Overview of Lake Formation permissions - AWS Lake Formation


There are two main types of permissions in AWS Lake Formation:

  • Metadata access – Permissions on Data Catalog resources (Data Catalog permissions).

    These permissions enable principals to create, read, update, and delete metadata databases and tables in the Data Catalog.

  • Underlying data access – Permissions on locations in Amazon Simple Storage Service (Amazon S3) (data access permissions and data location permissions).

    • Data access permissions enable principals to read and write data to underlying Amazon S3 locations—data pointed to by Data Catalog resources.

    • Data location permissions enable principals to create and alter metadata databases and tables that point to specific Amazon S3 locations.

For both types, Lake Formation uses a combination of Lake Formation permissions and IAM permissions. The IAM permissions model consists of IAM policies. The Lake Formation permissions model is implemented as DBMS-style GRANT/REVOKE commands, such as:

Grant SELECT on tableName to userName

When a principal requests access to Data Catalog resources or underlying data, the request succeeds only if it passes the permission checks of both IAM and Lake Formation; a grant in one layer does not compensate for a missing permission in the other.

AWS Lake Formation requires that each principal (user or role) be authorized to perform actions on Lake Formation–managed resources. A principal is granted the necessary authorizations by the data lake administrator or another principal with the permissions to grant Lake Formation permissions.

When you grant a Lake Formation permission to a principal, you can optionally grant the ability to pass that permission to another principal.
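The following is an added, offline model of the two-layer check and of grant delegation described above; it is illustrative code written for this page, not AWS's implementation or an AWS SDK call. The principal ARNs, the table name, the admin role, and the one-to-one mapping from a Lake Formation permission to a single IAM action are all constructed assumptions (a real request touches several IAM actions and resource types).

```python
"""Illustrative model of Lake Formation authorization: IAM policy AND Lake Formation grant.

Not AWS code. Principals, table names and the IAM_ACTION_FOR mapping are constructed
for this example only.
"""
from dataclasses import dataclass


# ---- IAM layer: a policy is a list of (effect, action-pattern) statements ----
def _match(pattern, action):
    """Minimal IAM action matching: exact, trailing wildcard ('glue:Get*'), or '*'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def iam_allows(policy, action):
    """IAM evaluation in miniature: an explicit Deny wins; otherwise an Allow is required."""
    allowed = False
    for effect, pattern in policy:
        if _match(pattern, action):
            if effect == "Deny":
                return False
            allowed = True
    return allowed


# ---- Lake Formation layer: DBMS-style GRANT/REVOKE with an optional grant option ----
@dataclass
class Grant:
    permission: str        # e.g. "SELECT"
    resource: str          # e.g. "table:salesdb/orders"
    grant_option: bool = False


class LakeFormation:
    def __init__(self, admin):
        self.admin = admin     # data lake administrator, may grant anything
        self.grants = {}       # principal -> list[Grant]

    def holds(self, principal, permission, resource, with_grant_option=False):
        for g in self.grants.get(principal, []):
            if g.permission == permission and g.resource == resource:
                if g.grant_option or not with_grant_option:
                    return True
        return False

    def _can_delegate(self, principal, permission, resource):
        # Only the admin or a principal holding the permission WITH GRANT OPTION may pass it on.
        return principal == self.admin or self.holds(principal, permission, resource, True)

    def grant(self, grantor, grantee, permission, resource, grant_option=False):
        """GRANT <permission> ON <resource> TO <grantee> [WITH GRANT OPTION]."""
        if not self._can_delegate(grantor, permission, resource):
            raise PermissionError(f"{grantor} may not grant {permission} on {resource}")
        self.grants.setdefault(grantee, []).append(Grant(permission, resource, grant_option))

    def revoke(self, revoker, grantee, permission, resource):
        """REVOKE <permission> ON <resource> FROM <grantee>."""
        if not self._can_delegate(revoker, permission, resource):
            raise PermissionError(f"{revoker} may not revoke {permission} on {resource}")
        self.grants[grantee] = [g for g in self.grants.get(grantee, [])
                                if not (g.permission == permission and g.resource == resource)]


# Constructed simplification: one IAM action per Lake Formation permission.
IAM_ACTION_FOR = {"SELECT": "lakeformation:GetDataAccess", "DESCRIBE": "glue:GetTable"}


def authorize(iam_policies, lf, principal, permission, resource):
    """A request succeeds only if BOTH the IAM policy and the Lake Formation grant allow it."""
    iam_ok = iam_allows(iam_policies.get(principal, []), IAM_ACTION_FOR[permission])
    lf_ok = lf.holds(principal, permission, resource)
    return iam_ok and lf_ok


def demo():
    """Walk through grant, delegation, an IAM deny and a revoke; returns each outcome."""
    lf = LakeFormation(admin="arn:aws:iam::123456789012:role/DataLakeAdmin")  # constructed
    analyst = "arn:aws:iam::123456789012:role/Analyst"                        # constructed
    intern = "arn:aws:iam::123456789012:user/intern"                          # constructed
    table = "table:salesdb/orders"                                            # constructed
    iam = {
        analyst: [("Allow", "lakeformation:GetDataAccess"), ("Allow", "glue:Get*")],
        intern: [("Allow", "lakeformation:GetDataAccess")],
    }
    r = {}
    r["before_grant"] = authorize(iam, lf, analyst, "SELECT", table)   # IAM ok, no LF grant
    lf.grant(lf.admin, analyst, "SELECT", table, grant_option=True)     # admin grants w/ option
    r["after_grant"] = authorize(iam, lf, analyst, "SELECT", table)
    lf.grant(analyst, intern, "SELECT", table)                          # analyst passes it on
    r["intern_select"] = authorize(iam, lf, intern, "SELECT", table)
    try:                                                                 # intern lacks grant option
        lf.grant(intern, "arn:aws:iam::123456789012:user/contractor", "SELECT", table)
        r["intern_regrant"] = True
    except PermissionError:
        r["intern_regrant"] = False
    iam[intern].append(("Deny", "lakeformation:*"))                    # LF grant, IAM deny
    r["iam_deny"] = authorize(iam, lf, intern, "SELECT", table)
    lf.revoke(lf.admin, analyst, "SELECT", table)
    r["after_revoke"] = authorize(iam, lf, analyst, "SELECT", table)
    return r


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {'allowed' if outcome else 'denied'}")
```

The point the model makes is the one the page states: an IAM Allow without a Lake Formation grant, or a grant with an IAM Deny, both end in a denied request, and a principal can pass a permission on only when it was granted with the grant option.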

You can use the Lake Formation API, the AWS Command Line Interface (AWS CLI), or the Data permissions and Data locations pages of the Lake Formation console to grant and revoke Lake Formation permissions.