - athena:GetQueryResults - athena:StartQueryExecution - athena:GetQueryResultsStream - - athena:GetQueryResults + - athena:ListTableMetadata + - s3:ListBucketVersions + Resource: - Fn::If: - - NeedAthenaWorkgroup - - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${MyAthenaWorkGroup}' - - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${AthenaWorkgroup}' + - Fn::If: + - NeedDatabase + - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} + - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} + - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/${GlueDataCatalog}' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' + - Fn::If: + - NeedDatabase + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} + - Fn::If: + - NeedDatabase + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/* + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/* + - Fn::If: + - NeedAthenaWorkgroup + - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${MyAthenaWorkGroup}' + - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${AthenaWorkgroup}' - Effect: Allow Action: - s3:GetBucketLocation - s3:ListBucket - Resource: - Fn::If: - - NeedAthenaQueryResultsBucket - - !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}' - - !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}' - - Effect: Allow - Action: - s3:GetObject - s3:PutObject + - s3:ListBucketMultipartUploads + - 
s3:ListMultipartUploadParts + - s3:AbortMultipartUpload Resource: - Fn::If: - - NeedAthenaQueryResultsBucket - - !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}/*' - - !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}/*' - - Effect: Allow - Action: - - lakeformation:GetDataAccess - Resource: "*" # required https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html + - Fn::If: + - NeedAthenaQueryResultsBucket + - !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}' + - !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}' + - Fn::If: + - NeedAthenaQueryResultsBucket + - !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}/*' + - !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}/*' QuickSightDataSourceRolePolicyForODCBucket: Type: AWS::IAM::Policy
From bd081be6acc9e35fb6d3191fdbb48a84ccf0695d Mon Sep 17 00:00:00 2001
From: Iakov Gan
Date: Tue, 17 Oct 2023 18:45:37 +0200
Subject: [PATCH 2/2] refactor permissions
---
 cfn-templates/cid-cfn.yml | 32 +++++++++++++-------------------
 1 file changed, 13 insertions(+), 19 deletions(-)
diff --git a/cfn-templates/cid-cfn.yml b/cfn-templates/cid-cfn.yml
index dcd72cdc..291d7dfd 100644
--- a/cfn-templates/cid-cfn.yml
+++ b/cfn-templates/cid-cfn.yml
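Review bot: Moving `athena:ListDatabases` and `athena:ListTableMetadata` into the `Resource: "*"` statement at the top of this hunk widens the grant beyond what the two cited links justify: the Lake Formation page covers only `lakeformation:GetDataAccess` and the Athena page only `athena:ListDataCatalogs`, while the commented-out statement this hunk deletes scoped both list actions to `datacatalog/${GlueDataCatalog}`, and the second patch on this page keeps them on that ARN as well, so the wildcard copy is redundant. I would keep the `"*"` statement to the two actions that need it, and the same applies to the `Resource: "*"` statement at the start of the second patch's first hunk. A comment that says which link justifies which action would help, e.g. `# lakeformation:GetDataAccess and athena:ListDataCatalogs cannot be resource-scoped; see the two links above`. The merged statement further down also lists `athena:ListDatabases` three times and the glue `catalog` ARN twice, and grants `s3:PutObject`/`s3:GetObject` against a Resource list that holds no S3 ARN; the second patch removes most of that, so I only flag it here as a sign the statement was assembled by concatenation.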
@@ -1010,24 +1010,30 @@ Resources: Statement: - Effect: Allow Action: - - athena:ListDataCatalogs - lakeformation:GetDataAccess + - athena:ListDataCatalogs - athena:ListDatabases - athena:ListTableMetadata Resource: "*" # required https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html # Cannot restrict this. See https://docs.aws.amazon.com/athena/latest/ug/datacatalogs-example-policies.html#datacatalog-policy-listing-data-catalogs - - Effect: Allow Action: - - athena:ListDatabases - - s3:PutObject - - s3:GetObject - - s3:ListBucket - - s3:GetBucketLocation - glue:GetPartitions - glue:GetDatabases - glue:GetTable - glue:GetTables + Resource: + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' + - Fn::If: + - NeedDatabase + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} + - Fn::If: + - NeedDatabase + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/* + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/* + - Effect: Allow + Action: - athena:ListDatabases - athena:ListDataCatalogs - athena:ListDatabases 
@@ -1036,24 +1042,12 @@ Resources: - athena:StartQueryExecution - athena:GetQueryResultsStream - athena:ListTableMetadata - - s3:ListBucketVersions - Resource: - Fn::If: - NeedDatabase - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/${GlueDataCatalog}' - - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' - - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' - - Fn::If: - - NeedDatabase - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} - - Fn::If: - - NeedDatabase - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/* - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/* - Fn::If: - NeedAthenaWorkgroup - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${MyAthenaWorkGroup}'
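Review bot: The Action list of this Athena statement still carries `athena:ListDatabases` twice and `athena:ListDataCatalogs` once (the trailing context of the previous hunk and the leading context here), and all three are already granted on `Resource: "*"` by the first statement; `athena:ListDataCatalogs` in particular is documented in this template as not resource-restrictable, so its entry here grants nothing. I would drop `athena:ListDataCatalogs` and one `athena:ListDatabases` from this statement so the remaining list is exactly the query, result and workgroup actions the scoped database, datacatalog and workgroup ARNs are meant to cover. The enclosing statement begins in the previous hunk, outside this one.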