Lake Formation Access Control Overview - AWS Lake Formation

Lake Formation Access Control Overview

Access control in AWS Lake Formation is divided into the following two areas:

  • Metadata access control – Permissions on Data Catalog resources (Data Catalog permissions).

    These permissions enable principals to create, read, update, and delete metadata databases and tables in the Data Catalog.

  • Underlying data access control – Permissions on locations in Amazon Simple Storage Service (Amazon S3) (data access permissions and data location permissions).

    Data access permissions enable principals to read and write data to underlying Amazon S3 locations. Data location permissions enable principals to create metadata databases and tables that point to specific Amazon S3 locations.

For both areas, Lake Formation uses a combination of Lake Formation permissions and AWS Identity and Access Management (IAM) permissions. The IAM permissions model consists of IAM policies. The Lake Formation permissions model is implemented as DBMS-style GRANT/REVOKE commands, such as Grant SELECT on tableName to userName.

When a principal makes a request to access Data Catalog resources or underlying data, for the request to succeed, it must pass permission checks by both IAM and Lake Formation.

        A requestor's request must past through two "doors" to get to resources: Lake Formation
          permissions and IAM permissions.

Lake Formation permissions control access to Data Catalog resources, Amazon S3 locations, and the underlying data at those locations. IAM permissions control access to the Lake Formation and AWS Glue APIs and resources. So although you might have the Lake Formation permission to create a metadata table in the Data Catalog (CREATE_TABLE), your operation fails if you don't have the IAM permission on the glue:CreateTable API. (Why a glue: permission? Because Lake Formation uses the AWS Glue Data Catalog.)