AWS Athena

To integrate Amazon Athena with Dot securely and efficiently, follow these steps to establish a connection, configure IAM permissions, and restrict access to specific Athena workgroups.

1. Create a Dedicated IAM User for Dot

For enhanced security, it's advisable to create a dedicated IAM user for Dot with permissions limited to the necessary Athena resources.

• Create the IAM User:

  • Sign in to the AWS Management Console.

  • Navigate to the IAM service.

  • Select "Users" and then "Add user".

  • Enter a username (e.g., dot_athena_user).

  • Choose "Programmatic access" to provide access via the AWS CLI, SDKs, or APIs.

• Attach Policies:

  • Select "Attach existing policies directly".

  • Attach the AmazonAthenaFullAccess managed policy to grant full access to Athena.

  • Attach the AWSGlueConsoleFullAccess policy to allow access to the AWS Glue Data Catalog, which Athena uses for metadata.

  • Ensure the user has the necessary permissions to access the relevant Amazon S3 buckets where your data resides.

• Complete User Creation:

  • Review the permissions and create the user.

2. Optinonally restrict IAM Permissions to Specific Athena Workgroups

To enhance security, you can limit the IAM user's permissions to specific Athena workgroups. This ensures Dot accesses only the intended resources.

• Define the Policy:

  • Create a custom IAM policy that grants permissions solely to the desired workgroups.

  • Specify the workgroup ARNs in the policy's Resource section.

• Example Policy:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "athena:StartQueryExecution",
          "athena:StopQueryExecution",
          "athena:GetQueryExecution",
          "athena:GetQueryResults"
        ],
        "Resource": [
          "arn:aws:athena:us-east-1:123456789012:workgroup/your_workgroup_name"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "glue:GetDatabase",
          "glue:GetTable",
          "glue:GetPartitions"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::your_bucket_name",
          "arn:aws:s3:::your_bucket_name/*"
        ]
      }
    ]
  }

 Replace your_workgroup_name with the name of your Athena workgroup and your_bucket_name with your S3 bucket name.

• Attach the Policy:

  • Navigate to the IAM console.

  • Select "Policies" and then "Create policy".

  • Use the JSON editor to input your custom policy.

  • Review and create the policy.

  • Attach this policy to the IAM user created for Dot.

For more details on controlling workgroup access with IAM policies, refer to the AWS Athena documentation.

3. Configure Network Access

Ensure that Dot can communicate with Athena by allowing outbound access to the following IP addresses, especially if your organization uses a firewall or network policies:

• 3.229.110.216

• 3.122.135.165

4. Obtain the Access Key ID and Secret Access Key

After creating the IAM user, generate the access keys required for programmatic access:

• Generate Access Keys via AWS Management Console:

  • In the IAM console, select "Users" and click on the username you created (e.g., dot_athena_user).

  • Navigate to the "Security credentials" tab.

  • In the "Access keys" section, click "Create access key".

  • Choose the appropriate use case (e.g., "Command Line Interface (CLI)") and click "Next".

  • Optionally, add a description tag for the access key, then click "Create access key".

  • The Access Key ID and Secret Access Key will be displayed. This is the only time the Secret Access Key will be available, so ensure you securely store it, either by downloading the .csv file or copying the keys to a secure location.

5. Connect Dot to Amazon Athena

With the IAM user and network configurations in place, proceed to connect Dot to Athena:

• Navigate to Dot's integration settings.

• Select "Add Integration" and choose Amazon Athena from the list of available data sources.

• Enter the Access Key ID and Secret Access Key of the IAM user created earlier.

• Specify the AWS region where your Athena instance is located.

• Provide any additional configuration details as prompted by Dot.

By following these steps, Dot will establish a secure connection to Amazon Athena, enabling efficient data access while adhering to security best practices.