Lake Formation access control overview
Access control in AWS Lake Formation is divided into the following two areas:

- Metadata access control – Permissions on Data Catalog resources (Data Catalog permissions). These permissions enable principals to create, read, update, and delete metadata databases and tables in the Data Catalog.
- Underlying data access control – Permissions on locations in Amazon Simple Storage Service (Amazon S3) (data access permissions and data location permissions).
  - Data access permissions enable principals to read and write data to underlying Amazon S3 locations—data pointed to by Data Catalog resources.
  - Data location permissions enable principals to create and alter metadata databases and tables that point to specific Amazon S3 locations.
For both areas, Lake Formation uses a combination of Lake Formation permissions and AWS Identity and Access Management (IAM) permissions. The IAM permissions model consists of IAM policies. The Lake Formation permissions model is implemented as DBMS-style GRANT/REVOKE commands, such as Grant SELECT on tableName to userName.

When a principal makes a request to access Data Catalog resources or underlying data, the request must pass permission checks by both IAM and Lake Formation for it to succeed.

Lake Formation permissions control access to Data Catalog resources, Amazon S3 locations, and the underlying data at those locations. IAM permissions control access to the Lake Formation and AWS Glue APIs and resources. So although you might have the Lake Formation permission to create a metadata table in the Data Catalog (CREATE_TABLE), your operation fails if you don't have the IAM permission on the glue:CreateTable API. (Why a glue: permission? Because Lake Formation uses the AWS Glue Data Catalog.)
Lake Formation permissions apply only in the Region in which they were granted.
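The following is an added example, not code from the AWS documentation, that models the evaluation described above: a CreateTable request succeeds only when an IAM policy allows the glue:CreateTable action and a Lake Formation CREATE_TABLE grant on the target database exists in the Region of the request. The data classes, the simplified IAM matching (exact action names plus the glue:* and * wildcards, explicit Deny winning), and the sample principal, database and Region names are assumptions made for illustration; the real services evaluate many more conditions than this.

```python
"""
Added example: a minimal model of Lake Formation's two permission gates.
Not AWS code; the evaluation rules here are simplified assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

@dataclass(frozen=True)
class IamStatement:
    effect: str                 # "Allow" or "Deny"
    actions: FrozenSet[str]     # e.g. {"glue:CreateTable"}

@dataclass(frozen=True)
class LfGrant:
    principal: str              # IAM principal the grant was issued to
    permission: str             # Lake Formation permission, e.g. "CREATE_TABLE"
    resource: str               # Data Catalog resource, e.g. "database:sales"
    region: str                 # grants apply only in the Region they were made in

# Data Catalog operation -> (IAM API action, Lake Formation permission).
# Only the pairing the page itself names is modelled here.
REQUIRED: Dict[str, tuple] = {
    "CreateTable": ("glue:CreateTable", "CREATE_TABLE"),
}

def iam_allows(statements: Iterable[IamStatement], action: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins; otherwise an explicit Allow is required."""
    allowed = False
    for s in statements:
        if action in s.actions or "glue:*" in s.actions or "*" in s.actions:
            if s.effect == "Deny":
                return False
            allowed = True
    return allowed

def lf_allows(grants: Iterable[LfGrant], principal: str, permission: str,
              resource: str, region: str) -> bool:
    """Lake Formation check: a matching grant must exist in the request's Region."""
    return any(g.principal == principal and g.permission == permission
               and g.resource == resource and g.region == region
               for g in grants)

def request_allowed(op: str, principal: str, resource: str, region: str,
                    iam_statements: Iterable[IamStatement],
                    lf_grants: Iterable[LfGrant]) -> bool:
    """Both gates must pass; failing either one fails the request."""
    action, lf_permission = REQUIRED[op]
    return (iam_allows(iam_statements, action)
            and lf_allows(lf_grants, principal, lf_permission, resource, region))

def demo() -> Dict[str, bool]:
    """Constructed scenarios showing which combinations let CreateTable through."""
    principal = "arn:aws:iam::123456789012:role/analyst"   # constructed sample ARN
    db = "database:sales"                                   # constructed sample database
    allow_glue = [IamStatement("Allow", frozenset({"glue:CreateTable"}))]
    deny_glue = allow_glue + [IamStatement("Deny", frozenset({"glue:*"}))]
    no_glue = [IamStatement("Allow", frozenset({"s3:GetObject"}))]
    grant_east = [LfGrant(principal, "CREATE_TABLE", db, "us-east-1")]
    grant_west = [LfGrant(principal, "CREATE_TABLE", db, "us-west-2")]
    return {
        "iam_and_lf": request_allowed("CreateTable", principal, db, "us-east-1", allow_glue, grant_east),
        "lf_only": request_allowed("CreateTable", principal, db, "us-east-1", no_glue, grant_east),
        "iam_only": request_allowed("CreateTable", principal, db, "us-east-1", allow_glue, []),
        "grant_in_other_region": request_allowed("CreateTable", principal, db, "us-east-1", allow_glue, grant_west),
        "explicit_iam_deny": request_allowed("CreateTable", principal, db, "us-east-1", deny_glue, grant_east),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Only the first scenario succeeds: a Lake Formation grant without the glue:CreateTable IAM permission, an IAM permission without a grant, a grant made in a different Region, and an explicit IAM Deny each cause the request to fail.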