Cross-Account Best Practices and Limitations - AWS Lake Formation

Cross-Account Best Practices and Limitations

The following are best practices and limitations of cross-account access:

  • There is no limit to the number of Lake Formation permission grants that you can make to principals in your own AWS account. However, the maximum number of cross-account grants that your account can make is 1,600. To avoid reaching this limit, follow these best practices:

    • Arrange AWS accounts into organizations, and grant permissions to organizations or organizational units. A grant to an organization or organizational unit counts as one grant.

      Granting to organizations or organizational units also eliminates the need to accept an AWS Resource Access Manager (AWS RAM) resource share invitation for the grant. For more information, see Accessing and Viewing Shared Data Catalog Tables and Databases.

    • Instead of granting permissions on many individual tables in a database, use the special * All tables wildcard to grant permissions on all tables in the database. Granting on * All tables counts as a single grant. For more information, see Granting Table Permissions (External Account).

    Note

    The limit of 1,600 grants is a soft limit. To exceed this limit, request a higher limit for the number of resource shares in AWS Resource Access Manager (AWS RAM). For more information, see AWS service quotas in the AWS General Reference.

  • You must create a resource link to a shared database for that database to appear in the Amazon Athena and Amazon Redshift Spectrum query editors. Similarly, to be able to query shared tables using Athena and Redshift Spectrum, you must create resource links to the tables. The resource links then appear in the tables list of the query editors.

    Instead of creating resource links for many individual tables for querying, you can use the * All tables wildcard to grant permissions on all tables in a database. Then, when you create a resource link for that database and select that database resource link in the query editor, you'll have access to all tables in that database for your query. For more information, see Creating Resource Links.

  • If you have an AWS Glue Data Catalog resource policy in place, we recommend that you remove it and rely solely on Lake Formation permissions to secure your data lake. For more information, see Managing Cross-Account Permissions Using Both AWS Glue and Lake Formation.

  • Athena and Redshift Spectrum support column-level access control, but only for inclusion, not exclusion. Cross-account, column-level access control is not supported in AWS Glue ETL jobs.

  • When a resource is shared with your AWS account, you can grant permissions on the resource only to users in your account. You can't grant permissions on the resource to other AWS accounts, to organizations (not even your own organization), or to the IAMAllowedPrincipals group.

  • You can't grant DROP or Super on a database to an external account.

  • Revoke cross-account permissions before you delete a database or table. Otherwise, you must delete orphaned resource shares in AWS Resource Access Manager.
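The following added example (not from this page or the Lake Formation documentation) builds the request parameters for grants that follow the first best practice above (one grant to an organization or organizational unit, covering all tables in a database through the table wildcard) and pre-checks the database-level limitation that DROP and Super (ALL in the API) cannot go to an external account. Account IDs, organization and OU ARNs, and database names are constructed placeholders; the dicts it returns are the keyword arguments for boto3's `lakeformation.grant_permissions`, which is not called here.

```python
import re

# "Super" in the Lake Formation console is "ALL" in the API and CLI.
DB_PERMS_NOT_SHAREABLE = frozenset({"DROP", "ALL"})

# Principal identifiers: a 12-digit account ID, an IAM user/role ARN, or an
# AWS Organizations organization/OU ARN (constructed patterns, not exhaustive).
ORG_OR_OU_ARN = re.compile(r"^arn:aws:organizations::\d{12}:(organization|ou)/")
ACCOUNT_OF_PRINCIPAL = re.compile(r"^(\d{12})$|^arn:aws:iam::(\d{12}):")


def is_external(principal: str, own_account: str) -> bool:
    """True when the grant is cross-account: another account, or an
    organization/OU (those grants are shared through AWS RAM)."""
    if ORG_OR_OU_ARN.match(principal):
        return True
    m = ACCOUNT_OF_PRINCIPAL.match(principal)
    if not m:
        return False  # forms without an account ID are in-account
    return (m.group(1) or m.group(2)) != own_account


def disallowed_db_permissions(principal, permissions, own_account) -> set:
    """Database permissions that cannot be granted to an external principal."""
    if not is_external(principal, own_account):
        return set()
    return set(permissions) & DB_PERMS_NOT_SHAREABLE


def all_tables_grant(principal, database, permissions, own_account) -> dict:
    """grant_permissions kwargs for every table in `database` via TableWildcard:
    one API call and one cross-account grant against the 1,600 limit."""
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": {"Table": {"CatalogId": own_account,
                               "DatabaseName": database,
                               "TableWildcard": {}}},
        "Permissions": sorted(set(permissions)),
    }


def database_grant(principal, database, permissions, own_account) -> dict:
    """grant_permissions kwargs for a database; refuses DROP/ALL to externals."""
    bad = disallowed_db_permissions(principal, permissions, own_account)
    if bad:
        raise ValueError(f"{sorted(bad)} cannot be granted on {database} to {principal}")
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": {"Database": {"CatalogId": own_account, "Name": database}},
        "Permissions": sorted(set(permissions)),
    }
```

Pass a returned dict as `boto3.client("lakeformation").grant_permissions(**req)`; the same Principal and Resource shapes apply to `revoke_permissions`, which the last bullet above says to run before deleting a shared database or table.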
