
I'm trying to query an S3 bucket using Athena but I am getting the following error:

Permission denied on S3 path: s3://BUCKET_NAME/LOGS_LOCATION This query ran against the "default" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: f72e7dbf-929c-4096-bd29-b55c6c41f582

This bucket was created by an organization-level CloudTrail (initiated in the Root account) that deployed the bucket in our Logging account.

Here is the bucket policy in the logging account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<our bucket name>",
                "arn:aws:s3:::<our bucket name>/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "AWSBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com",
                    "config.amazonaws.com"
                ]
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::<our bucket name>"
        },
        {
            "Sid": "AWSConfigBucketExistenceCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com",
                    "config.amazonaws.com"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<our bucket name>"
        },
        {
            "Sid": "AWSBucketDeliveryForConfig",
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<our bucket name>/<prefix>/AWSLogs/*/*"
        },
        {
            "Sid": "AWSBucketDeliveryForOrganizationTrail",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::<our bucket name>/<prefix>/AWSLogs/<root account>/*",
                "arn:aws:s3:::<our bucket name>/<prefix>/AWSLogs/<prefix>/*"
            ]
        }
    ]
}

Here are the steps I followed:

First I created an Athena table in our logging account (the same account where the bucket is located); the table is built from the same logging bucket. I then created a destination bucket for Athena. I ran a simple "preview table" query to test whether everything works. This is when I got the above-mentioned error. The S3 bucket mentioned in the error is the logging bucket, not the Athena destination bucket.

I am thinking it might be an issue with the logging bucket's policy, please advise.

Thanks in advance!

  • I don't see any statements allowing Athena access to your bucket – Amir Asyraf Jan 30 '23 at 10:16
  • @AmirAsyraf, noted, what would be the principal for this statement? "athena.amazonaws.com"? – Tegue Morrison Jan 30 '23 at 10:30
  • That's correct. – Amir Asyraf Jan 30 '23 at 12:03
  • @AmirAsyraf, could you please provide an example of how the statement should look to allow Athena access to the bucket? I have tried using a simple allow if the principal is "athena.amazonaws.com" but I get the "Invalid Principal" error, TIA. – Tegue Morrison Jan 30 '23 at 15:03
  • When running a query in Amazon Athena, it will use the credentials of the user who requested the query (you!). Thus, you will need to have sufficient permissions to access the objects in the source bucket. If the log bucket is in a different AWS Account, then that bucket will require a Bucket Policy that grants you access to the objects. Also, if the objects are encrypted with KMS, you will also need permission to use the KMS key to decrypt the objects. – John Rotenstein Jan 31 '23 at 01:51
  • When using Amazon Athena, are you logged into the same AWS Account as the bucket with the data? – John Rotenstein Jan 31 '23 at 01:52
  • Sorry @TegueMorrison. As John has mentioned above, you don't need to add an Athena principal. Your policy should allow your **current** user access to the S3 bucket. – Amir Asyraf Jan 31 '23 at 05:43
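
The evaluation logic the comments above describe (Athena runs as the calling identity, an explicit Deny wins, anything without a matching Allow is denied), as an added example that is not part of the original question or comments: a small offline evaluator run over a condensed copy of the posted bucket policy, before and after a read statement for a placeholder IAM principal is appended. It models bucket-policy statements only; the IAM user ARN, account and prefix placeholders are assumptions.

```python
# Added example (not from the original post): a simplified, offline evaluator for
# S3 bucket-policy statements.  It models only what the comments rely on: an
# explicit Deny wins and a request with no matching Allow is implicitly denied.
# Identity policies, SCPs, ACLs and KMS key policies are deliberately ignored.
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::<our bucket name>"  # placeholder, as in the post

def _matches(value, patterns):  # IAM-style '*' / '?' wildcard match
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def evaluate(policy, principal, action, resource, secure_transport=True):
    """principal = ("Service", name) or ("AWS", iam_arn); returns 'Deny', 'Allow' or 'ImplicitDeny'."""
    kind, who = principal
    result = "ImplicitDeny"
    for st in policy["Statement"]:
        if st["Principal"] != "*" and not _matches(who, st["Principal"].get(kind, [])):
            continue
        if not _matches(action, st["Action"]) or not _matches(resource, st["Resource"]):
            continue
        want = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if want is not None and want != str(secure_transport).lower():
            continue  # condition not met, so the statement does not apply
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        result = "Allow"
    return result

# Constructed, condensed form of the posted policy (SSL-only Deny plus the
# CloudTrail delivery Allow).  Note that no statement names an IAM identity.
POSTED_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": BUCKET + "/<prefix>/AWSLogs/*/*"},
]}

# The statement the comments call for: read access for the IAM identity whose
# credentials Athena uses when it runs the query (placeholder ARN).
ATHENA_USER_READ = {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::<logging account>:user/<athena user>"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"],
}

def with_user_read(policy):
    return {"Statement": policy["Statement"] + [ATHENA_USER_READ]}
```

Running `evaluate` against the posted policy reproduces the implicit deny behind the "Permission denied on S3 path" error, while the appended statement turns the same request into an Allow without weakening the SSL-only Deny.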
