Athena 3 account scenario while querying - isgaur/AWS-BigData-Solutions GitHub Wiki
There are three accounts involved in this use case:
Account A - ( Requester - the account in which the Athena query runs and requests the data )
Account B - ( S3 Bucket Owner )
Account C - ( Object Owner - the account whose user uploaded the data )
The query running in Account A reads an S3 object that sits in a bucket owned by Account B, but the object itself was uploaded by, and is therefore owned by, a user in Account C. Because the bucket owner (Account B) and the object owner (Account C) differ, the query fails with an "Object and Bucket Owner Mismatch" error (surfacing as a permission denied on the object).
By default, an S3 object is owned by the AWS account that uploaded it, not by the account that owns the bucket. In this case the object was uploaded to the bucket (dmi-master-billing) by a user in Account C. A bucket policy only governs objects that the bucket owner owns; it has no effect on objects owned by another account. The bucket policy on Account B's bucket (dmi-master-billing) grants Account A full access, but since the object is owned by Account C that grant is not honored for this object, and querying it throws a permission denied error. Note that this mismatch is a property of the ACL-based (object writer) ownership model: on a bucket whose Object Ownership setting is "bucket owner enforced", ACLs are disabled and the bucket owner automatically owns every object, so the situation described here cannot arise.
<<<<<<<<<<<<<<< ------------- Quick Solution -------------- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
As a quick solution, modify the object's access control list (ACL) to grant the bucket owner (Account B) full control of the object, for example with the bucket-owner-full-control canned ACL. This change has to be made by the object owner (Account C): only the object owner can set an object's ACL, the bucket owner cannot, which is exactly why the bucket policy alone does not help. It also has to be repeated for every affected object.
The documentation in [1] walks through changing the object's ACL so that Account B, the account that owns the bucket, gains full control of the object.
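The following is an added example, not code from the original wiki page: it audits a bucket's object ACLs for the bucket-owner / object-owner mismatch described above and emits the per-object "quick solution" command. The canonical user IDs, sample ACL responses and object keys are constructed placeholders; the function and variable names are the example's own.

```python
"""
Added example (not part of the original wiki page): find objects in a bucket
whose ACL does not give the bucket owner full control and print the fix.
All canonical user IDs, keys and ACL documents below are constructed.
"""
from typing import Dict, List

# Constructed canonical user IDs (real ones are 64 hex characters).
ACCOUNT_B_CANONICAL_ID = "b2b2b2b2-account-b-bucket-owner"
ACCOUNT_C_CANONICAL_ID = "c3c3c3c3-account-c-object-owner"


def bucket_owner_has_full_control(acl: Dict, bucket_owner_id: str) -> bool:
    """True if the ACL carries a FULL_CONTROL grant for the bucket owner's canonical ID."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "CanonicalUser"
                and grantee.get("ID") == bucket_owner_id
                and grant.get("Permission") == "FULL_CONTROL"):
            return True
    return False


def remediation_command(bucket: str, key: str) -> str:
    """The ACL change from the quick solution. It must be run with credentials
    from the OBJECT owner's account (Account C): only the object owner can set
    an object's ACL, the bucket owner cannot."""
    return (f"aws s3api put-object-acl --bucket {bucket} --key {key} "
            f"--acl bucket-owner-full-control")


def audit_object_acls(bucket: str, object_acls: Dict[str, Dict],
                      bucket_owner_id: str) -> List[Dict[str, str]]:
    """object_acls maps key -> the JSON returned by
    `aws s3api get-object-acl --bucket <bucket> --key <key>`.
    Returns one finding per object the bucket owner does not fully control."""
    findings = []
    for key, acl in object_acls.items():
        if acl["Owner"]["ID"] == bucket_owner_id:
            continue  # owned by the bucket owner: the bucket policy applies
        if bucket_owner_has_full_control(acl, bucket_owner_id):
            continue  # foreign owner, but bucket-owner-full-control already granted
        findings.append({
            "key": key,
            "object_owner": acl["Owner"]["ID"],
            "fix": remediation_command(bucket, key),
        })
    return findings


# Constructed sample of three get-object-acl responses for the bucket.
SAMPLE_ACLS = {
    "2021/03/billing.csv": {   # uploaded by Account C, no grant to Account B
        "Owner": {"ID": ACCOUNT_C_CANONICAL_ID},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_C_CANONICAL_ID},
             "Permission": "FULL_CONTROL"},
        ],
    },
    "2021/04/billing.csv": {   # uploaded by Account C with --acl bucket-owner-full-control
        "Owner": {"ID": ACCOUNT_C_CANONICAL_ID},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_C_CANONICAL_ID},
             "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_B_CANONICAL_ID},
             "Permission": "FULL_CONTROL"},
        ],
    },
    "2021/05/billing.csv": {   # written by Account B itself
        "Owner": {"ID": ACCOUNT_B_CANONICAL_ID},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_B_CANONICAL_ID},
             "Permission": "FULL_CONTROL"},
        ],
    },
}

if __name__ == "__main__":
    for finding in audit_object_acls("dmi-master-billing", SAMPLE_ACLS,
                                     ACCOUNT_B_CANONICAL_ID):
        print(f"{finding['key']}: owned by {finding['object_owner']} -> {finding['fix']}")
```

Run against real data by feeding it the output of `aws s3api get-object-acl` for each key (listed with `aws s3api list-objects-v2`) and the bucket owner's canonical ID from `aws s3api get-bucket-acl`. Only the first sample object produces a finding: the second already carries the grant and the third is owned by the bucket owner, so the bucket policy covers it.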
<<<<<<<<<<<<<<< ------- Long-Term/Permanent Solution ------------- ->>>>>>>>>>>>
There are two options for a more permanent solution that prevents this situation from recurring: set up cross-account access to the bucket's objects through an IAM role that the uploader assumes, OR
control upload rights to the bucket through the bucket policy (in Account B's S3 bucket) so that every upload must grant the bucket owner full control.
<<<<<-- Option 1 - Set-up the Cross-account Access to Bucket Objects based on Assume IAM role -->>>
The documentation in [2] provides instructions for setting up cross-account access to objects in S3 buckets through an IAM role. With this approach the uploading user in Account C assumes a role that lives in Account B and writes through that role; because the principal performing the PutObject then belongs to Account B, the object is owned by Account B and the bucket policy applies to it, so no per-object ACL is needed.
<<<-- Option 2 - Modifying Bucket Owner Policy or Setting up Object ACL's while putting or copying the objects to S3 Bucket-->>>>>
Configure the bucket policy and the bucket ACL so that other AWS accounts cannot upload to this bucket without granting the bucket owner full control of the object, for example by requiring the bucket-owner-full-control canned ACL on every PutObject. To implement this, follow either [3] (steps the bucket owner, Account B, implements) or [4] (steps the object owner, Account C, implements when putting or copying objects into the bucket).
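The following is an added example, not code from the original wiki page or from the referenced AWS articles: it shows the Option 2 bucket policy, which refuses any PutObject that does not grant the bucket owner full control, together with a small evaluator that mimics how S3 decides Allow / Deny for an upload so the policy can be tested offline. The account ID, bucket and object keys are constructed placeholders, and the evaluator models only the actions, resources and string conditions used here, not the full IAM policy language.

```python
"""
Added example (not part of the original wiki page): bucket policy requiring
bucket-owner-full-control on uploads, plus an offline evaluator for it.
Account IDs and keys are constructed; only StringEquals / StringNotEquals,
plain and wildcard action/resource matching are modelled.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

ACCOUNT_C = "111122223333"   # constructed: the account whose users upload objects
BUCKET = "dmi-master-billing"

# Bucket policy Account B attaches to the bucket. The explicit Deny blocks any
# writer (current or future) whose upload omits the required ACL; the Allow is
# the cross-account grant Account C needs in order to upload at all.
BUCKET_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUploadsWithoutBucketOwnerFullControl",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        },
        {
            "Sid": "AllowAccountCUploads",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_C}:root"},
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    ],
}


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(principal, account_id: str) -> bool:
    if principal == "*":
        return True
    # "arn:aws:iam::<account>:root" delegates to the whole account, so compare the account field.
    return any(p == "*" or p.split(":")[4] == account_id
               for p in _as_list(principal.get("AWS", [])))


def _condition_holds(condition: Dict, context: Dict[str, Optional[str]]) -> bool:
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)   # None when the request carried no such header
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False   # as in IAM, a missing key makes StringNotEquals true
    return True


def evaluate(policy: Dict, account_id: str, action: str, resource: str,
             context: Dict[str, Optional[str]]) -> str:
    """Returns 'Deny', 'Allow' or 'ImplicitDeny' for one request against the
    bucket policy alone (the caller's own IAM identity policy is not modelled)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], account_id):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny always wins
        decision = "Allow"
    return decision


def put_object_decision(account_id: str, key: str, acl: Optional[str]) -> str:
    """Decision for `aws s3 cp <file> s3://BUCKET/<key> [--acl <acl>]` issued from account_id."""
    return evaluate(BUCKET_POLICY, account_id, "s3:PutObject",
                    f"arn:aws:s3:::{BUCKET}/{key}", {"s3:x-amz-acl": acl})


if __name__ == "__main__":
    for acl in (None, "private", "bucket-owner-full-control"):
        print(f"Account C upload with acl={acl!r}: "
              f"{put_object_decision(ACCOUNT_C, '2021/06/billing.csv', acl)}")
```

An upload from Account C without `--acl`, or with any other canned ACL such as `private`, hits the explicit Deny; only `--acl bucket-owner-full-control` is allowed, and an account the policy never mentions gets an implicit deny even with the right ACL. Two caveats a practitioner should keep in mind: a real cross-account PutObject also needs an identity policy in Account C that allows `s3:PutObject` on the bucket, and on a bucket whose Object Ownership is "bucket owner enforced" this policy is unnecessary, since ACLs are disabled there and the bucket owner owns every object (uploads that still send `bucket-owner-full-control` are accepted).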
To summarize, to let the requester running the query in Account A read the specific object right away, apply the "quick solution" above; then adopt one of the long-term options so that future uploads do not reintroduce the mismatch.
References:
[1] https://aws.amazon.com/premiumsupport/knowledge-center/s3-object-change-anonymous-ownership/
[2] https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/
[3] https://aws.amazon.com/premiumsupport/knowledge-center/s3-require-object-ownership/
[4] https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/