
JAWS PANKRATION 2024

Restricting S3 Bucket Policies for Inbound Traffic from Athena

Lv200

2024/8/24 21:20 (JST)

Session Information

In this session, we explore how to analyze S3 bucket data using Athena, specifically for buckets restricted to access from a designated VPC.

The analysis environment and data storage are in separate accounts, and S3 access from the specific VPC is through a Gateway endpoint.

Athena is used for analyzing S3 server access logs, with internet access facilitated via a NAT Gateway.


# Bucket Policy: Methods to Control Athena Traffic

## Option 1: Control by Global IP (Adopted)

Using global IP control (the NAT Gateway's public IP addresses as the source-IP condition in the bucket policy), we restricted access to traffic that leaves the designated VPC.


## Option 2: Control Athena Traffic with the "aws:CalledVia" Condition Key (Not Adopted)

This method could not enforce IP restrictions on its own; it would have to be combined with IAM user-based control, which increases the operational burden. Hence, it was not adopted.


### Unsuccessful Method

Using VPC ID or VPC Endpoint ID in the bucket policy for Athena control was not feasible.
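As an added example (not part of the session materials and not the presenter's code), the following builds an "Option 1" style bucket policy that denies any S3 request whose `aws:SourceIp` is outside the NAT Gateway's public IP ranges, and then evaluates sample request contexts against it with the IAM semantics of `IpAddress`/`NotIpAddress`. The bucket name and the NAT Gateway addresses are constructed placeholders (TEST-NET-3 ranges), not values from the session.

```python
"""
Added example: build and evaluate a "global IP" S3 bucket policy.

Not the session's or the presenter's code. The bucket name and the
NAT Gateway IPs are constructed placeholders.
"""
import ipaddress
import json

BUCKET = "example-datalake-bucket"                        # placeholder bucket name
NAT_GATEWAY_IPS = ["203.0.113.10/32", "203.0.113.11/32"]  # placeholder NAT Gateway EIPs


def build_source_ip_policy(bucket, allowed_cidrs):
    """Return a bucket policy denying all S3 actions from outside allowed_cidrs.

    A Deny statement with Principal "*" applies to every caller, including the
    bucket owner's own roles, so the allow-list must contain every address that
    legitimate S3 requests (including Athena's, forwarded from the VPC) arrive from.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideNatGatewayIps",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"NotIpAddress": {"aws:SourceIp": allowed_cidrs}},
            }
        ],
    }


def _ip_condition_matches(operator, key, cidrs, context):
    """Evaluate the IpAddress / NotIpAddress condition operators.

    IpAddress is true when the request's source IP lies inside at least one
    listed CIDR; NotIpAddress is true when it lies inside none of them.
    As with other negated IAM operators, a key missing from the request
    context makes NotIpAddress true (and IpAddress false).
    """
    raw = context.get(key)
    if raw is None:
        return operator == "NotIpAddress"
    ip = ipaddress.ip_address(raw)
    inside = any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in cidrs)
    return inside if operator == "IpAddress" else not inside


def is_denied(policy, context):
    """Return True if any Deny statement in the policy matches the request context.

    Only the source-IP condition operators are implemented; Principal, Action
    and Resource are assumed to match, which is what "*", "s3:*" and the
    bucket's own ARNs give you in the policy above.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conditions = stmt.get("Condition", {})
        matched = all(
            _ip_condition_matches(operator, key, cidrs, context)
            for operator, keyed in conditions.items()
            for key, cidrs in keyed.items()
        )
        if matched:
            return True
    return False


if __name__ == "__main__":
    policy = build_source_ip_policy(BUCKET, NAT_GATEWAY_IPS)
    print(json.dumps(policy, indent=2))
    # Request leaving the VPC through the NAT Gateway: not denied.
    print(is_denied(policy, {"aws:SourceIp": "203.0.113.10"}))  # False
    # Request from an unrelated public address: denied.
    print(is_denied(policy, {"aws:SourceIp": "198.51.100.7"}))  # True
    # Request with no source IP in the context at all: denied.
    print(is_denied(policy, {}))  # True
```

The last case is the practical check to keep in mind with this option: a negated operator such as `NotIpAddress` also matches when the key is absent, so any S3 request that reaches the bucket without a public source IP in its request context is denied by this statement, which is why the NAT Gateway addresses must be kept current in the policy.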

Tatsuya Sato

- AWS All Certified Engineers(APN) -



Session Categories
Analysis
Security
Identity and compliance


Related AWS Services
S3, Athena


Session Archive

Session Summary (by Amazon Bedrock)

Satoshi Tatsuya from Iret Inc. presents on restricting Athena communication with S3 bucket policies. He explores four methods to control access:

1. VPC ID
2. VPC Endpoint ID
3. Global IP
4. IAM User/Role

The setup involves multiple AWS accounts: one for analysis (EC2) and another for the data lake (S3 bucket). The goal is to allow communication only from a specific VPC.

Key findings:

1. VPC ID and VPC Endpoint ID controls were ineffective.
2. Global IP control is possible at the VPC level using NAT Gateway IP addresses.
3. The aws:CalledVia context key allows all Athena communications, which is too broad for the requirements.
4. IAM User/Role control offers resource-level restrictions and IP limitations through IAM policies.

The presenter concludes that Global IP and IAM User/Role controls are the most suitable options. IAM provides the most granular control but requires additional IAM policy configurations and may increase operational overhead when frequently updating S3 bucket policies for new IAM users/roles. Global IP control offers the least operational burden while limiting access to a specific VPC, making it the preferred method in this case. However, the choice depends on specific requirements, risk tolerance, and cost considerations. The key takeaway is the importance of clearly defining requirements before implementing access controls, as different methods have varying levels of granularity and operational implications.

©JAWS-UG (AWS User Group - Japan). All rights reserved.