AWS Managed Policies for Lake Formation - AWS Lake Formation

AWS Managed Policies for Lake Formation

You can grant the AWS Identity and Access Management (IAM) permissions that are required to work with AWS Lake Formation by using AWS managed policies and inline policies. The following AWS managed policies are available for Lake Formation.

Principal | AWS managed policy | Comments
--- | --- | ---
Lake Formation user, including the data lake administrator | AWSGlueConsoleFullAccess | Allows the principal to conduct a variety of operations on the Lake Formation console.
Data lake administrators | AWSLakeFormationDataAdmin | Allows the data lake administrator to conduct administrative operations and view AWS CloudTrail logs.
Lake Formation user, including the data lake administrator | AWSLakeFormationCrossAccountManager | Allows the principal to grant Lake Formation permissions to external AWS accounts, to organizations, or to organizational units.

The AWSLakeFormationDataAdmin policy does not grant every permission that data lake administrators require. Additional permissions are needed to create and run workflows and to register locations with the service-linked role AWSServiceRoleForLakeFormationDataAccess. For more information, see Create a Data Lake Administrator and Using Service-Linked Roles for Lake Formation.

In addition, AWS Glue and Lake Formation assume the service role AWSGlueServiceRole to allow access to related services, including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), and Amazon CloudWatch.
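Because AWSLakeFormationCrossAccountManager lets a principal share Lake Formation permissions with external accounts and organizations, it is worth knowing exactly which users, groups and roles carry each of the three managed policies above. The following script is an added example, not part of the AWS documentation: it enumerates the attached principals with the IAM ListEntitiesForPolicy API and flags holders of the cross-account policy for review. It assumes boto3 is installed, that the caller's credentials allow iam:ListEntitiesForPolicy, and that the policy ARNs follow the standard arn:aws:iam::aws:policy/<name> form.

```python
"""Audit which IAM principals hold the Lake Formation managed policies."""

# The three AWS managed policies listed on this page.
LAKE_FORMATION_POLICIES = (
    "AWSGlueConsoleFullAccess",
    "AWSLakeFormationDataAdmin",
    "AWSLakeFormationCrossAccountManager",
)

# Holders of this policy can grant data lake access outside the account.
CROSS_ACCOUNT_POLICY = "AWSLakeFormationCrossAccountManager"


def policy_arn(name):
    """AWS managed policies live under the pseudo-account 'aws' (assumption: standard partition)."""
    return f"arn:aws:iam::aws:policy/{name}"


def attached_principals(iam, name):
    """Return the users, groups and roles that have one managed policy attached."""
    found = {"users": [], "groups": [], "roles": []}
    paginator = iam.get_paginator("list_entities_for_policy")
    for page in paginator.paginate(PolicyArn=policy_arn(name)):
        found["users"] += [u["UserName"] for u in page.get("PolicyUsers", [])]
        found["groups"] += [g["GroupName"] for g in page.get("PolicyGroups", [])]
        found["roles"] += [r["RoleName"] for r in page.get("PolicyRoles", [])]
    return found


def audit(iam):
    """Map each Lake Formation managed policy to its attached principals."""
    return {name: attached_principals(iam, name) for name in LAKE_FORMATION_POLICIES}


def cross_account_holders(report):
    """Principals that can share the data lake externally; review each one deliberately."""
    holders = report.get(CROSS_ACCOUNT_POLICY, {})
    return sorted(f"{kind}:{principal}" for kind, names in holders.items() for principal in names)


if __name__ == "__main__":
    import boto3  # imported lazily so the audit logic stays testable without AWS access

    report = audit(boto3.client("iam"))
    for policy, principals in report.items():
        print(policy, principals)
    print("cross-account capable:", cross_account_holders(report))
```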