4

We (Account A) would like to programmatically trigger an Athena query (startQueryExecution) in a different AWS account (Account B); we use an assumed role to achieve this. After the Athena query is done, we expect the result to be written to an S3 bucket in our own AWS account (Account A). We managed to do so by setting IAM policies on both sides to allow B to write to A's S3 bucket.

However, it seems the S3 objects in Account A are still owned by Account B, and users/roles in Account A have no access to those objects.

I was thinking of either of these ways to fix this, but I cannot find any example of how to do either:

  • somehow make sure Athena writes to S3 with acl = bucket-owner-full-control
  • somehow change the S3 object ACL to bucket-owner-full-control after the object is created

Any idea?

  • 1
    I doubt you'll find a way to do this. There are very few configuration options available in Amazon Athena. You might be better off writing it to a bucket in Account B, then copying the object to a bucket in Account A. – John Rotenstein Jun 13 '19 at 04:29
  • 1
    I managed to change the ACL for the S3 object while we still assumed the Account B role. It worked out OK. – user273098 Jun 13 '19 at 18:09

2 Answers

4

@user273098 Curious to see how you figured out the answer.

Athena currently does not give the ability to specify the ACL. However, two workarounds are possible:

  1. Instead of having Account A assume a role in Account B, have Account B grant Account A's account root/role access to Account B's Athena. Then Account A can use its own role/account to query data in Account B, and the results can still be accessed by Account A because Account A is the object owner.

  2. Have an S3 streaming Lambda listening on the output S3 bucket. Once the object comes in, use SetObjectACL to grant bucket-owner-full-control on the object.

mebius5
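The following is an added example, not code from the question or from either answer. It shows the variant the asker reported in the comments: run the query with the assumed Account B credentials, wait for it to reach SUCCEEDED, then re-ACL the result objects with those same credentials (only the object owner may change an object's ACL) so the bucket owner, Account A, can read them. The Athena and S3 clients are passed in rather than created, so the logic runs offline against the constructed fakes at the bottom; `FakeAthena`, `FakeS3`, the query id and the bucket name are all made up for this example.

```python
"""Cross-account Athena query followed by an ACL fix on the result objects."""
import time
from urllib.parse import urlparse


def parse_s3_uri(uri):
    """Split 's3://bucket/prefix/object' into (bucket, key)."""
    parsed = urlparse(uri)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError(f"not an S3 URI: {uri!r}")
    return parsed.netloc, parsed.path.lstrip("/")


def result_object_keys(output_location):
    """A SELECT query leaves <id>.csv plus <id>.csv.metadata; both need the fix."""
    bucket, key = parse_s3_uri(output_location)
    return bucket, [key, key + ".metadata"]


def wait_for_query(athena, query_execution_id, poll_seconds=1.0, max_polls=600):
    """Poll GetQueryExecution until a terminal state; raise unless SUCCEEDED,
    so we never touch objects of a query that produced no results."""
    for _ in range(max_polls):
        execution = athena.get_query_execution(
            QueryExecutionId=query_execution_id)["QueryExecution"]
        state = execution["Status"]["State"]
        if state == "SUCCEEDED":
            return execution
        if state in ("FAILED", "CANCELLED"):
            reason = execution["Status"].get("StateChangeReason", "")
            raise RuntimeError(f"query {query_execution_id} {state}: {reason}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"query {query_execution_id} not finished after {max_polls} polls")


def grant_bucket_owner_full_control(s3, bucket, keys):
    """Only the object owner (here the assumed Account B role) may change the ACL,
    so this must run with the same credentials that ran the query."""
    fixed = []
    for key in keys:
        s3.put_object_acl(Bucket=bucket, Key=key, ACL="bucket-owner-full-control")
        fixed.append(f"s3://{bucket}/{key}")
    return fixed


def run_cross_account_query(athena, s3, sql, database, output_location):
    """StartQueryExecution -> wait -> fix ACLs; returns (query id, fixed URIs)."""
    query_id = athena.start_query_execution(
        QueryString=sql,
        QueryExecutionContext={"Database": database},
        ResultConfiguration={"OutputLocation": output_location},
    )["QueryExecutionId"]
    execution = wait_for_query(athena, query_id)
    # Use the object location Athena reports back, not the prefix we requested.
    bucket, keys = result_object_keys(
        execution["ResultConfiguration"]["OutputLocation"])
    return query_id, grant_bucket_owner_full_control(s3, bucket, keys)


# --- constructed fakes so the example runs without AWS credentials -----------
class FakeAthena:
    """Stands in for boto3's Athena client; final_state is the state it reports."""
    def __init__(self, final_state="SUCCEEDED"):
        self.final_state = final_state
        self.output_prefix = None

    def start_query_execution(self, **kwargs):
        self.output_prefix = kwargs["ResultConfiguration"]["OutputLocation"]
        return {"QueryExecutionId": "constructed-qid-123"}

    def get_query_execution(self, QueryExecutionId):
        return {"QueryExecution": {
            "Status": {"State": self.final_state, "StateChangeReason": "constructed"},
            "ResultConfiguration": {
                "OutputLocation": f"{self.output_prefix}{QueryExecutionId}.csv"}}}


class FakeS3:
    """Records every PutObjectAcl call instead of talking to S3."""
    def __init__(self):
        self.acl_calls = []

    def put_object_acl(self, **kwargs):
        self.acl_calls.append(kwargs)
        return {}


if __name__ == "__main__":
    # Real use: build both clients from a boto3 Session whose credentials came
    # from sts.assume_role into Account B, e.g.
    #   athena, s3 = session.client("athena"), session.client("s3")
    qid, fixed = run_cross_account_query(
        FakeAthena(), FakeS3(), "SELECT 1", "default",
        "s3://account-a-results-bucket/athena-results/")  # constructed bucket name
    print(qid, fixed)
```

The ACL is applied to the location reported in the execution record rather than the requested prefix, because that record carries the actual `<query id>.csv` object name. The step is only needed while Account B's role is the object owner; on a bucket whose S3 Object Ownership is set to "bucket owner enforced", ACLs are disabled and every object already belongs to the bucket owner, so the PutObjectAcl call would be rejected and should be skipped.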
2

As of now there is no direct way to give access to the S3 files written in Account A. One way we are solving this problem is writing the S3 file to an Account B bucket and having a policy that gives Account A access to the Account B S3 bucket, then reading/processing the files from there. Very hacky, but it works.