AWS service integrations with Lake Formation

You can use Lake Formation to manage database-, table-, and column-level access permissions on data stored in Amazon S3. After an Amazon S3 location is registered with Lake Formation, you can use AWS analytics services such as AWS Glue, Amazon Athena, Amazon Redshift Spectrum, and Amazon EMR to query the data in it. The following AWS services integrate with AWS Lake Formation and honor Lake Formation permissions: rather than reading Amazon S3 with the caller's own IAM permissions, an integrated service obtains temporary credentials from Lake Formation that are scoped to the data the principal has been granted. Data in locations that are not registered with Lake Formation remains controlled by IAM and Amazon S3 bucket policies alone.
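Whether the services in the table below actually enforce Lake Formation grants depends on two preconditions that are easy to miss: the table's Amazon S3 location must be registered, and the special IAM_ALLOWED_PRINCIPALS group (which keeps IAM-only access in effect) must have been revoked on the database and table. The following script is an added example, not code from the AWS documentation; it checks both conditions offline on constructed payloads shaped like the ListResources, ListPermissions, and GetTables API responses (the account ID, bucket, role, and table names are hypothetical), and load_live() shows the boto3 calls that fetch the same inputs from a real account.

```python
"""Audit of two preconditions under which integrated services honor Lake Formation.

Added example, not AWS code. Flags (1) tables whose S3 location is outside every
registered location, where IAM and S3 policy rather than Lake Formation remain the
effective control, and (2) grants to the special IAM_ALLOWED_PRINCIPALS group, which
keep IAM-only access in effect for that database or table until they are revoked.
"""
IAM_ALLOWED = "IAM_ALLOWED_PRINCIPALS"

# Constructed samples; the account ID, bucket, role and table names are hypothetical.
SAMPLE_REGISTERED = [  # lakeformation ListResources -> ResourceInfoList
    {"ResourceArn": "arn:aws:s3:::example-lake/curated/",
     "RoleArn": "arn:aws:iam::123456789012:role/LakeFormationRegistrationRole"},
    {"ResourceArn": "arn:aws:s3:::example-lake-logs",  # whole bucket registered
     "RoleArn": "arn:aws:iam::123456789012:role/LakeFormationRegistrationRole"},
]
SAMPLE_TABLES = [  # glue GetTables -> TableList, trimmed to the fields used here
    {"DatabaseName": "sales", "Name": "orders",
     "StorageDescriptor": {"Location": "s3://example-lake/curated/orders/"}},
    {"DatabaseName": "sales", "Name": "orders_staging",
     "StorageDescriptor": {"Location": "s3://example-lake/curated-staging/orders/"}},
    {"DatabaseName": "ops", "Name": "alb_logs",
     "StorageDescriptor": {"Location": "s3://example-lake-logs/alb/2024/"}},
]
SAMPLE_PERMISSIONS = [  # lakeformation ListPermissions -> PrincipalResourcePermissions
    {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/AnalystRole"},
     "Resource": {"Table": {"DatabaseName": "sales", "Name": "orders"}},
     "Permissions": ["SELECT"], "PermissionsWithGrantOption": []},
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED},
     "Resource": {"Database": {"Name": "sales"}},
     "Permissions": ["ALL"], "PermissionsWithGrantOption": ["ALL"]},
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED},
     "Resource": {"Table": {"DatabaseName": "sales", "Name": "orders"}},
     "Permissions": ["ALL"], "PermissionsWithGrantOption": []},
]


def _bucket_key(ref: str):
    """'s3://b/k/' or 'arn:aws:s3:::b/k/' -> ('b', 'k'); a bucket-only reference -> ('b', '')."""
    path = ref.split(":::", 1)[1] if ref.startswith("arn:") else ref[len("s3://"):]
    bucket, _, key = path.partition("/")
    return bucket, key.strip("/")

def is_registered(location: str, registered) -> bool:
    """True if `location` lies inside a registered location. Matching is on whole path
    components, so 'curated-staging/...' is not treated as being under 'curated/'."""
    bucket, key = _bucket_key(location)
    for res in registered:
        r_bucket, r_key = _bucket_key(res["ResourceArn"])
        if bucket == r_bucket and (r_key == "" or key == r_key or key.startswith(r_key + "/")):
            return True
    return False

def unregistered_tables(tables, registered) -> list:
    """'db.table' names whose data Lake Formation cannot gate (it has no credentials to vend)."""
    registered = list(registered)
    return [f'{t["DatabaseName"]}.{t["Name"]}' for t in tables
            if not is_registered(t["StorageDescriptor"]["Location"], registered)]

def _describe(resource: dict) -> str:
    if "Table" in resource:
        return f'table {resource["Table"]["DatabaseName"]}.{resource["Table"]["Name"]}'
    if "TableWithColumns" in resource:
        r = resource["TableWithColumns"]
        return f'columns of {r["DatabaseName"]}.{r["Name"]}'
    if "Database" in resource:
        return f'database {resource["Database"]["Name"]}'
    return ",".join(sorted(resource))

def iam_allowed_grants(permissions) -> list:
    """Resources still granted to IAM_ALLOWED_PRINCIPALS; there an analyst's grant is not
    yet the deciding control, because every IAM-permitted caller is allowed as well."""
    return [_describe(p["Resource"]) for p in permissions
            if p["Principal"].get("DataLakePrincipalIdentifier") == IAM_ALLOWED]

def _pages(call, key, **kwargs):
    """Follow NextToken on a boto3 list/get call and yield the items under `key`."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return

def load_live(region=None):
    """Same three inputs from a real account (needs boto3, credentials, glue:GetDatabases,
    glue:GetTables, lakeformation:ListResources and lakeformation:ListPermissions)."""
    import boto3
    lf = boto3.client("lakeformation", region_name=region)
    glue = boto3.client("glue", region_name=region)
    tables = [t for db in _pages(glue.get_databases, "DatabaseList")
              for t in _pages(glue.get_tables, "TableList", DatabaseName=db["Name"])]
    registered = list(_pages(lf.list_resources, "ResourceInfoList"))
    permissions = list(_pages(lf.list_permissions, "PrincipalResourcePermissions"))
    return tables, registered, permissions

if __name__ == "__main__":
    print("unregistered tables:", unregistered_tables(SAMPLE_TABLES, SAMPLE_REGISTERED))
    print("IAM_ALLOWED_PRINCIPALS grants:", iam_allowed_grants(SAMPLE_PERMISSIONS))
```

On the sample data the script reports sales.orders_staging as unregistered (its prefix only shares a string prefix with the registered curated/ location) and lists the sales database and the sales.orders table as still open to IAM_ALLOWED_PRINCIPALS, so the AnalystRole SELECT grant on sales.orders is not yet the control that decides access. Against a real account, replace the SAMPLE_* constants with the tuple returned by load_live().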

AWS Service | Integration details
AWS Glue

Reference topic: Using AWS Lake Formation with AWS Glue

AWS Glue and Lake Formation share the same Data Catalog. For console operations (such as viewing a list of tables) and all API operations, AWS Glue users can access only the databases and tables on which they have Lake Formation permissions.

Amazon Athena

Reference topic: Using AWS Lake Formation with Amazon Athena

Use Lake Formation to grant or revoke permission to read data in Amazon S3. When Amazon Athena users select the AWS Glue Data Catalog in the query editor, they can query only the databases, tables, and columns on which they have Lake Formation permissions. Queries that use manifest files are not supported.

Currently, Lake Formation doesn't support managing permissions on write operations such as VACUUM, MERGE, UPDATE, and OPTIMIZE on tables in open table formats, so a Lake Formation grant neither allows nor restricts those operations.

In addition to principals who authenticate with Athena through AWS Identity and Access Management (IAM), Lake Formation supports Athena users who connect through the JDBC or ODBC driver and authenticate through SAML; in that case the SAML federated user or group is the principal to which you grant Lake Formation permissions. Supported SAML providers include Okta and Microsoft Active Directory Federation Services (AD FS).

Amazon Redshift Spectrum

Reference topic: Using AWS Lake Formation with Amazon Redshift Spectrum

When Amazon Redshift users create an external schema on a database in the AWS Glue Data Catalog, they can query only the tables and columns in that schema on which they have Lake Formation permissions. The principal that Lake Formation evaluates is the IAM role specified for the external schema, so that role, not the individual Amazon Redshift user, must hold the Lake Formation grants.

Amazon QuickSight Enterprise Edition

Reference: Using AWS Lake Formation with Amazon QuickSight

When an Amazon QuickSight Enterprise Edition user queries a dataset in an Amazon S3 location, the user must have the Lake Formation SELECT permission on the data. You grant it to the QuickSight user or group, identified by its Amazon QuickSight ARN, as the Lake Formation principal.

Amazon EMR

Reference: Using AWS Lake Formation with Amazon EMR

You can enforce Lake Formation permissions when you create an Amazon EMR cluster with a runtime role.

A runtime role is an IAM role that you associate with an Amazon EMR job or query. Amazon EMR uses that role, rather than the cluster's EC2 instance profile, to access AWS resources, and Lake Formation evaluates its permissions against that role.

Lake Formation also works with AWS Key Management Service (AWS KMS) so that you can more easily set up these integrated services to encrypt and decrypt data in Amazon Simple Storage Service (Amazon S3) locations. For a location encrypted with a customer managed KMS key, the IAM role used to register that location with Lake Formation must also be allowed to use the key; otherwise the credentials Lake Formation vends to the integrated service cannot decrypt the data.