Granting access with SQL semantics - Amazon Simple Storage Service

Granting access with SQL semantics

You can grant permissions to tables using SQL semantics (for example, CREATE, INSERT, DELETE, UPDATE, and ALTER) in table and table bucket policies. The following table lists the IAM API actions associated with each SQL operation that you can grant to your users.

S3 Tables only partially supports permissions using SQL semantics. For example, the CreateTable API only creates an empty table in the table bucket. You need additional permissions, such as UpdateTableMetadataLocation, PutTableData, and GetTableMetadataLocation, to be able to set the table schema. These additional permissions also mean that you are granting the user access to insert rows in the table. If you wish to govern access purely based on SQL semantics, then we recommend using AWS Lake Formation or any third-party solution that is integrated with S3 Tables.

Table-level activity   IAM actions
SELECT                 s3tables:GetTableData, s3tables:GetTableMetadataLocation
CREATE                 s3tables:CreateTable, s3tables:UpdateTableMetadataLocation, s3tables:PutTableData, s3tables:GetTableMetadataLocation
INSERT                 s3tables:UpdateTableMetadataLocation, s3tables:PutTableData, s3tables:GetTableMetadataLocation
UPDATE                 s3tables:UpdateTableMetadataLocation, s3tables:PutTableData, s3tables:GetTableMetadataLocation
ALTER, RENAME          s3tables:UpdateTableMetadataLocation, s3tables:PutTableData, s3tables:GetTableMetadataLocation, s3tables:RenameTable
DELETE, DROP           s3tables:DeleteTable, s3tables:UpdateTableMetadataLocation, s3tables:PutTableData, s3tables:GetTableMetadataLocation
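The following added example (not part of the AWS documentation) is a small policy-review helper that maps the s3tables actions allowed by a policy back to the SQL operations in the table above, to make the caveat concrete: a policy written to grant only CREATE also satisfies every action INSERT and UPDATE need. The mapping is copied from the table; the sample policy, account id, role name and table bucket ARN are constructed placeholders, and only Allow statements' Action lists are considered.

```python
import fnmatch
import json
# SQL operation -> s3tables actions it needs, copied from the table on this page.
SQL_TO_ACTIONS = {
    "SELECT": {"s3tables:GetTableData", "s3tables:GetTableMetadataLocation"},
    "CREATE": {"s3tables:CreateTable", "s3tables:UpdateTableMetadataLocation",
               "s3tables:PutTableData", "s3tables:GetTableMetadataLocation"},
    "INSERT": {"s3tables:UpdateTableMetadataLocation", "s3tables:PutTableData",
               "s3tables:GetTableMetadataLocation"},
    "UPDATE": {"s3tables:UpdateTableMetadataLocation", "s3tables:PutTableData",
               "s3tables:GetTableMetadataLocation"},
    "ALTER/RENAME": {"s3tables:UpdateTableMetadataLocation", "s3tables:PutTableData",
                     "s3tables:GetTableMetadataLocation", "s3tables:RenameTable"},
    "DELETE/DROP": {"s3tables:DeleteTable", "s3tables:UpdateTableMetadataLocation",
                    "s3tables:PutTableData", "s3tables:GetTableMetadataLocation"},
}

def _action_matches(pattern, action):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allowed_action_patterns(policy):
    """Action patterns from Allow statements only. Deny, NotAction, Resource and
    Condition are ignored: this is a coarse review aid, not an IAM evaluator."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        acts = stmt["Action"]
        patterns.update([acts] if isinstance(acts, str) else acts)
    return patterns

def effective_sql_ops(policy):
    """Map each SQL operation to True when every action it needs is allowed."""
    patterns = allowed_action_patterns(policy)
    return {op: all(any(_action_matches(p, a) for p in patterns) for a in needed)
            for op, needed in SQL_TO_ACTIONS.items()}

# Constructed sample: a policy meant to grant only CREATE. Account id, role and
# table bucket ARN are placeholders.
CREATE_ONLY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/analyst"},
  "Action": ["s3tables:CreateTable", "s3tables:UpdateTableMetadataLocation",
             "s3tables:PutTableData", "s3tables:GetTableMetadataLocation"],
  "Resource": "arn:aws:s3tables:us-east-1:111122223333:bucket/example-bucket/table/*"}]}""")

if __name__ == "__main__":
    for op, ok in effective_sql_ops(CREATE_ONLY_POLICY).items():
        print(f"{op:13s} {'granted' if ok else 'not granted'}")
```

Run against the sample, CREATE, INSERT and UPDATE all report as granted while SELECT does not, because GetTableData is absent; a wildcard such as s3tables:* lights up every row.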