Cross-Account Access: How It Works - AWS Lake Formation

Cross-Account Access: How It Works

To enable cross-account access, you grant Lake Formation permissions with the grant option on Data Catalog tables and databases (Data Catalog resources) to an external AWS account, organization, or organizational unit. The grant operation automatically shares those resources.

You don't share resources with specific principals in external AWS accounts—you share the resources only with the accounts. Granting Lake Formation permissions to an organization or organizational unit is equivalent to granting the permission to every AWS account in that organization or organizational unit.

When you grant Lake Formation permissions on a Data Catalog resource to an external account, Lake Formation uses the AWS Resource Access Manager (AWS RAM) service to share the resource. If the grantee account is in the same organization as the grantor account, the shared resource is available immediately to the grantee. If the grantee account is not in the same organization, AWS RAM sends an invitation to the grantee account to accept or reject the resource grant. Then, to make the shared resource available, the data lake administrator in the grantee account must use the AWS RAM console or CLI to accept the invitation.

With a single Lake Formation grant operation, you can grant cross-account permissions on the following Data Catalog resources:

  • A database

  • An individual table (with optional column filtering)

  • A few selected tables

  • All tables in a database (by using the * All Tables wildcard)

In each account that accesses a shared resource:

  • At least one user must be designated as a data lake administrator. For information on how to create a data lake administrator, see Create a Data Lake Administrator.

  • The data lake administrator can view shared resources and grant Lake Formation permissions on the shared resources to other principals in the account. Other principals can't access shared resources until the data lake administrator grants them permissions on the resources. Because the data lake administrator must grant permissions on shared resources to the principals in the grantee account, cross-account permissions must always be granted with the grant option.

  • For the data lake administrator and for principals whom the data lake administrator has granted permissions to, shared resources appear in the Data Catalog as if they were local (owned) resources. Extract, transform, and load (ETL) jobs can access the underlying data of shared resources.

  • For shared resources, the Tables and Databases pages on the Lake Formation console display the owner's account ID.

  • Principals can create a resource link in their Data Catalog to a shared resource from another AWS account. Integrated services such as Amazon Athena and Amazon Redshift Spectrum require resource links to be able to include shared resources in queries. For more information about resource links, see How Resource Links Work in Lake Formation.

  • When the underlying data of a shared resource is accessed, AWS CloudTrail log events are generated in both the shared resource recipient's account and the resource owner's account. The CloudTrail events can contain the ARN of the principal that accessed the data, but only if the recipient account opts in to include the principal ARN in the logs. For more information, see Cross-Account CloudTrail Logging.
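The grant and resource-link request shapes behind the steps above, as an added example that is not AWS's own code: boto3-style request dictionaries for GrantPermissions and Glue CreateDatabase, plus a pre-flight check that enforces what this page states (grantees are accounts or organizations, never individual principals, and cross-account grants always carry the grant option). Account IDs, database and table names are constructed placeholders; field names follow the public Lake Formation and Glue APIs.

```python
"""Request shapes for Lake Formation cross-account grants (GrantPermissions) and
Glue resource links (CreateDatabase with TargetDatabase). Dicts are ready to pass
as **kwargs to boto3; nothing here calls AWS. All IDs and names are constructed."""
from typing import Dict, List, Optional

OWNER_ACCOUNT = "111111111111"    # constructed: grantor (resource owner) account
GRANTEE_ACCOUNT = "222222222222"  # constructed: external grantee account


def table_resource(owner: str, database: str, table: Optional[str] = None,
                   columns: Optional[List[str]] = None) -> Dict:
    """One table, a column-filtered table, or all tables in a database (TableWildcard)."""
    if table is None:  # the "* All Tables" case described on the page
        return {"Table": {"CatalogId": owner, "DatabaseName": database, "TableWildcard": {}}}
    if columns:
        return {"TableWithColumns": {"CatalogId": owner, "DatabaseName": database,
                                     "Name": table, "ColumnNames": columns}}
    return {"Table": {"CatalogId": owner, "DatabaseName": database, "Name": table}}


def cross_account_grant(owner: str, grantee: str, resource: Dict, permissions: List[str]) -> Dict:
    """Grant to an external account. The grant option is copied from Permissions because
    only the grantee's data lake administrator can re-grant to principals in that account."""
    if grantee == owner:
        raise ValueError("grantee is the owner account; not a cross-account grant")
    return {"CatalogId": owner,
            "Principal": {"DataLakePrincipalIdentifier": grantee},
            "Resource": resource,
            "Permissions": list(permissions),
            "PermissionsWithGrantOption": list(permissions)}


def is_valid_cross_account_grant(req: Dict) -> bool:
    """Pre-flight check for a review or CI gate: the grantee must be an account ID or an
    AWS Organizations ARN (shares go to accounts, not to individual principals), and every
    permission must also appear in PermissionsWithGrantOption."""
    who = req["Principal"]["DataLakePrincipalIdentifier"]
    is_account = who.isdigit() and len(who) == 12
    is_org = who.startswith("arn:aws:organizations::")  # organization or OU ARN
    if not (is_account or is_org):
        return False  # e.g. an IAM role ARN in the other account: not shareable this way
    missing = set(req["Permissions"]) - set(req.get("PermissionsWithGrantOption", []))
    return not missing


def resource_link_input(link_name: str, owner: str, database: str) -> Dict:
    """DatabaseInput for glue.create_database in the grantee account: a resource link that
    Athena and Redshift Spectrum need before the shared database can appear in queries."""
    return {"Name": link_name, "TargetDatabase": {"CatalogId": owner, "DatabaseName": database}}
```

The RAM invitation step for grantees outside the organization is not modelled here; it is accepted by the grantee's data lake administrator in the RAM console or CLI before the resource-link input is used.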