Overview of data filtering
With the data filtering capabilities of Lake Formation, you can implement the following levels of data security.
Column-level security
Granting permissions on a Data Catalog table with column-level security (column filtering)
allows users to view only specific columns that they have access to in the table. Consider a
persons
table that is used in multiple applications for a large multi-region
communications company. Granting permissions on Data Catalog tables with column filtering can
restrict users who don't work in the HR department from seeing personally identifiable
information (PII) such as a social security number or birth date.
Row-level security
Granting permissions on a Data Catalog table with row-level security (row filtering) allows users to view only specific rows of data that they have access to in the table. The filtering is based on the values of one or more columns. For example, if different regional offices of the communications company have their own HR departments, you can limit the person records that HR employees can see to only records for employees in their region.
Cell-level security
Cell-level security combines row filtering and column filtering for a highly flexible permissions model. If you view the rows and columns of a table as a grid, by using cell-level security, you can restrict access to individual elements (cells) of the grid anywhere in the two dimensions. That is, you can restrict access to different columns depending on the row. This is illustrated by the following diagram, in which restricted columns are shaded.

Continuing the example of the persons table, you can create a data filter at the cell-level that restricts access to the street address column if the row has the country column set to "UK", but allows access to the street address column if the row has the country column set to "US".
Filters apply only to read operations. Therefore, you can grant only the
SELECT
Lake Formation permission with filters.