Registering an Amazon S3 Location - AWS Lake Formation

Registering an Amazon S3 Location

You must specify an AWS Identity and Access Management (IAM) role when you register an Amazon Simple Storage Service (Amazon S3) location. Lake Formation assumes that role when it grants temporary credentials to integrated AWS services that access the data in that location.


Avoid registering an Amazon S3 bucket that has Requester pays enabled. For buckets registered with Lake Formation, the role used to register the bucket is always viewed as the requester. If the bucket is accessed by another AWS account, the bucket owner is charged for data access if the role belongs to the same account as the bucket owner.

You can use the AWS Lake Formation console, Lake Formation API, or AWS Command Line Interface (AWS CLI) to register an Amazon S3 location.

Before You Begin

Review the requirements for the role used to register the location.

To register a location (console)


The following procedures assume that the Amazon S3 location is in the same AWS account as the Data Catalog and that the data in the location is not encrypted. Other sections in this chapter cover cross-account registration and registration of encrypted locations.

  1. Open the AWS Lake Formation console. Sign in as the data lake administrator or as a user with the lakeformation:RegisterResource IAM permission.

  2. In the navigation pane, under Register and Ingest, choose Data lake locations.

  3. Choose Register location, and then choose Browse to select an Amazon Simple Storage Service (Amazon S3) path.

  4. (Optional, but strongly recommended) Choose Review location permissions to view a list of all existing resources in the selected Amazon S3 location and their permissions.

    Registering the selected location might result in your Lake Formation users gaining access to data already at that location. Viewing this list helps you ensure that existing data remains secure.

  5. For IAM role, choose either the AWSServiceRoleForLakeFormationDataAccess service-linked role (the default) or a custom IAM role that meets the requirements in Requirements for Roles Used to Register Locations.

  6. Choose Register location.

To register a location (AWS CLI)

  • Enter the following CLI command. Replace <s3-path> with a valid Amazon S3 path.

    aws lakeformation register-resource --resource-arn arn:aws:s3:::<s3-path> --use-service-linked-role

    This command uses the service-linked role to register the location. You can use the --role-arn argument instead to supply your own role.

    For more information, see RegisterResource Action (Python: register_resource).
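A pre-flight wrapper around the CLI command above, as an added example that is not AWS's own code: it refuses to register a location whose bucket has Requester Pays enabled, and fails closed when the bucket's request-payment setting cannot be read. The function names and exit codes are assumptions of this example; the path is given as bucket/prefix, as in the command above.

```bash
# Added example; helper names and exit codes are hypothetical, not part of the AWS CLI.

# Print the bucket name from an S3 path of the form "bucket/prefix".
s3_bucket_of() {
  printf '%s\n' "${1%%/*}"
}

# Exit status 0: bucket owner pays; 1: Requester Pays enabled; 2: setting unreadable.
check_requester_pays() {
  local payer
  payer=$(aws s3api get-bucket-request-payment --bucket "$1" \
            --query Payer --output text) || return 2
  [ "$payer" = "BucketOwner" ] || return 1
}

# Usage: register_location <bucket/prefix> [role-arn]
# Without a role ARN the service-linked role is used, as in the command above.
register_location() {
  local path role_arn bucket rc
  path="$1"; role_arn="${2:-}"; rc=0
  case $path in
    ''|s3://*|arn:*|/*)
      echo "expected bucket/prefix, got: $path" >&2; return 64 ;;
  esac
  bucket=$(s3_bucket_of "$path")
  check_requester_pays "$bucket" || rc=$?
  case $rc in
    0) ;;
    1) echo "refusing: $bucket has Requester Pays enabled" >&2; return 1 ;;
    *) echo "refusing: cannot read request-payment setting of $bucket" >&2; return 2 ;;
  esac
  if [ -n "$role_arn" ]; then
    aws lakeformation register-resource \
      --resource-arn "arn:aws:s3:::$path" --role-arn "$role_arn"
  else
    aws lakeformation register-resource \
      --resource-arn "arn:aws:s3:::$path" --use-service-linked-role
  fi
}
```

The caller needs s3:GetBucketRequestPayment on the bucket in addition to lakeformation:RegisterResource.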