Teleskope needs write access to enforce remediation policies such as tagging, redaction, deletion, etc.
Attach the AWS-managed AmazonAthenaFullAccess policy to the Teleskope IAM role you created.
# Attaches the AWS-managed AmazonAthenaFullAccess policy to the IAM role named
# "TeleskopeRole". The role is referenced by its literal name, so it must
# already exist under exactly that name.
# NOTE(review): this managed policy allows athena:* and is broader than
# tagging, redaction and deletion alone; confirm the scope is acceptable for
# your account before attaching it.
resource "aws_iam_role_policy_attachment" "AmazonAthenaFullAccess" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonAthenaFullAccess"
}
Teleskope needs read access to scan and classify your data stored in Athena.
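Attach a custom AmazonAthenaReadOnlyAccess policy (the policy document shown below) to the Teleskope IAM role you created. Note that the document as written allows `athena:*` under the Sid `AthenaReadOnlyPermissions`, which covers write actions as well as reads, and that the trailing comma after `"s3:AbortMultipartUpload"` must be removed for the document to be valid JSON.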
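# Attaches the custom (customer-managed) AmazonAthenaReadOnlyAccess policy to
# the IAM role named "TeleskopeRole".
# A customer-managed policy lives under your own account ID; the "aws" account
# segment in an ARN is reserved for AWS-managed policies. Replace <ACCOUNT_ID>
# with the 12-digit ID of the account that owns the custom policy.
# NOTE(review): the resource label "sns_policy" is kept so the Terraform
# address does not change, although this attachment concerns Athena, not SNS.
resource "aws_iam_role_policy_attachment" "sns_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::<ACCOUNT_ID>:policy/AmazonAthenaReadOnlyAccess"
}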
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "AthenaReadOnlyPermissions",
"Effect" : "Allow",
"Action" : [
"athena:*"
],
"Resource" : [
"*"
]
},
{
"Sid" : "BaseGluePermissions",
"Effect" : "Allow",
"Action" : [
"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetTable",
"glue:GetTables",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition",
"glue:StartColumnStatisticsTaskRun",
"glue:GetColumnStatisticsTaskRun",
"glue:GetColumnStatisticsTaskRuns"
],
"Resource" : [
"*"
]
},
{
"Sid" : "BaseQueryResultsPermissions",
"Effect" : "Allow",
"Action" : [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
],
"Resource" : [
"arn:aws:s3:::aws-athena-query-results-*"
]
},
{
"Sid" : "BaseAthenaExamplesPermissions",
"Effect" : "Allow",
"Action" : [
"s3:GetObject",
"s3:ListBucket"
],
"Resource" : [
"arn:aws:s3:::athena-examples*"
]
},
{
"Sid" : "BaseS3BucketPermissions",
"Effect" : "Allow",
"Action" : [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource" : [
"*"
]
},
{
"Sid" : "BaseSNSPermissions",
"Effect" : "Allow",
"Action" : [
"sns:ListTopics",
"sns:GetTopicAttributes"
],
"Resource" : [
"*"
]
},
{
"Sid" : "BaseLakeFormationPermissions",
"Effect" : "Allow",
"Action" : [
"lakeformation:GetDataAccess"
],
"Resource" : [
"*"
]
},
{
"Sid" : "BaseDataZonePermissions",
"Effect" : "Allow",
"Action" : [
"datazone:ListDomains",
"datazone:ListProjects",
"datazone:ListAccountEnvironments"
],
"Resource" : [
"*"
]
},
{
"Sid" : "BasePricingPermissions",
"Effect" : "Allow",
"Action" : [
"pricing:GetProducts"
],
"Resource" : [
"*"
]
}
]
}