Posted On: Mar 2, 2020

AWS Identity and Access Management (IAM) has added support for aws:CalledVia, a new condition key, for use with all services that make requests using your credentials. With this release, Amazon Athena has added support for the CalledVia key. 

When you submit a query to Athena that scans data from Amazon S3, Athena reads the required data from S3 to execute your query on your behalf using SSL encryption. Security conscious customers prefer to apply restrictive policies on their S3 buckets, for example, policy to allow data read access to only whitelisted IP addresses. Previously, there was no way to specify access for Athena in the restrictive S3 bucket policy. Thus Athena queries that needed to scan data from such S3 buckets failed. With this release, you can now easily use the aws:CalledVia key in addition to your existing bucket policy to allow Athena to scan data in your S3 bucket and execute your query on your behalf. 

For more information about IAM’s new CalledVia key, please refer to our documentation. The following blog post highlights how you can use the aws:CalledVia key to specify distinct permissions that allow Athena to access and scan data from S3 on your behalf.