Prerequisites
- By default, Athena authentication uses role-based access. You will need the trust policy prepopulated with our identifier to grant access. It should look similar to the following JSON object with a proper service account identifier:
Trust policy
1
Create a destination bucket, service policy, and role
Create Athena target bucket
Follow these steps to create a bucket to be used for staging data before transferring to a destination.- Navigate to the S3 service page.
- Click Create bucket.
- Enter a Bucket name, select an AWS Region, and modify any of the default settings as desired. Note: Object Ownership can be set to “ACLs disabled” and Block Public Access settings for this bucket can be set to “Block all public access” as recommended by AWS. Make note of the Bucket name and AWS Region.
- Click Create bucket.
Create Athena access policy
- Navigate to the IAM service page, click on the Policies navigation tab, and click Create policy.
- Click the JSON tab, and paste the following policy, being sure to replace
ACCOUNT_ID,WORKGROUP,BUCKET_NAMEandSCHEMAwith the your account information.WORKGROUPshould beprimaryunless otherwise specified during connection configuration.BUCKETshould refer to the bucket created in the previous step.SCHEMAused below does not need to be created ahead of time. If it does not exist, it will be created automatically before transferring data.
Access policy
KMS encryption (optional)If your S3 bucket uses KMS encryption (CMK), add the following statement to the Replace
Statement array of your IAM policy to allow data encryption/decryption with your KMS key. Encryption with SSE-C is not currently supported.KMS policy statement
REGION_NAME, ACCOUNT_ID, and KEY_ID with your values.Athena vs. S3 permissionsBecause Athena uses S3 as the underlying storage layer, the Resource access requested in the policy is scoped down via resource-specific permissions in the S3 actions.
- Click through to the Review step, choose a name for the policy, for example,
transfer-service-policy(this will be referenced in the next step), add a description, and click Create policy.
Create role
- IAM Role (recommended)
- HMAC Access Key ID & Secret Access Key
- Navigate to the IAM service page.
- Navigate to the Roles navigation tab, and click Create role.
- Select Custom trust policy and paste the provided trust policy (from the prerequisite) to allow AssumeRole access to this role. Click Next.
- Add the permissions policy created above, and click Next.
- Enter a Role name, for example,
transfer-role, and click Create role. - Once successfully created, search for the created role in the Roles list, click the role name, and make a note of the ARN value.
2
Add your destination
- Use the following details to complete the connection setup: database, schema, workgroup, bucket name, bucket region, and IAM Role ARN.
3
Data Management
Follow these guidelines to manage your new Athena tables effectively:The default setting is Replace
Optimize Iceberg queries
To optimize the performance of your Iceberg tables, use theOPTIMIZE command. This command reorganizes the data in a way that improves query efficiency. Execute the following query periodically:Optimize table
Set vacuum properties
Iceberg tables can accumulate snapshots over time, which can affect performance. To manage this, set the maximum age for snapshots that the vacuum process should retain:Set vacuum properties
432000 seconds, we recommend only updating this if you notice degrading performance.Perform time travel queries
Iceberg supports accessing historical data snapshots using time travel queries. This feature allows you to query the table as it appeared at a previous point in time, which is useful for audits and rollbacks:Time travel query
timestamp with the specific UNIX timestamp of the snapshot you wish to query.Permissions checklist
- IAM role trust policy allows the service to assume the role.
- IAM policy includes all Athena actions on the target workgroup ARN.
- IAM policy includes all Glue actions on the target catalog, database, and tables.
- IAM policy includes
s3:PutObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObject, s3:DeleteObjecton the staging bucket and its contents. - If using KMS encryption:
kms:GenerateDataKeyandkms:Decryptgranted on the key.
FAQ
How is the Athena connection secured?
How is the Athena connection secured?
We use IAM role-based authentication. We assume the IAM role you configure using short-lived credentials. No static access keys are required. All access is scoped to the permissions defined in the role’s IAM policy.
Why are Glue permissions required?
Why are Glue permissions required?
Athena uses the AWS Glue Data Catalog to store and manage table metadata. The Glue permissions allow the service to create and update table definitions as data is synced.
Do I need to pre-create the Glue database?
Do I need to pre-create the Glue database?
No. If the Glue database does not exist, it is created automatically before the first transfer. The
glue:CreateDatabase permission in the policy enables this. If you prefer to use an existing database, remove glue:CreateDatabase from the policy and provide the existing database name.