Setting up AWS Lake Formation

Complete the following tasks to get set up to use Lake Formation:

Complete initial AWS configuration tasks

To use AWS Lake Formation you must first complete the following tasks:

Sign Up for AWS

When you sign up for AWS, your AWS account is automatically signed up for all services in AWS, including Lake Formation. You are charged only for the services that you use.

If you have an AWS account already, skip to the next task. If you don't have an AWS account, use the following procedure to create one.

To create an AWS account

  1. Open https://portal.aws.amazon.com/billing/signup.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

Note your AWS account number, because you'll need it for the next task.

Create an Administrator IAM User

Services in AWS, such as Lake Formation, require that you provide credentials when you access them, so that the service can determine whether you have permission to access its resources. We don't recommend that you access AWS using the credentials for your AWS account. Instead, we recommend that you use AWS Identity and Access Management (IAM). You can create an IAM user, and then add the user to an IAM group with administrative permissions, or grant this user administrative permissions. You can then access AWS using the credentials for the IAM user.

If you signed up for AWS but have not created an administrative IAM user for yourself, you can create one using the IAM console. If you aren't familiar with using the console, see Working with the AWS Management Console for an overview.

To create an administrator user for yourself and add the user to an administrators group (console)

  1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    Note

    We strongly recommend that you adhere to the best practice of using the Administrator IAM user that follows and securely lock away the root user credentials. Sign in as the root user only to perform a few account and service management tasks.

  2. In the navigation pane, choose Users and then choose Add user.

  3. For User name, enter Administrator.

  4. Select the check box next to AWS Management Console access. Then select Custom password, and then enter your new password in the text box.

  5. (Optional) By default, AWS requires the new user to create a new password when first signing in. You can clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after they sign in.

  6. Choose Next: Permissions.

  7. Under Set permissions, choose Add user to group.

  8. Choose Create group.

  9. In the Create group dialog box, for Group name enter Administrators.

  10. Choose Filter policies, and then select AWS managed - job function to filter the table contents.

  11. In the policy list, select the check box for AdministratorAccess. Then choose Create group.

    Note

    You must activate IAM user and role access to Billing before you can use the AdministratorAccess permissions to access the AWS Billing and Cost Management console. To do this, follow the instructions in step 1 of the tutorial about delegating access to the billing console.

  12. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to see the group in the list.

  13. Choose Next: Tags.

  14. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM entities in the IAM User Guide.

  15. Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.

You can use this same process to create more groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to specific AWS resources, see Access management and Example policies.

Sign in as an IAM user

Sign in to the IAM console by choosing IAM user and entering your AWS account ID or account alias. On the next page, enter your IAM user name and your password.

Note

For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose the sign-in link beneath the button to return to the main sign-in page. From there, you can enter your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.

Create an IAM Role for Workflows

With AWS Lake Formation, you can import your data using workflows. A workflow defines the data source and schedule to import data into your data lake. You can easily define workflows using the blueprints, or templates, that Lake Formation provides.

When you create a workflow, you must assign it an AWS Identity and Access Management (IAM) role that grants Lake Formation the necessary permissions to ingest the data.

The following procedure assumes familiarity with IAM.

To create an IAM role for workflows

  1. Open the IAM console at https://console.aws.amazon.com/iam and sign in as the IAM administrator user that you created in Create an Administrator IAM User or as an IAM user with the AdministratorAccess AWS managed policy.

  2. In the navigation pane, choose Roles, then Create role.

  3. On the Create role page, choose AWS service, and then choose Glue. Choose Next:Permissions.

  4. Search for the AWSGlueServiceRole managed policy, and select the check box next to the policy name in the list. Then complete the Create role wizard, naming the role LakeFormationWorkflowRole. To finish, choose Create role.

  5. Back on the Roles page, search for LakeFormationWorkflowRole and choose the role name.

  6. On the role Summary page, under the Permissions tab, choose Add inline policy, and add the following inline policy. A suggested name for the policy is LakeFormationWorkflow.

    Important

    In the following policy, replace <account-id> with a valid AWS account number.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "lakeformation:GetDataAccess",
                    "lakeformation:GrantPermissions"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": ["iam:PassRole"],
                "Resource": [
                    "arn:aws:iam::<account-id>:role/LakeFormationWorkflowRole"
                ]
            }
        ]
    }

    The following are brief descriptions of the permissions in this policy:

    • lakeformation:GetDataAccess enables jobs created by the workflow to write to the target location.

    • lakeformation:GrantPermissions enables the workflow to grant the SELECT permission on target tables.

    • iam:PassRole enables the service to assume the role LakeFormationWorkflowRole to create crawlers and jobs, and to attach the role to the created crawlers and jobs.

  7. Verify that the role LakeFormationWorkflowRole has two policies attached.

  8. If you are ingesting data that is outside the data lake location, add an inline policy granting permissions to read the source data.

Create a Data Lake Administrator

Data lake administrators are initially the only AWS Identity and Access Management (IAM) users or roles that can grant Lake Formation permissions on data locations and Data Catalog resources to any principal (including self). For more information about data lake administrator capabilities, see Implicit Lake Formation Permissions.

You can create a data lake administrator using the Lake Formation console or the PutDataLakeSettings operation of the Lake Formation API.

The following permissions are required to create a data lake administrator. The Administrator IAM user has these permissions implicitly.

  • lakeformation:PutDataLakeSettings

  • lakeformation:GetDataLakeSettings

If you grant a user the AWSLakeFormationDataAdmin policy, that user will not be able to create additional Lake Formation administrator users.

To create a data lake administrator (console)

  1. If the IAM user who is to be a data lake administrator does not yet exist, use the IAM console to create it. Otherwise, view the existing IAM user who is to be the data lake administrator.

    Note

    We recommend that you do not select an IAM administrative user (user with the AdministratorAccess AWS managed policy) to be the data lake administrator.

    Attach the following AWS managed policies to the user:

    • AWSLakeFormationDataAdmin (mandatory): Basic data lake administrator permissions.

    • AWSGlueConsoleFullAccess and CloudWatchLogsReadOnlyAccess (optional): Attach these policies if the data lake administrator will be troubleshooting workflows created from Lake Formation blueprints. These policies enable the data lake administrator to view troubleshooting information in the AWS Glue console and the Amazon CloudWatch Logs console. For information about workflows, see Importing Data Using Workflows in Lake Formation.

    • AWSLakeFormationCrossAccountManager (optional): Attach this policy to enable the data lake administrator to grant and revoke cross-account permissions on Data Catalog resources. For more information, see Cross-Account Access in Lake Formation.

    • AmazonAthenaFullAccess (optional): Attach this policy if the data lake administrator will be running queries in Amazon Athena.

  2. Attach the following inline policy, which grants the data lake administrator permission to create the Lake Formation service-linked role. A suggested name for the policy is LakeFormationSLR.

    The service-linked role enables the data lake administrator to more easily register Amazon S3 locations with Lake Formation. For more information about the Lake Formation service-linked role, see Using Service-Linked Roles for Lake Formation.

    Important

    In the following policy, replace <account-id> with a valid AWS account number.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:CreateServiceLinkedRole",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "iam:AWSServiceName": "lakeformation.amazonaws.com"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": ["iam:PutRolePolicy"],
                "Resource": "arn:aws:iam::<account-id>:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess"
            }
        ]
    }

  3. (Optional) Attach the following PassRole inline policy to the user. This policy enables the data lake administrator to create and run workflows. The iam:PassRole permission enables the workflow to assume the role LakeFormationWorkflowRole to create crawlers and jobs, and to attach the role to the created crawlers and jobs. A suggested name for the policy is UserPassRole.

    Important

    Replace <account-id> with a valid AWS account number.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PassRolePermissions",
                "Effect": "Allow",
                "Action": ["iam:PassRole"],
                "Resource": [
                    "arn:aws:iam::<account-id>:role/LakeFormationWorkflowRole"
                ]
            }
        ]
    }

  4. (Optional) Attach this additional inline policy if your account will be granting or receiving cross-account Lake Formation permissions. This policy enables the data lake administrator to view and accept AWS Resource Access Manager (AWS RAM) resource share invitations. Also, for data lake administrators in the AWS Organizations management account, the policy includes a permission to enable cross-account grants to organizations. For more information, see Cross-Account Access in Lake Formation.

    A suggested name for the policy is RAMAccess.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ram:AcceptResourceShareInvitation",
                    "ram:RejectResourceShareInvitation",
                    "ec2:DescribeAvailabilityZones",
                    "ram:EnableSharingWithAwsOrganization"
                ],
                "Resource": "*"
            }
        ]
    }

  5. Open the AWS Lake Formation console at https://console.aws.amazon.com/lakeformation/ and sign in as the IAM administrator user that you created in Create an Administrator IAM User or as any IAM administrative user.

  6. If a Welcome to Lake Formation window appears, choose the IAM user that you created or selected in Step 1, and then choose Get started.

  7. If you do not see a Welcome to Lake Formation window, then perform the following steps to configure a Lake Formation Administrator.

    1. In the navigation pane, under Permissions, choose Administrative Roles and tasks. In the Data lake administrators section of the console page, choose Choose administrators.

    2. In the Manage data lake administrators dialog box, for IAM users and roles, choose the IAM user that you created or selected in Step 1, and then choose Save.
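The inline policies above (LakeFormationWorkflow, LakeFormationSLR, UserPassRole) depend on properties that are easy to lose when a template is copied: iam:PassRole and iam:PutRolePolicy are scoped to exact role ARNs, the iam:CreateServiceLinkedRole statement carries the iam:AWSServiceName condition, and <account-id> is actually replaced. The following checker is an added example, not AWS tooling; it also applies to the compaction role policy later on this page, and the sample policies it lints are constructed here, with 111122223333 as a made-up account number.

```python
"""Static least-privilege checks for the Lake Formation inline policies."""
import json
import re

# A "<...>" token left inside a Resource ARN means the template was attached unedited.
PLACEHOLDER = re.compile(r"<[^<>]+>")

# Actions that this page scopes to a specific ARN; granting them on Resource "*"
# would let the principal pass or modify any role (or write to any bucket).
NO_WILDCARD_RESOURCE = {"iam:PassRole", "iam:PutRolePolicy", "s3:PutObject"}

LF_SERVICE = "lakeformation.amazonaws.com"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy) -> list:
    """Return finding strings for one policy; an empty list means it passed.

    `policy` may be a dict or the JSON text pasted into the policy editor.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version is missing or not 2012-10-17")
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for res in resources:
            if PLACEHOLDER.search(res):
                findings.append(f"statement {idx}: unreplaced placeholder in {res}")
        if "*" in resources:
            for act in sorted(set(actions) & NO_WILDCARD_RESOURCE):
                findings.append(f"statement {idx}: {act} allowed on Resource *")
        if "iam:CreateServiceLinkedRole" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("iam:AWSServiceName") != LF_SERVICE:
                findings.append(
                    f"statement {idx}: iam:CreateServiceLinkedRole is not "
                    f"restricted to {LF_SERVICE}"
                )
    return findings


def lint_all(policies: dict) -> dict:
    """Lint several named policies; returns only the names that have findings."""
    report = {}
    for name, doc in policies.items():
        findings = lint_policy(doc)
        if findings:
            report[name] = findings
    return report


# Constructed samples (not from the page): the account number is made up.
ACCOUNT_ID = "111122223333"

# The UserPassRole policy from this page with the account number filled in.
USER_PASS_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PassRolePermissions",
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": [f"arn:aws:iam::{ACCOUNT_ID}:role/LakeFormationWorkflowRole"],
    }],
}

# The same policy attached without editing the template.
UNEDITED_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": ["arn:aws:iam::<account-id>:role/LakeFormationWorkflowRole"],
    }],
}

# An over-broad shortcut: PassRole on every role in the account.
WILDCARD_PASS_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}],
}

# The LakeFormationSLR policy with its AWSServiceName condition dropped.
SLR_NO_CONDITION = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*"}],
}
```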

Confused Deputy Prevention

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. For more information, see Cross-service confused deputy prevention.

Change the default permission model

Lake Formation starts with the "Use only IAM access control" settings enabled for compatibility with existing AWS Glue Data Catalog behavior. We recommend that you disable these settings to enable fine-grained and tag-based access control with Lake Formation permissions.

For more information, see Changing the Default Security Settings for Your Data Lake.

Important

If you have existing AWS Glue Data Catalog databases and tables, do not follow the instructions in this section. Instead, follow the instructions in Upgrading AWS Glue Data Permissions to the AWS Lake Formation Model.

Warning

If you have automation in place that creates databases and tables in the Data Catalog, the following steps might cause the automation and downstream extract, transform, and load (ETL) jobs to fail. Proceed only after you have either modified your existing processes or granted explicit Lake Formation permissions to the required principals. For information about Lake Formation permissions, see Lake Formation Permissions Reference.

To change the default Data Catalog settings

  1. Continue in the Lake Formation console at https://console.aws.amazon.com/lakeformation/. Ensure that you are signed in as the IAM administrator user that you created in Create an Administrator IAM User or as an IAM user with the AdministratorAccess AWS managed policy.

  2. Modify the Data Catalog settings:

    1. In the navigation pane, under Data catalog, choose Settings.

    2. Clear both check boxes and choose Save.

      [Image: The Data catalog settings dialog box has the subtitle "Default permissions for newly created databases and tables" and two check boxes, which are described in the text.]

  3. Revoke IAMAllowedPrincipals permission for database creators.

    1. In the navigation pane, under Permissions, choose Administrative roles and tasks.

    2. In the Administrative roles and tasks console page, in the Database creators section, select the IAMAllowedPrincipals group, and choose Revoke.

      The Revoke permissions dialog box appears, showing that IAMAllowedPrincipals has the Create database permission.

    3. Choose Revoke.
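Clearing the two check boxes in step 2 is the console form of calling PutDataLakeSettings with empty CreateDatabaseDefaultPermissions and CreateTableDefaultPermissions lists, and step 3 corresponds to RevokePermissions for CREATE_DATABASE on the catalog. The following audit is an added example, not AWS's code: it runs offline on a constructed GetDataLakeSettings response (account 111122223333 is made up), and only apply_hardened_settings() needs a live boto3 Lake Formation client.

```python
"""Audit and harden the Data Catalog default permissions through the API."""
import copy

IAM_ALLOWED = "IAM_ALLOWED_PRINCIPALS"  # API identifier for the IAMAllowedPrincipals group
DEFAULT_KEYS = ("CreateDatabaseDefaultPermissions", "CreateTableDefaultPermissions")

# Constructed sample of a GetDataLakeSettings response for an account that is
# still in "Use only IAM access control" mode (both check boxes selected).
SAMPLE_RESPONSE = {
    "DataLakeSettings": {
        "DataLakeAdmins": [
            {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/lf-admin"}
        ],
        "CreateDatabaseDefaultPermissions": [
            {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED}, "Permissions": ["ALL"]}
        ],
        "CreateTableDefaultPermissions": [
            {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED}, "Permissions": ["ALL"]}
        ],
        "TrustedResourceOwners": [],
        "AllowExternalDataFiltering": False,
        "ExternalDataFilteringAllowList": [],
    }
}


def iam_only_findings(settings: dict) -> list:
    """Report each default-permission list that still grants to IAMAllowedPrincipals."""
    findings = []
    for key in DEFAULT_KEYS:
        for entry in settings.get(key, []):
            principal = entry.get("Principal", {}).get("DataLakePrincipalIdentifier")
            if principal == IAM_ALLOWED:
                findings.append(f"{key} grants {entry.get('Permissions')} to IAMAllowedPrincipals")
    return findings


def hardened_settings(settings: dict) -> dict:
    """Return a copy with both default-permission lists cleared (both check boxes off)."""
    hardened = copy.deepcopy(settings)
    for key in DEFAULT_KEYS:
        hardened[key] = []
    return hardened


def apply_hardened_settings(client, catalog_id=None) -> list:
    """Live version: read, harden and write back using a boto3 'lakeformation' client.

    Returns the findings that were present before the change (empty if nothing changed).
    """
    kwargs = {"CatalogId": catalog_id} if catalog_id else {}
    current = client.get_data_lake_settings(**kwargs)["DataLakeSettings"]
    findings = iam_only_findings(current)
    if not findings:
        return []
    client.put_data_lake_settings(DataLakeSettings=hardened_settings(current), **kwargs)
    # Step 3 of the procedure: remove IAMAllowedPrincipals from the database creators.
    client.revoke_permissions(
        Principal={"DataLakePrincipalIdentifier": IAM_ALLOWED},
        Resource={"Catalog": {}},
        Permissions=["CREATE_DATABASE"],
        **kwargs,
    )
    return findings
```

Run the audit first on its own; the live function changes settings for the whole account, so the warning above about existing automation applies to it as much as to the console steps.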

Create additional Lake Formation users

Create an IAM user to have access to the data lake in AWS Lake Formation. This user has the minimum set of permissions to query the data lake.

To create a non-administrator user with access to Lake Formation data

  1. Open the IAM console at https://console.aws.amazon.com/iam and sign in as the IAM administrator user that you created in Create an Administrator IAM User or as an IAM user with the AdministratorAccess AWS managed policy.

  2. Choose Users, and then Add users.

  3. Enter a name for the user, and then choose the Password - AWS Management Console access method. Configure the user password requirements. You can optionally choose to enable Access key - Programmatic access for this user.

    Choose Next:Permissions.

  4. Under Set permissions, choose Attach existing policies directly. Enter Athena in the Filter policies text field. In the result list, check the box for AmazonAthenaFullAccess.

  5. Choose the Create policy button. On the Create policy page, choose the JSON tab. Copy and paste the following code into the policy editor.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "lakeformation:GetDataAccess",
                    "glue:GetTable",
                    "glue:GetTables",
                    "glue:SearchTables",
                    "glue:GetDatabase",
                    "glue:GetDatabases",
                    "glue:GetPartitions",
                    "lakeformation:GetResourceLFTags",
                    "lakeformation:ListLFTags",
                    "lakeformation:GetLFTag",
                    "lakeformation:SearchTablesByLFTags",
                    "lakeformation:SearchDatabasesByLFTags"
                ],
                "Resource": "*"
            }
        ]
    }

  6. Choose the Next button at the bottom until you see the Review policy page. Enter a name for the policy, for example, DatalakeUserBasic. Choose Create policy, then close the Policies tab or browser window.

  7. Back in the IAM Add user window, enter datalake in the Filter policy search field. If the newly created policy doesn't appear in the result list, choose the Refresh (page reload) button. Check the box for the DatalakeUserBasic policy.

  8. Choose Next: Tags and then Next: Review.

  9. On the Review page, you should see that both the DatalakeUserBasic policy and the AmazonAthenaFullAccess policy were chosen for the user. Choose Create user to complete the setup.

Configure an Amazon S3 location for your data lake

To use Lake Formation to manage and secure the data in your data lake, you must first register an Amazon S3 location. When you register a location, that Amazon S3 path and all folders under that path are registered.

When you register a location, you specify an IAM role that grants read/write permissions on that location. Lake Formation assumes that role when supplying temporary credentials to integrated AWS services that request access to data in the registered Amazon S3 location. You can specify either the Lake Formation service-linked role (SLR) or create your own role.

Use a custom role in the following situations:

The role that you choose must have the necessary permissions, as described in Requirements for Roles Used to Register Locations. For instructions on how to register an Amazon S3 location, see Adding an Amazon S3 Location to Your Data Lake.

Prepare for using governed tables and row-level security

The Lake Formation governed tables, row-level filtering, and storage optimization features require additional configuration before using them.

Prepare for using governed tables

To create governed tables in Lake Formation, you must first register an Amazon S3 location in Lake Formation and specify a role that contains all the required permissions, as described previously in Configure an Amazon S3 location for your data lake. You then need to grant permissions to the user or role that will be interacting with governed tables. For more information about data access permissions, see Underlying Data Access Control.

To create a governed table the user must be a data lake administrator or a user with the following permissions:

  • The Lake Formation CREATE_TABLE permission on the target database

  • The AWS Identity and Access Management (IAM) permission glue:CreateTable

  • Data location permissions in Lake Formation, as described in Granting Data Location Permissions. Data location permissions control the ability to create or alter Data Catalog resources that point to particular Amazon S3 locations.

To access data in a governed table, the principal needs the SELECT permission on the governed table and IAM permissions to call the following operations:

  • lakeformation:StartQueryPlanning

  • lakeformation:GetQueryState

  • lakeformation:GetWorkUnits

  • lakeformation:GetWorkUnitResults

  • lakeformation:StartTransaction

  • lakeformation:CommitTransaction

  • lakeformation:CancelTransaction

  • lakeformation:ExtendTransaction

To create and assign a role to users for creating and using governed tables

  1. Open the IAM console at https://console.aws.amazon.com/iam and sign in as the IAM administrator user that you created in Create an Administrator IAM User or as an IAM user with the AdministratorAccess AWS managed policy.

  2. In the navigation pane, choose Roles, then Create role.

  3. In the Attach permissions policies section, choose Create policy. In the newly opened browser window, create a new policy to use with your role.

    1. On the Create policy page, choose the JSON tab. Copy the following JSON code into the policy editor field.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "glue:GetTable",
                      "glue:GetPartitions",
                      "glue:UpdateTable"
                  ],
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "lakeformation:StartQueryPlanning",
                      "lakeformation:GetQueryState",
                      "lakeformation:GetWorkUnits",
                      "lakeformation:GetWorkUnitResults",
                      "lakeformation:GetQueryStatistics",
                      "lakeformation:StartTransaction",
                      "lakeformation:CommitTransaction",
                      "lakeformation:CancelTransaction",
                      "lakeformation:ExtendTransaction",
                      "lakeformation:DescribeTransaction",
                      "lakeformation:ListTransactions",
                      "lakeformation:GetTableObjects",
                      "lakeformation:UpdateTableObjects",
                      "lakeformation:DeleteObjectsOnCancel"
                  ],
                  "Resource": "*"
              }
          ]
      }

      The following are brief descriptions of the permissions in this policy:

      • lakeformation:StartQueryPlanning allows principals to submit requests to process a query statement.

      • lakeformation:GetQueryState allows principals to view the state of a previously submitted query.

      • lakeformation:GetWorkUnits allows principals to retrieve the work units generated by the StartQueryPlanning operation.

      • lakeformation:GetWorkUnitResults allows principals to view the work units resulting from the query.

      • lakeformation:GetQueryStatistics allows principals to retrieve statistics on the planning and execution of a query.

      • lakeformation:StartTransaction allows principals and jobs to start a transaction.

      • lakeformation:CommitTransaction allows principals and jobs to commit transactions.

      • lakeformation:CancelTransaction allows principals and jobs to stop a transaction before the commit.

      • lakeformation:ExtendTransaction allows principals and jobs to indicate that the specified transaction is still active and shouldn’t be canceled.

      • lakeformation:DescribeTransaction allows principals and jobs to list information about a transaction.

      • lakeformation:ListTransactions allows principals and jobs to view metadata about transactions and their statuses.

      • lakeformation:GetTableObjects allows principals and jobs to list the table objects stored in the data lake.

      • lakeformation:UpdateTableObjects allows principals and jobs to update the table objects stored in the data lake.

      • lakeformation:DeleteObjectsOnCancel allows principals and jobs to specify a list of Amazon S3 objects that will be written during the current transaction and that can be automatically deleted if the transaction is canceled.

    2. For users that need to manage the data compaction and garbage collection settings for governed tables, add the following permissions to the above policy:

      "lakeformation:UpdateTableStorageOptimizer", "lakeformation:ListTableStorageOptimizers"
    3. Choose Next:Tags.

    4. You can optionally add a tag, then choose Next: Review.

    5. On the Review policy page, enter a name for the policy, for example LakeFormationGovernedTables, then choose Create policy.

    6. You can close this window, and return to the Create role page.

  4. On the Create role page, choose the refresh button, then search for the LakeFormationGovernedTables policy you created in the previous step. Select the check box next to the policy name in the list.

  5. Complete the Create role wizard by choosing Next until you reach the Review page. Enter a name for the role, such as LakeFormationTransactionsRole. To finish, choose Create role.

  6. Back on the Roles page, search for LakeFormationTransactionsRole and choose the role name.

  7. On the role Summary page, under the Permissions tab, verify that the role has the LakeFormationGovernedTables policy attached.

You can now assign this role to the principals that work with governed tables.

Prepare for using automatic data compaction with governed tables

To configure data compaction for governed tables, the principal must satisfy the following conditions:

  • Be the user that created the table or be a data lake administrator user

  • Have the glue:UpdateTable, glue:GetTable and Lake Formation ALTER permission on the table

Additionally, the role used when registering the Amazon S3 data lake location with Lake Formation must contain the following permissions to use data compaction:

  • s3:PutObject and lakeformation:UpdateTableObjects

  • lakeformation:StartTransaction, lakeformation:CommitTransaction, lakeformation:CancelTransaction, lakeformation:DeleteObjectsOnCancel, and logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents on "arn:aws:logs:*:<account-id>:log-group:/aws-lakeformation-acceleration/compaction/logs:*", as in the following example (replace <account-id>, <bucket>, and <prefix> with your own values).

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": "arn:aws:s3:::<bucket>/<prefix>/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "lakeformation:StartTransaction",
                    "lakeformation:CommitTransaction",
                    "lakeformation:CancelTransaction",
                    "lakeformation:DeleteObjectsOnCancel"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Resource": "arn:aws:logs:*:<account-id>:log-group:/aws-lakeformation-acceleration/compaction/logs:*"
            }
        ]
    }

  • If the Data Catalog is encrypted, the AWS KMS key policy must include a trust relationship with lakeformation.amazonaws.com, such as the following example.

    {
        "Effect": "Allow",
        "Principal": {
            "Service": ["lakeformation.amazonaws.com"]
        },
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:DescribeKey"
        ],
        "Resource": "*"
    }

Prepare for using row-level security

When you grant Lake Formation permissions on a Data Catalog table, you can include data filtering specifications that restrict which data appears in query results and within AWS Glue ETL jobs. Lake Formation uses data filtering to achieve column-level, row-level, and cell-level security. You implement these by creating named data filters and specifying a data filter when you grant the SELECT Lake Formation permission on a table. When you create a data filter, you provide the set of columns to expose and a filter expression for the rows to include. Engines integrated with Lake Formation, such as Athena and AWS Glue ETL jobs, then return only the data that the filter allows.

For more information about data filters, see Data Filtering and Cell-Level Security in Lake Formation.

To configure row-level security for a table

  1. Identify the content you want to restrict access to and create data filters. For instructions on how to create data filters, see Creating a Data Filter.

  2. Grant DESCRIBE permission on the data filter to users who will be able to view the data filter.

    When you create a data filter, only you can view it. To allow other principals to view and use a data filter, you can grant the DESCRIBE permission on it.

  3. Specify the data filter when you grant the SELECT Lake Formation permission on tables to principals.

  4. Assign IAM permissions to the principals that will query the table using cell-level filters. Principals that query tables with cell-level filtering must have the following IAM permissions:

    • lakeformation:StartQueryPlanning

    • lakeformation:GetQueryState

    • lakeformation:GetWorkUnits

    • lakeformation:GetWorkUnitResults

(Optional) Allow Data Filtering on Amazon EMR Clusters

If you intend to analyze and process data in your data lake with Amazon EMR, you must opt in to allow Amazon EMR clusters to access data managed by Lake Formation. If you don't opt in, Amazon EMR clusters will not be able to access data in Amazon S3 locations that are registered with Lake Formation.

Lake Formation supports column-level permissions to restrict access to specific columns in a table. Integrated analytics services like Amazon Athena, Amazon Redshift Spectrum, and Amazon EMR retrieve non-filtered table metadata from the AWS Glue Data Catalog. The actual filtering of columns in query responses is the responsibility of the integrated service. EMR clusters are not completely managed by AWS. Therefore, it's the responsibility of EMR administrators to properly secure the clusters to avoid unauthorized access to data.

By opting in to allow data filtering on the EMR cluster, you are certifying that you have properly secured the cluster.

To opt in to allow data filtering on Amazon EMR clusters (console)

  1. Continue in the Lake Formation console at https://console.aws.amazon.com/lakeformation/. Ensure that you are signed in as a principal that has the IAM permission on the Lake Formation PutDataLakeSettings API operation. The IAM administrator user that you created in Create an Administrator IAM User has this permission.

  2. In the navigation pane, under Permissions, choose External data filtering.

  3. On the External data filtering page, do the following:

    1. Turn on Allow Amazon EMR clusters to filter data managed by Lake Formation.

    2. For AWS account IDs, enter the account IDs of AWS accounts with Amazon EMR clusters that are to perform data filtering. Press Enter after each account ID.

    3. Choose Save.

(Optional) Grant Access to the Data Catalog Encryption Key

If the AWS Glue Data Catalog is encrypted, grant AWS Identity and Access Management (IAM) permissions on the AWS KMS key to any principals who need to grant Lake Formation permissions on Data Catalog databases and tables.

For more information, see the AWS Key Management Service Developer Guide.