k9 Security now summarizes principals’ access to the Athena APIs and reports whether IAM principals may administer Athena data catalog configurations and read or write data through Athena. Amazon Athena is a serverless interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.

If you’re wondering which IAM principals can administer or access data through Athena, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use Athena APIs and maps each principal’s access to a k9 access capability.

Here’s an example of how Athena access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):

k9 Principal Access Summary for Athena

This example shows the ci IAM user has full access to Athena APIs: administer-resource, read-config, read-data, and write-data. Source data cannot be deleted through Athena, so no delete-data capability is shown. The k9-auditor role has only the read-config capability for Athena APIs, allowing it to read Athena configuration metadata.
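To make the capability mapping concrete, here is an added example (written for this post, not k9's own code or its published mapping) that takes IAM identity policies for a few principals and rolls each principal's effective Athena actions up into the four capabilities named above. The Athena action list and the action-to-capability assignment are the editor's assumptions; the sample policies for `ci`, `k9-auditor` and `analyst` are constructed. The evaluation is deliberately simplified: it honours `Allow`/`Deny` and wildcards in `Action`, but ignores `NotAction`, `Resource`, `Condition`, permission boundaries and SCPs, all of which a real analysis must consider.

```python
import fnmatch

# Illustrative action -> capability assignment (assumption, not k9's mapping).
# The action names are Athena IAM actions; "write-data" covers running queries,
# since a query can write to S3 via CTAS/INSERT. There is no delete-data capability
# because source data cannot be deleted through Athena.
CAPABILITY_OF = {
    "administer-resource": {
        "CreateDataCatalog", "UpdateDataCatalog", "DeleteDataCatalog",
        "CreateWorkGroup", "UpdateWorkGroup", "DeleteWorkGroup",
        "CreateNamedQuery", "DeleteNamedQuery", "TagResource", "UntagResource",
    },
    "read-config": {
        "GetDataCatalog", "ListDataCatalogs", "GetWorkGroup", "ListWorkGroups",
        "ListTagsForResource", "GetNamedQuery", "ListNamedQueries", "BatchGetNamedQuery",
        "GetDatabase", "ListDatabases", "GetTableMetadata", "ListTableMetadata",
        "GetQueryExecution", "BatchGetQueryExecution", "ListQueryExecutions",
    },
    "read-data": {"GetQueryResults", "GetQueryResultsStream"},
    "write-data": {"StartQueryExecution", "StopQueryExecution"},
}

# Full action list derived from the mapping so the two cannot drift apart.
ATHENA_ACTIONS = sorted(
    f"athena:{name}" for members in CAPABILITY_OF.values() for name in members
)


def expand_actions(patterns):
    """Expand IAM Action strings (with * wildcards) to concrete Athena actions.
    IAM matches action names case-insensitively, so compare in lower case."""
    matched = set()
    for pattern in patterns:
        for action in ATHENA_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                matched.add(action)
    return matched


def effective_athena_actions(policy):
    """Allowed actions minus explicitly denied ones (Action-level only)."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket |= expand_actions(actions)
    return allowed - denied


def capabilities(actions):
    """A principal holds a capability if it can call any action in that bucket."""
    names = {a.split(":", 1)[1] for a in actions}
    return sorted(cap for cap, members in CAPABILITY_OF.items() if names & members)


def summarize_principals(principals):
    """Map principal name -> sorted list of k9-style Athena capabilities."""
    return {name: capabilities(effective_athena_actions(pol))
            for name, pol in principals.items()}


# Constructed sample policies, shaped to reproduce the two principals in the post
# plus an analyst that can run queries and read results but not change configuration.
SAMPLE_PRINCIPALS = {
    "ci": {"Statement": [{"Effect": "Allow", "Action": "athena:*", "Resource": "*"}]},
    "k9-auditor": {"Statement": [
        {"Effect": "Allow", "Action": ["athena:Get*", "athena:List*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "athena:GetQueryResults*", "Resource": "*"},
    ]},
    "analyst": {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "athena:StartQueryExecution", "athena:GetQueryExecution", "athena:GetQueryResults",
    ]}]},
}

if __name__ == "__main__":
    for principal, caps in summarize_principals(SAMPLE_PRINCIPALS).items():
        print(f"{principal:12s} {', '.join(caps) or '(none)'}")
```

The explicit `Deny` on `athena:GetQueryResults*` is what keeps `k9-auditor` at `read-config` only: a broad `Get*`/`List*` grant would otherwise quietly include `read-data`, which is exactly the kind of over-grant a review of this summary is meant to surface.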

The Amazon Athena API currently has 29 actions, which k9 will now track for updates. This summary of k9’s AWS service coverage shows how Athena compares to other AWS data and security APIs:

k9 AWS Service Analysis Summary

Amazon Athena provides a quick and cost-effective way to analyze data in S3. Manage the risk of data breaches through data analysis functions by continuously reviewing and adjusting access to Athena and to the S3 data it queries.

We hope k9’s new Athena analysis capabilities help you identify which IAM users and roles can administer Athena and access data in your AWS accounts. We are happy to answer any questions!