Compliance Reporting with Athena
Aggregate and schedule reports from immutable audit logs stored in the S3 bucket audit-demo-logs.

Amazon Athena
- Prepare log data on S3
  - Logs have been written to the audit-demo-logs bucket in the logs/ folder (see step 4).
  - Ensure bucket versioning and Object Lock are still active, so data cannot be deleted/overwritten.


- Create AWS Glue Crawler
  - AWS Console → Glue → Crawlers → Add crawler.
  - Name: AuditLogsS3Crawler.
  - Data store: select S3, enter path s3://audit-demo-logs/logs/.
  - IAM role: select (or create) GlueCrawlerRole with permissions (JSON):

        {
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": ["arn:aws:s3:::audit-demo-logs", "arn:aws:s3:::audit-demo-logs/logs/*"]
        }

  - Output → Database: audit_reports, Table prefix: audit_logs.
  - Schedule: None (run on demand).
  - After creation, select Run crawler and wait for the status Succeeded.




- Configure Amazon Athena
  - AWS Console → Athena.
  - Settings (top right) → Query result location: s3://audit-demo-query-results/.
  - In Query Editor, select the database audit_reports.
  - Check the table:

        SELECT *
        FROM "audit_reports"."audit_logsaudit_demo_logs"
        LIMIT 5;



- Verify results
  - In S3, open audit-demo-query-results/Unsaved and check the query result file.
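
Added example (not part of the original tutorial): the first step asks you to confirm that versioning and Object Lock are still active on audit-demo-logs before reporting from it. The Python below evaluates the responses of the S3 GetBucketVersioning and GetObjectLockConfiguration calls. The function names and the sample responses are constructed for illustration, and the live path assumes boto3 with read-only credentials.

```python
BUCKET = "audit-demo-logs"  # bucket name used on this page

# Constructed sample responses (shape of the two S3 API calls), for offline use.
SAMPLE_VERSIONING = {"Status": "Enabled"}
SAMPLE_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}}


def immutability_findings(versioning, object_lock):
    """Return problems found in the GetBucketVersioning and
    GetObjectLockConfiguration responses (object_lock may be None)."""
    findings = []
    status = versioning.get("Status")  # absent if versioning was never enabled
    if status != "Enabled":
        findings.append(f"versioning is {status or 'not configured'}")
    cfg = (object_lock or {}).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled")
        return findings
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("Object Lock has no default retention rule")
    elif retention.get("Mode") == "GOVERNANCE":
        findings.append("GOVERNANCE mode: s3:BypassGovernanceRetention "
                        "holders can still delete versions")
    return findings


def fetch_and_check(bucket=BUCKET):
    """Live check; assumes boto3 and credentials for the two read-only calls."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    versioning = s3.get_bucket_versioning(Bucket=bucket)
    try:
        lock = s3.get_object_lock_configuration(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] != "ObjectLockConfigurationNotFoundError":
            raise
        lock = None  # bucket has no Object Lock configuration at all
    return immutability_findings(versioning, lock)


if __name__ == "__main__":
    print(immutability_findings(SAMPLE_VERSIONING, SAMPLE_LOCK) or "sample: ok")
    print(immutability_findings({"Status": "Suspended"}, None))
```

An empty list from fetch_and_check() means both protections are in place; run it before each report so a suspended versioning setting or a removed retention rule is noticed before the report is treated as evidence.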

