Step 2: Add permissions to read AWS CloudTrail logs to the workflow role - AWS Lake Formation

Step 2: Add permissions to read AWS CloudTrail logs to the workflow role

  1. Attach the following inline policy to the role LakeFormationWorkflowRole. The policy grants the role read access (s3:GetObject) to the objects in the Amazon S3 bucket that holds your AWS CloudTrail logs. Name the policy DatalakeGetCloudTrail.

    To create the LakeFormationWorkflowRole role, see (Optional) Create an IAM role for workflows.

    Important

    Replace <your-s3-cloudtrail-bucket> with the Amazon S3 location of your CloudTrail data.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": ["arn:aws:s3:::<your-s3-cloudtrail-bucket>/*"]
            }
        ]
    }
  2. Verify that there are three policies attached to the role.