Skip to content

AWS Athena Guide (Beta)

Screenshot

Satori streamlines and simplifies the process of controlling access to data in AWS Athena. Satori reduces the risk of data leakage by misconfiguring users or permissions. When using Satori to deliver access to data in AWS Athena, organizations provision a single set of AWS credentials that are only used by the Satori DAC to access AWS Athena. Satori generates temporary credentials for data consumers instead of their existing AWS credentials. The benefits of this approach are as follows:

  1. There is no need to create an AWS IAM user for each data consumer, which reduces the risk of granting access to AWS resources users do not need.
  2. There is no need to grant users direct access to data in S3, which reduces the risk of data leakage by users downloading data directly from buckets.

Prerequisites

Perform the following steps to grant Satori access to AWS Athena.

Step 1: Create an IAM Policy for Satori

The IAM policy used by the Satori AWS user should be configured with read access to any S3 bucket where data that should be queried via AWS Athena is stored, as well as read and write access to any S3 bucket used for storing query result sets (S3 Output Location). For maximum security. The policy should limit access to S3 only via AWS Athena and the Satori DAC IP addresses. See an example policy JSON below. For more information read the AWS documentation.

This is an example of an IAM policy you can use as a starting point to create your own IAM policy:

  • Replace the bucket names with your buckets
  • Replace the IP addresses to the IP addresses of the DAC

Perform the following§ steps to create the IAM policy for Satori:

  1. Go to AWS IAM
  2. Click on Policies and select Create Policy
  3. Click on the JSON tab and paste the JSON policy file you prepared.
  4. Complete the policy creation process and name your policy, for example: satori_athena_policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VerifyRelevantBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::satori-athena-user-test",
                "arn:aws:s3:::satori-athena-results"
            ],
            "Condition": {
                "ForAnyValue:IpAddress": {
                    "aws:SourceIp": [
                        "1.1.1.1",
                        "2.2.2.2",
                        "3.3.3.3"
                    ]
                }
            }
        },
        {
            "Sid": "ReadFromSourceBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::satori-athena-user-test/*"
            ],
            "Condition": {
                "ForAnyValue:IpAddress": {
                    "aws:SourceIp": [
                        "1.1.1.1",
                        "2.2.2.2",
                        "3.3.3.3"
                    ]
                }
            }
        },
        {
            "Sid": "WriteToOutputBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::satori-athena-results/*"
            ]
        },
        {
            "Sid": "ReadFromOutputBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::satori-athena-results/*"
            ],
            "Condition": {
                "ForAnyValue:IpAddress": {
                    "aws:SourceIp": [
                        "1.1.1.1",
                        "2.2.2.2",
                        "3.3.3.3"
                    ]
                }
            }
        },
        {
            "Sid": "AthenaAccess",
            "Effect":"Allow",
            "Action":[
                "athena:BatchGetNamedQuery",
                "athena:BatchGetQueryExecution",
                "athena:CreateNamedQuery",
                "athena:DeleteNamedQuery",
                "athena:GetDatabase",
                "athena:GetNamedQuery",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:GetQueryResultsStream",
                "athena:GetTableMetadata",
                "athena:GetWorkGroup",
                "athena:ListDataCatalogs",
                "athena:ListDatabases",
                "athena:ListNamedQueries",
                "athena:ListQueryExecutions",
                "athena:ListTableMetadata",
                "athena:ListWorkGroups",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetTable",
                "glue:GetTables"
            ],
            "Resource":[
                "*"
            ],
            "Condition": {
                "ForAnyValue:IpAddress": {
                    "aws:SourceIp": [
                        "1.1.1.1",
                        "2.2.2.2",
                        "3.3.3.3"
                    ]
                }
            }
        }
    ]
}

Step 2: Create an IAM User for Satori

  1. Go to AWS IAM.
  2. Click on Users and select Add Users.
  3. Enter satori_athena_user in the Username input field and check the Access key - Programmatic access checkbox.
  4. Select Attach Existing Policy and search for the policy created in the previous step.
  5. Now, attach the policy to the user.
  6. In the last step of the process, copy the AWS Access Key ID and Secret Access Key.

Adding an AWS Athena Data Store to Satori

  1. Login to the Satori management console https://app.satoricyber.com.
  2. Go to the Data Stores view and click the Add Data Store button.
  3. Select the AWS Athena option.
  4. Provide an informative name for the data store, for example: Sales Data Warehouse.
  5. Select the AWS region where your data is hosted, for example: us-east-1.
  6. Select the Data Access Controller to use for accessing the data store.
  7. Enter the AWS account ID for the Athena data store.
  8. Enter the AWS Access Key ID and Secret Access Key you copied in the previous step.
  9. Click the Create button. Satori will then validate that the credentials and AWS Account ID match and you will then be redirected to the Data Stores list.

Connect to AWS Athena via Satori

Satori provides two options for obtaining credentials to connect to AWS Athena, for two specifc use-cases:

  1. User-specific Temporary Credentials - Each user can generate personal credentials from the Satori Data Portal. In this option, SATORI_USERNAME and SATORI_PASSWORD shown in the example below refer to the generated username and password.
  2. Service Account Credentials - Use the DAC Access Token credentials located in the management console. Go to the Satori setting and select the User management view, then click the DAC Access Token tab. In this option, the SATORI_USERNAME refers to the real username connected to the BI tool and the SATORI_PASSWORD refers to the Token value of the DAC Access Token. For more information see the Integration with BI Tools section.

Connecting with the JDBC driver

To connect with the JDBC driver, override or add the following parameters in the JDBC URL:

  • EndpointOverride=<Satori Hostname>:443
  • UseResultsetStreaming=0
  • User=<SATORI_USERNAME>
  • Password=<SATORI_PASSWORD>

For example:

jdbc:awsathena://AwsRegion=us-east-1;EndpointOverride=abc123.us-east-1.a.p0.satoricyber.net:443;UseResultsetStreaming=0;User=eddievh;Password=Jump1984!;...

Connecting with Looker

To connect with Looker to Satori using service account credentials update the following parameters:

  • Username: select the Email option.
  • Password: copy the UUID Token value for your DAC Access Token, for example: befdcb5b-e1b3-49e8-84d8-093116c9daf5.
  • Additional Params: add the EndpointOverride and UseResultStreaming parameters, for example: AwsRegion=us-east-1;S3OutputLocation=s3://athena-output;EndPointOverride=athena-prod.us-east-1.a.p0.satoricyber.net;UseResultsetStreaming=0

Connecting with Python

To connect with Python, set the endpoint_url argument to the client function, and the AWS credentials as described above. For example:

client = boto3.client(service_name='athena', region_name='us-east-1',
  endpoint_url="https://abc123.us-east-1.a.p0.satoricyber.net",
  aws_access_key_id="<SATORI_USERNAME>",
  aws_secret_access_key="<SATORI_PASSWORD>")

Connecting with the AWS Command Line

To connect with the AWS command line, first create a profile using your personal credentials. For example:

export AWS_ACCESS_KEY_ID="eddievh"
export AWS_SECRET_ACCESS_KEY="Jump1984!"

Then add the endpoint-url parameter to your aws athena command with the Satori hostname for the data store. For example: aws athena start-query-execution --query-string "select 1" --region us-east-1 --result-configuration '{ "OutputLocation": "s3://athena-output"}' --endpoint-url https://athena-prod.us-east-1.a.p0.satoricyber.net.

Network Policy Settings

Satori provides you with the ability to define your network security policy for your data store.

Screenshot

Simply, specify which IP addresses and subnet masks should be allowed access to the Data Store and which IP addresses and subnet masks should be blocked. Note that by default, Satori allows all IP address ranges if you leave the form empty.

Example 1

To allow all IP addresses - Leave the form empty. Screenshot

Example 2

To block specific IP addresses - Add them to the blocked IP address list. Screenshot

Example 3

To only allow access to specific IP addresses - Add them to the allow list. Note: Access from all other IP addresses ware blocked. Screenshot

Example 4

To allow access from a specific IP address range while blocking parts of the range - Add the IP range to the list of allowed IP addresses and add the IP address that you wish to block to the Block list. Screenshot