Updating cross-account data sharing version settings - AWS Lake Formation

Updating cross-account data sharing version settings

From time to time, AWS Lake Formation updates the cross-account data sharing settings to reflect changes in how it uses AWS RAM and to support updates to the cross-account data sharing feature. When it does so, it creates a new version of the Cross account version settings.

Main differences between cross-account version settings

For more information about how cross-account data sharing works under different Cross account version settings, see the following sections.

Note

To share data with another account, the grantor must have the permissions in the AWSLakeFormationCrossAccountManager managed IAM policy. This is a prerequisite for all versions.

Updating the Cross account version settings does not impact the permissions the recipient has on shared resources. This is applicable when updating from version 1 to version 2, version 2 to version 3, and version 1 to version 3. See the considerations listed below when updating versions.

Version 1

Named resource method: Maps each cross-account Lake Formation permission grant to one AWS RAM resource share. User (grantor role or principal) does not require additional permissions.

LF-TBAC method: Cross-account Lake Formation permission grants don't use AWS RAM to share data. User must have glue:PutResourcePolicy permission.

Benefits from updating versions: Initial version - not applicable.

Considerations when updating versions: Initial version - not applicable.

Version 2

Named resource method: Optimizes the number of AWS RAM resource shares by mapping multiple cross-account permission grants with one AWS RAM resource share. User does not require additional permissions.

LF-TBAC method: Cross-account Lake Formation permission grants don't use AWS RAM to share data. User must have glue:PutResourcePolicy permission.

Benefits from updating versions: Scalable cross-account setup by optimal utilization of AWS RAM capacity.

Considerations when updating versions: Users who want to grant cross-account Lake Formation permissions must have the permissions in the AWSLakeFormationCrossAccountManager AWS managed policy. Otherwise, they need the ram:AssociateResourceShare and ram:DisassociateResourceShare permissions to share resources with another account successfully.

Version 3

Named resource method: Optimizes the number of AWS RAM resource shares by mapping multiple cross-account permission grants with one AWS RAM resource share. User does not require additional permissions.

LF-TBAC method: Lake Formation uses AWS RAM for cross-account grants. The recipient must accept resource share invitations from AWS RAM. User does not require additional permissions.

Benefits from updating versions: Supports the following capabilities:

  • Allows sharing resources explicitly with an IAM principal in an external account.

    For more information, see Granting and revoking permissions on Data Catalog resources.

  • Enables cross-account shares using LF-TBAC method to Organizations or organizational units (OUs).

  • Removes the overhead of maintaining additional AWS Glue policies for cross-account grants.

Considerations when updating versions: If the grantor uses a version lower than version 3 and the recipient is using version 3 or higher, the grantor receives the following error message: "Invalid cross account grant request. Consumer account has opt-in to cross account version: v3. Please update CrossAccountVersion in DataLakeSetting to minimal version v3 (Service: AmazonDataCatalog; Status Code: 400; Error Code: InvalidInputException)". However, if the grantor uses version 3 and the recipient is using version 1 or version 2, the cross-account grants go through successfully.

To share resources directly with IAM principals in another account, only the grantor needs to use version 3.
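The version compatibility, target and permission rules in the sections above can be checked before a grant is attempted. The following is an added example written for this page, not AWS code: it encodes those rules as a preflight check, and its function names, the target and method labels, and the sample policy (a copy of the inline policy shown under Required permissions for updating cross-account version settings) are this example's own constructs. The treatment of version 3 LF-TBAC grants as needing the same RAM actions as named-resource grants is an assumption noted in the code.

```python
"""Preflight checks for a planned cross-account Lake Formation grant.

Added example, not AWS code: it encodes the version, target and
permission rules from this page so an administrator can check a grant
before running it. Names and labels are this example's own.
"""
from fnmatch import fnmatch

# Prerequisite for every version: the AWS managed policy named on the page.
MANAGED_POLICY = "AWSLakeFormationCrossAccountManager"

# RAM actions from the page's inline policy for grantors on version 2 or
# later who do not use the managed policy.
RAM_ACTIONS = frozenset({
    "ram:AssociateResourceShare",
    "ram:DisassociateResourceShare",
    "ram:GetResourceShares",
})


def grant_allowed(grantor_version: int, recipient_version: int) -> bool:
    """Only one combination fails: grantor below 3 while recipient is on 3 or higher."""
    return not (grantor_version < 3 and recipient_version >= 3)


def minimum_grantor_version(target: str, method: str) -> int:
    """Lowest grantor version for a share target; the recipient's version does not matter.

    Sharing directly with an IAM principal, and LF-TBAC shares to an
    Organization or OU, need version 3; anything else works from version 1.
    """
    if target == "iam_principal":
        return 3
    if method == "lf_tbac" and target in {"organization", "organizational_unit"}:
        return 3
    return 1


def extra_permissions(version: int, method: str, has_managed_policy: bool) -> set:
    """IAM actions the grantor needs when not using the managed policy.

    LF-TBAC grants on versions 1 and 2 go through AWS Glue resource policies
    and need glue:PutResourcePolicy; from version 2 on, a grantor without the
    managed policy needs the RAM actions. Assumption: version 3 LF-TBAC grants,
    which the page says use AWS RAM, fall under the same RAM requirement.
    """
    if has_managed_policy:
        return set()
    needed = set()
    if method == "lf_tbac" and version < 3:
        needed.add("glue:PutResourcePolicy")
    if version >= 2:
        needed |= RAM_ACTIONS
    return needed


def allowed_actions(policy: dict, candidates) -> set:
    """Subset of candidate actions that some Allow statement covers.

    Wildcards such as ram:* are honoured. Deny statements, resources and
    conditions (the page's policy is scoped to share names LakeFormation*)
    are not evaluated; this is a coarse audit, not an IAM simulator.
    """
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        for pattern in patterns:
            allowed.update(c for c in candidates if fnmatch(c, pattern))
    return allowed


def preflight(grantor_version, recipient_version, target, method,
              has_managed_policy, grantor_policy=None) -> list:
    """Return the reasons the planned grant would fail (empty list if none)."""
    problems = []
    if not grant_allowed(grantor_version, recipient_version):
        problems.append(f"recipient opted in to version {recipient_version}; "
                        "grantor must update CROSS_ACCOUNT_VERSION to 3")
    needed_version = minimum_grantor_version(target, method)
    if grantor_version < needed_version:
        problems.append(f"{method} share to {target} needs grantor version {needed_version}")
    needed = extra_permissions(grantor_version, method, has_managed_policy)
    missing = needed - allowed_actions(grantor_policy or {}, needed)
    if missing:
        problems.append("grantor is missing: " + ", ".join(sorted(missing)))
    return problems


# Constructed copy of the inline policy this page lists for grantors
# who do not use the managed policy.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": sorted(RAM_ACTIONS),
        "Resource": "*",
        "Condition": {"StringLike": {"ram:ResourceShareName": "LakeFormation*"}},
    }],
}

if __name__ == "__main__":
    # Grantor on version 2 sharing with a recipient that already opted in to version 3.
    print(preflight(2, 3, "account", "named_resource", True))
    # Grantor on version 3 sharing directly with an IAM principal, using the inline policy.
    print(preflight(3, 1, "iam_principal", "named_resource", False, PAGE_POLICY))
```

The first call reports that the grantor must move to version 3, matching the InvalidInputException case described above; the second returns no problems because version 3 on the grantor side is all that direct sharing with an IAM principal needs.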

Optimize AWS RAM resource shares

New versions (version 2 and above) of cross-account grants use AWS RAM capacity optimally to maximize cross-account usage. When you share a resource with an external AWS account or an IAM principal, Lake Formation may create a new resource share or associate the resource with an existing share. By associating with existing shares, Lake Formation reduces the number of resource share invitations a consumer needs to accept.

Enable AWS RAM shares via TBAC or share resources directly to principals

To share resources directly with IAM principals in another account or to enable TBAC cross-account shares to Organizations or organizational units, you need to update the Cross account version settings to version 3. For more information about AWS RAM resource limits, see Cross-account best practices and limitations.

Required permissions for updating cross-account version settings

If a cross-account permission grantor has the AWSLakeFormationCrossAccountManager managed IAM policy permissions, then no extra permission setup is required for the cross-account permission grantor role or principal. However, if the cross-account grantor is not using the managed policy, then the grantor role or principal must have the following IAM permissions for the new version of the cross-account grant to succeed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ram:AssociateResourceShare",
                "ram:DisassociateResourceShare",
                "ram:GetResourceShares"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ram:ResourceShareName": "LakeFormation*"
                }
            }
        }
    ]
}

To enable the new version

Follow these steps to update Cross account version settings through the AWS Lake Formation console or the AWS CLI.

Console
  1. Choose Version 2 or Version 3 under Cross account version settings on the Data catalog settings page. If you select Version 1, Lake Formation will use the default resource sharing mode.

  2. Choose Save.

AWS Command Line Interface (AWS CLI)

Use the put-data-lake-settings AWS CLI command to set the CROSS_ACCOUNT_VERSION parameter. Accepted values are 1, 2, and 3.

aws lakeformation put-data-lake-settings --region us-east-1 --data-lake-settings file://settings

The settings file contains:

{
    "DataLakeAdmins": [
        {
            "DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/test"
        }
    ],
    "CreateDatabaseDefaultPermissions": [],
    "CreateTableDefaultPermissions": [],
    "Parameters": {
        "CROSS_ACCOUNT_VERSION": "3"
    }
}

Important

Once you choose Version 2 or Version 3, all new named resource grants go through the new cross-account grant mode. To use AWS RAM capacity optimally for your existing cross-account shares, we recommend that you revoke the grants that were made with the older version and re-grant them in the new mode.
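Because put-data-lake-settings takes the whole settings document (the CLI example above carries DataLakeAdmins and the default-permission lists alongside the version parameter), a version change is safest when it starts from the current settings and alters only CROSS_ACCOUNT_VERSION. The following helper is an added example written for this page, not AWS code: it takes a document in the shape of the example above, changes only the version, warns about anything the proposed document would drop, and renders the file passed as --data-lake-settings. Function names are its own; the assumption that get-data-lake-settings returns the document under a "DataLakeSettings" key is noted where it is used.

```python
"""Change CROSS_ACCOUNT_VERSION without clobbering the rest of the settings.

Added example, not AWS code. Starts from an existing data lake settings
document, changes only the version parameter, checks the result and
renders the JSON file for put-data-lake-settings.
"""
import copy
import json

VALID_VERSIONS = ("1", "2", "3")


def unwrap(document: dict) -> dict:
    """Accept either a bare settings document or the get-data-lake-settings
    response shape, assumed here to be {"DataLakeSettings": {...}}."""
    return document.get("DataLakeSettings", document)


def current_version(settings: dict) -> str:
    """Version in effect; the page treats version 1 as the default mode."""
    return unwrap(settings).get("Parameters", {}).get("CROSS_ACCOUNT_VERSION", "1")


def with_cross_account_version(settings: dict, version: str) -> dict:
    """Return a copy of the settings with only CROSS_ACCOUNT_VERSION changed."""
    if version not in VALID_VERSIONS:
        raise ValueError(f"CROSS_ACCOUNT_VERSION must be one of {VALID_VERSIONS}, got {version!r}")
    updated = copy.deepcopy(unwrap(settings))
    updated.setdefault("Parameters", {})["CROSS_ACCOUNT_VERSION"] = version
    return updated


def admins(settings: dict) -> set:
    """Data lake administrator ARNs named in a settings document."""
    return {a["DataLakePrincipalIdentifier"] for a in unwrap(settings).get("DataLakeAdmins", [])}


def check_update(current: dict, proposed: dict) -> list:
    """Warnings an operator should see before putting the proposed document."""
    warnings = []
    dropped = admins(current) - admins(proposed)
    if dropped:
        warnings.append("proposed document drops data lake admins: " + ", ".join(sorted(dropped)))
    if current_version(proposed) < current_version(current):
        warnings.append("downgrading CROSS_ACCOUNT_VERSION: grants to recipients on a higher version will fail")
    for key in ("CreateDatabaseDefaultPermissions", "CreateTableDefaultPermissions"):
        if key in unwrap(current) and key not in unwrap(proposed):
            warnings.append(f"proposed document omits {key}")
    return warnings


def render_settings_file(settings: dict) -> str:
    """JSON text for the file passed as --data-lake-settings file://settings."""
    return json.dumps(unwrap(settings), indent=4)


def cli_command(region: str, path: str) -> list:
    """argv for the put-data-lake-settings invocation shown on this page."""
    return ["aws", "lakeformation", "put-data-lake-settings",
            "--region", region, "--data-lake-settings", f"file://{path}"]


# Constructed sample in the shape of the page's example, still on version 1.
SAMPLE_CURRENT = {
    "DataLakeSettings": {
        "DataLakeAdmins": [
            {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/test"}
        ],
        "CreateDatabaseDefaultPermissions": [],
        "CreateTableDefaultPermissions": [],
        "Parameters": {"CROSS_ACCOUNT_VERSION": "1"},
    }
}

if __name__ == "__main__":
    proposed = with_cross_account_version(SAMPLE_CURRENT, "3")
    for warning in check_update(SAMPLE_CURRENT, proposed):
        print("WARNING:", warning)
    with open("settings", "w", encoding="utf-8") as fh:
        fh.write(render_settings_file(proposed))
    print(" ".join(cli_command("us-east-1", "settings")))
```

Run stand-alone, the script writes a settings file equivalent to the one in the CLI example above and prints the command that applies it; replace SAMPLE_CURRENT with the real output of get-data-lake-settings to keep your actual administrators and default permissions intact.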