IAM Permissions Required to Grant or Revoke Lake Formation Permissions - AWS Lake Formation

IAM Permissions Required to Grant or Revoke Lake Formation Permissions

All principals, including the data lake administrator, need the following AWS Identity and Access Management (IAM) permissions to grant or revoke AWS Lake Formation Data Catalog permissions or data location permissions with the Lake Formation API or the AWS CLI:

  • lakeformation:GrantPermissions

  • lakeformation:BatchGrantPermissions

  • lakeformation:RevokePermissions

  • lakeformation:BatchRevokePermissions

  • glue:GetTable or glue:GetDatabase for a table or database that you're granting permissions on with the named resource method


Data lake administrators have implicit Lake Formation permissions to grant and revoke Lake Formation permissions. But they still need the IAM permissions on the Lake Formation grant and revoke API operations.

The following IAM policy is recommended for principals who are not data lake administrators and who want to grant or revoke permissions using the Lake Formation console.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "lakeformation:ListPermissions", "lakeformation:GrantPermissions", "lakeformation:BatchGrantPermissions", "lakeformation:RevokePermissions", "lakeformation:BatchRevokePermissions", "glue:GetDatabases", "glue:SearchTables", "glue:GetTables", "glue:GetDatabase", "glue:GetTable", "iam:ListUsers", "iam:ListRoles" ], "Resource": "*" } ] }

All of the glue: and iam: permissions in this policy are available in the AWS managed policy AWSGlueConsoleFullAccess.

To grant permissions by using Lake Formation tag-based access control (LF-TBAC), principals need additional IAM permissions. For more information, see Lake Formation Tag-Based Access Control Permissions Model and Lake Formation Personas and IAM Permissions Reference.

Cross-Account Permissions

Users who want to grant cross-account Lake Formation permissions by using the named resource method must also have the permissions in the AWSLakeFormationCrossAccountManager AWS managed policy.

Data lake administrators need those same permissions for granting cross-account permissions, plus the AWS Resource Access Manager (AWS RAM) permission to enable granting permissions to organizations. For more information, see Data Lake Administrator Permissions.

The Administrative User

A principal with IAM administrative permissions—for example, with the AdministratorAccess AWS managed policy—has permissions to grant Lake Formation permissions and create data lake administrators. To deny a user or role access to Lake Formation administrator operations, attach or add into its policy a Deny statement for administrator API operations.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "lakeformation:GetDataLakeSettings", "lakeformation:PutDataLakeSettings" ], "Effect": "Deny", "Resource": [ "*" ] } ] }

To prevent users from adding themselves as an administrator with an extract, transform, and load (ETL) script, make sure that all non-administrator users and roles are denied access to these API operations.