<< Click to Display Table of Contents >> Raynet One Data Hub > 14.0 > Connectors > Alphabetic Connector List > Amazon Athena > Prerequisites  Best Practice Configuration

By default, IAM users and roles do not have permissions to create or modify Amazon S3 resources. They also cannot perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users or roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions.

 

Roles are assumed by users, applications, and services. The access for roles is short-term and will be renewed automatically. Instead of creating and distributing AWS user credentials, it is possible to use IAM roles to delegate permissions for API requests as follows:

 

1.Create an IAM role.

2.Define which accounts or AWS services can accept the roles.

3.Define which API actions and resources the application can use after accepting the role.

4.Specify the role when the instance is started or associate the role with an existing instance.

5.Let the application retrieve and use a set of temporary credentials.

 

For example, use IAM roles to grant permissions to applications running on instances that must use a bucket in Amazon S3. It is possible to specify permissions for IAM roles by creating a policy in the JSON format. These policies are similar to the ones created for IAM users. When making a change to a role, the change is propagated to all instances.

 

Detailed information about creating roles can be found here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html.