Lake Formation personas and IAM permissions reference

This section lists some suggested Lake Formation personas and their suggested AWS Identity and Access Management (IAM) permissions. For information about Lake Formation permissions, see Lake Formation permissions reference.

AWS Lake Formation personas

The following table lists the suggested AWS Lake Formation personas.

Lake Formation Personas
Persona	Description
IAM administrator (superuser)	(Required) User who can create IAM users and roles. Has the AdministratorAccess AWS managed policy. Has all permissions on all Lake Formation resources. Can add data lake administrators. Cannot grant Lake Formation permissions if not also designated a data lake administrator.
Data lake administrator	(Required) User who can register Amazon S3 locations, access the Data Catalog, create databases, create and run workflows, grant Lake Formation permissions to other users, and view AWS CloudTrail logs. Has fewer IAM permissions than the IAM administrator, but enough to administer the data lake. Cannot add other data lake administrators.
Read only administrator	(Optional) User who can view principals, Data Catalog resources, permissions, and AWS CloudTrail logs, without the permissions to make updates.
Data engineer	(Optional) User who can create databases, create and run crawlers and workflows, and grant Lake Formation permissions on the Data Catalog tables that the crawlers and workflows create. We recommend that you make all data engineers database creators. For more information, see Creating a database.
Data analyst	(Optional) User who can run queries against the data lake using, for example, Amazon Athena. Has only enough permissions to run queries.
Workflow role	(Required) Role that runs a workflow on behalf of a user. You specify this role when you create a workflow from a blueprint.

AWS managed policies for Lake Formation

You can grant the AWS Identity and Access Management (IAM) permissions that are required to work with AWS Lake Formation by using AWS managed policies and inline policies. The following AWS managed policies are available for Lake Formation.

AWS managed policy:AWSLakeFormationDataAdmin

AWSLakeFormationDataAdmin policy grants administrative access to AWS Lake Formation and related services such as AWS Glue to manage data lakes.

You can attach AWSLakeFormationDataAdmin to your users, groups, and roles.

Permission details

• CloudTrail – Allows principals to view AWS CloudTrail logs. This is required to review any errors in the set up of the data lake.

• Glue – Allows principals to view, create, and update metadata tables and databases in Data Catalog. This includes API operations that start with Get, List, Create, Update, Delete, and Search. This is required to manage the metadata of the data lake tables.

• IAM – Allows principals to retrieve information about IAM users, roles, and policies attached to the roles. This is required for the data admin to review and list IAM users and roles to grant Lake Formation permissions.

• Lake Formation – Grants data lake admins required Lake Formation permissions to manage data lakes.

• S3 – Allows principals to retrieve information about Amazon S3 buckets and their locations in order to set up the data location for data lakes.

"Statement": [
        {
            "Sid": "AWSLakeFormationDataAdminAllow",
            "Effect": "Allow",
            "Action": [
                "lakeformation:*",
                "cloudtrail:DescribeTrails",
                "cloudtrail:LookupEvents",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:CreateDatabase",
                "glue:UpdateDatabase",
                "glue:DeleteDatabase",
                "glue:GetConnections",
                "glue:SearchTables",
                "glue:GetTable",
                "glue:CreateTable",
                "glue:UpdateTable",
                "glue:DeleteTable",
                "glue:GetTableVersions",
                "glue:GetPartitions",
                "glue:GetTables",
                "glue:ListWorkflows",
                "glue:BatchGetWorkflows",
                "glue:DeleteWorkflow",
                "glue:GetWorkflowRuns",
                "glue:StartWorkflowRun",
                "glue:GetWorkflow",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "s3:GetBucketAcl",
                "iam:ListUsers",
                "iam:ListRoles",
                "iam:GetRole",
                "iam:GetRolePolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AWSLakeFormationDataAdminDeny",
            "Effect": "Deny",
            "Action": [
                "lakeformation:PutDataLakeSettings"
            ],
                "Resource": "*"
        }
    ]
}
            

Note

The AWSLakeFormationDataAdmin policy does not grant every required permission for data lake administrators. Additional permissions are needed to create and run workflows and register locations with the service linked role AWSServiceRoleForLakeFormationDataAccess. For more information, see Create a data lake administrator and Using service-linked roles for Lake Formation.

AWS managed policy:AWSLakeFormationCrossAccountManager

AWSLakeFormationCrossAccountManager policy provides cross account access to AWS Glue resources via Lake Formation, and grants read access to other required services such as AWS Organizations and AWS RAM.

You can attach AWSLakeFormationCrossAccountManager to your users, groups, and roles.

Permission details

This policy includes the following permissions.

• Glue – Allows principals to set or delete the Data Catalog resource policy for access control.

• Organizations – Allows principals to retrieve account and organizational unit (OU) information for an organization.

• ram:CreateResourceShare – Allows principals to create a resource share.

• ram:UpdateResourceShare –Allows principals to modify some properties of the specified resource share.

• ram:DeleteResourceShare – Allows principals to delete the specified resource share.

• ram:AssociateResourceShare – Allows principals to add the specified list of principals and list of resources to a resource share.

• ram:DisassociateResourceShare – Allows principals to remove the specified principals or resources from participating in the specified resource share.

• ram:GetResourceShares– Allows principals to retrieve details about the resource shares that you own or that are shared with you.

• ram:RequestedResourceType – Allows principals to retrieve the resource type (database, table or catalog).

• AssociateResourceSharePermission – Allows principals to add or replace the AWS RAM permission for a resource type included in a resource share. You can have exactly one permission associated with each resource type in the resource share.

{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "AllowCreateResourceShare",
            "Effect": "Allow",
            "Action": [
                "ram:CreateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "StringLikeIfExists": {
                    "ram:RequestedResourceType": [
                        "glue:Table",
                        "glue:Database",
                        "glue:Catalog"
                    ]
                }
            }
        },
        {
            "Sid": "AllowManageResourceShare",
            "Effect": "Allow",
            "Action": [
                "ram:UpdateResourceShare",
                "ram:DeleteResourceShare",
                "ram:AssociateResourceShare",
                "ram:DisassociateResourceShare",
                "ram:GetResourceShares"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ram:ResourceShareName": [
                        "LakeFormation*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowManageResourceSharePermissions",
            "Effect": "Allow",
            "Action": [
                "ram:AssociateResourceSharePermission"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ram:PermissionArn": [
                        "arn:aws:ram::aws:permission/AWSRAMLFEnabled*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowXAcctManagerPermissions",
            "Effect": "Allow",
            "Action": [
                "glue:PutResourcePolicy",
                "glue:DeleteResourcePolicy",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount",
                "ram:Get*",
                "ram:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowOrganizationsPermissions",
            "Effect": "Allow",
            "Action": [
                "organizations:ListRoots",
                "organizations:ListAccountsForParent",
                "organizations:ListOrganizationalUnitsForParent"
            ],
            "Resource": "*"
        }
    ]
}
            

AWS managed policy:AWSGlueConsoleFullAccess

AWSGlueConsoleFullAccess policy grants full access to AWS Glue resources when an identity that the policy is attached to uses the AWS Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the AWS Glue console.

In addition, AWS Glue and Lake Formation assume the service role AWSGlueServiceRole to allow access to related services, including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), and Amazon CloudWatch.

AWS managed policy:LakeFormationDataAccessServiceRolePolicy

This policy is attached to a service-linked role named ServiceRoleForLakeFormationDataAccess that allows the service to perform actions on resources at your request. You can't attach this policy to your IAM identities.

This policy allows the Lake Formation integrated AWS services such as Amazon Athena or Amazon Redshift to use the service-linked role to discover Amazon S3 resources.

For more information see, Using service-linked roles for Lake Formation.

Permission details

This policy includes the following permission.

• s3:ListAllMyBuckets – Returns a list of all buckets owned by the authenticated sender of the request.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "LakeFormationDataAccessServiceRolePolicy",
			"Effect": "Allow",
			"Action": [
				"s3:ListAllMyBuckets"
			],
			"Resource": [
				"arn:aws:s3:::*"
			]
		}
	]
}              
            

Lake Formation updates to AWS managed policies

View details about updates to AWS managed policies for Lake Formation since this service began tracking these changes.

Change	Description	Date
Lake Formation updated AWSLakeFormationCrossAccountManager policy.	Lake Formation enhanced the AWSLakeFormationCrossAccountManager policy by adding Sid elements to the policy statement.	March, 2024
Lake Formation updated AWSLakeFormationDataAdmin policy.	Lake Formation enhanced the AWSLakeFormationDataAdmin policy by adding a Sid element to the policy statement and removing a redundant action.	March, 2024
Lake Formation updated LakeFormationDataAccessServiceRolePolicy policy.	Lake Formation enhanced the LakeFormationDataAccessServiceRolePolicy policy by adding a Sid element to the policy statement.	February, 2024
Lake Formation updated AWSLakeFormationCrossAccountManager policy.	Lake Formation enhanced the AWSLakeFormationCrossAccountManager policy by adding a new permission to enable cross-account data sharing in hybrid access mode.	October, 2023
Lake Formation updated AWSLakeFormationCrossAccountManager policy.	Lake Formation enhanced the AWSLakeFormationCrossAccountManager policy to create only one resource share per recipient account when the a resource is first shared. All resources shared thereafter with the same account are attached to the same resource share.	May 6, 2022
Lake Formation started tracking changes.	Lake Formation started tracking changes for its AWS managed policies.	May 6, 2022

Personas suggested permissions

The following are the suggested permissions for each persona. The IAM administrator is not included because that user has all permissions on all resources.

Data lake administrator permissions

Important

In the following policies, replace <account-id> with a valid AWS account number, and replace <workflow_role> with the name of a role that has permissions to run a workflow, as defined in Workflow role permissions.

Policy Type	Policy
AWS managed policies	AWSLakeFormationDataAdmin LakeFormationDataAccessServiceRolePolicy (service-linked role policy) AWSGlueConsoleFullAccess (Optional) CloudWatchLogsReadOnlyAccess (Optional) AWSLakeFormationCrossAccountManager (Optional) AmazonAthenaFullAccess (Optional) For information about the optional AWS managed policies, see Create a data lake administrator.
Inline policy (for creating the Lake Formation service-linked role)	{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "lakeformation.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "iam:PutRolePolicy" ], "Resource": "arn:aws:iam::<account-id>:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess" } ] }
(Optional) Inline policy (passrole policy for the workflow role). This is required only if the data lake administrator creates and runs workflows.	{ "Version": "2012-10-17", "Statement": [ { "Sid": "PassRolePermissions", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::<account-id>:role/<workflow_role>" ] } ] }
(Optional) Inline policy (if your account is granting or receiving cross-account Lake Formation permissions). This policy is for accepting or rejecting AWS RAM resource share invitations, and for enabling the granting of cross-account permissions to organizations. ram:EnableSharingWithAwsOrganization is required only for data lake administrators in the AWS Organizations management account.	{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ram:AcceptResourceShareInvitation", "ram:RejectResourceShareInvitation", "ec2:DescribeAvailabilityZones", "ram:EnableSharingWithAwsOrganization" ], "Resource": "*" } ] }

Read only administrator permissions

Policy type

Policy

Inline policy (basic)

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "lakeformation:GetEffectivePermissionsForPath", "lakeformation:ListPermissions", "lakeformation:ListDataCellsFilter", "lakeformation:GetDataCellsFilter", "lakeformation:SearchDatabasesByLFTags", "lakeformation:SearchTablesByLFTags", "lakeformation:GetLFTag", "lakeformation:ListLFTags", "lakeformation:GetResourceLFTags", "lakeformation:ListLakeFormationOptins", "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents", "glue:GetDatabase", "glue:GetDatabases", "glue:GetConnections", "glue:SearchTables", "glue:GetTable", "glue:GetTableVersions", "glue:GetPartitions", "glue:GetTables", "glue:GetWorkflow", "glue:ListWorkflows", "glue:BatchGetWorkflows", "glue:GetWorkflowRuns", "glue:GetWorkflow", "s3:ListBucket", "s3:GetBucketLocation", "s3:ListAllMyBuckets", "s3:GetBucketAcl", "iam:ListUsers", "iam:ListRoles", "iam:GetRole", "iam:GetRolePolicy" ], "Resource":"*" }, { "Effect":"Deny", "Action":[ "lakeformation:PutDataLakeSettings" ], "Resource":"*" } ] }

Data engineer permissions

Important

In the following policies, replace <account-id> with a valid AWS account number, and replace <workflow_role> with the name of the workflow role.

Policy Type	Policy
AWS managed policy	AWSGlueConsoleFullAccess
Inline policy (basic)	{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "lakeformation:GetDataAccess", "lakeformation:GrantPermissions", "lakeformation:RevokePermissions", "lakeformation:BatchGrantPermissions", "lakeformation:BatchRevokePermissions", "lakeformation:ListPermissions", "lakeformation:AddLFTagsToResource", "lakeformation:RemoveLFTagsFromResource", "lakeformation:GetResourceLFTags", "lakeformation:ListLFTags", "lakeformation:GetLFTag", "lakeformation:SearchTablesByLFTags", "lakeformation:SearchDatabasesByLFTags", "lakeformation:GetWorkUnits", "lakeformation:GetWorkUnitResults", "lakeformation:StartQueryPlanning", "lakeformation:GetQueryState", "lakeformation:GetQueryStatistics" ], "Resource": "*" } ] }
Inline policy (for operations on governed tables, including operations within transactions)	{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "lakeformation:StartTransaction", "lakeformation:CommitTransaction", "lakeformation:CancelTransaction", "lakeformation:ExtendTransaction", "lakeformation:DescribeTransaction", "lakeformation:ListTransactions", "lakeformation:GetTableObjects", "lakeformation:UpdateTableObjects", "lakeformation:DeleteObjectsOnCancel" ], "Resource": "*" } ] }
Inline policy (for metadata access control using the Lake Formation tag-based access control (LF-TBAC) method)	{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "lakeformation:AddLFTagsToResource", "lakeformation:RemoveLFTagsFromResource", "lakeformation:GetResourceLFTags", "lakeformation:ListLFTags", "lakeformation:GetLFTag", "lakeformation:SearchTablesByLFTags", "lakeformation:SearchDatabasesByLFTags" ], "Resource": "*" } ] }
Inline policy (passrole policy for the workflow role)	{ "Version": "2012-10-17", "Statement": [ { "Sid": "PassRolePermissions", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::<account-id>:role/<workflow_role>" ] } ] }

Data analyst permissions

Policy Type	Policy
AWS managed policy	AmazonAthenaFullAccess
Inline policy (basic)	{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "lakeformation:GetDataAccess", "glue:GetTable", "glue:GetTables", "glue:SearchTables", "glue:GetDatabase", "glue:GetDatabases", "glue:GetPartitions", "lakeformation:GetResourceLFTags", "lakeformation:ListLFTags", "lakeformation:GetLFTag", "lakeformation:SearchTablesByLFTags", "lakeformation:SearchDatabasesByLFTags" ], "Resource": "*" } ] }
(Optional) Inline policy (for operations on governed tables, including operations within transactions)	{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "lakeformation:StartTransaction", "lakeformation:CommitTransaction", "lakeformation:CancelTransaction", "lakeformation:ExtendTransaction", "lakeformation:DescribeTransaction", "lakeformation:ListTransactions", "lakeformation:GetTableObjects", "lakeformation:UpdateTableObjects", "lakeformation:DeleteObjectsOnCancel" ], "Resource": "*" } ] }

Workflow role permissions

This role has the permissions required to run a workflow. You specify a role with these permissions when you create a workflow.

Important

In the following policies, replace <region> with a valid AWS Region identifier (for example us-east-1), <account-id> with a valid AWS account number, <workflow_role> with the name of the workflow role, and <your-s3-cloudtrail-bucket> with the Amazon S3 path to your AWS CloudTrail logs.

Policy Type	Policy
AWS managed policy	AWSGlueServiceRole
Inline policy (data access)	{ "Version": "2012-10-17", "Statement": [ { "Sid": "Lakeformation", "Effect": "Allow", "Action": [ "lakeformation:GetDataAccess", "lakeformation:GrantPermissions" ], "Resource": "*" } ] }
Inline policy (passrole policy for the workflow role)	{ "Version": "2012-10-17", "Statement": [ { "Sid": "PassRolePermissions", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::<account-id>:role/<workflow_role>" ] } ] }
Inline policy (for ingesting data outside the data lake, for example, AWS CloudTrail logs)	{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": ["arn:aws:s3:::<your-s3-cloudtrail-bucket>/*"] } ] }