Methods for fine-grained access control

With a data lake, the goal is to have fine-grained access control to data. In Lake Formation, this means fine-grained access control to Data Catalog resources and Amazon S3 locations. You can achieve fine-grained access control with one of the following methods.

Method Lake Formation Permissions IAM Permissions Comments

Method 1

Open

Fine-grained

Method	Lake Formation Permissions	IAM Permissions	Comments
Method 1	Open	Fine-grained	This is the default method for backward compatibility with AWS Glue. Open means that the special permission `Super` is granted to the group `IAMAllowedPrincipals`, where `IAMAllowedPrincipals` is automatically created and includes any IAM users and roles that are allowed access to your Data Catalog resources by your IAM policies, and the `Super` permission enables a principal to perform every supported Lake Formation operation on the database or table on which it is granted. This effectively causes access to Data Catalog resources and Amazon S3 locations to be controlled solely by IAM policies. For more information, see Changing the default settings for your data lake and Upgrading AWS Glue data permissions to the AWS Lake Formation model. Fine-grained means that IAM policies control all access to Data Catalog resources and to individual Amazon S3 buckets. On the Lake Formation console, this method appears as Use only IAM access control.
Method 2	Fine-grained	Coarse-grained	This is the recommended method. Fine-grained access means granting limited Lake Formation permissions to individual principals on Data Catalog resources, Amazon S3 locations, and the underlying data in those locations. Coarse-grained means broader permissions on individual operations and on access to Amazon S3 locations. For example, a coarse-grained IAM policy might include `"glue:"` or `"glue:Create"` rather than `"glue:CreateTables"`, leaving Lake Formation permissions to control whether or not a principal can create catalog objects. It also means giving principals access to the APIs that they need to do their work, but locking down other APIs and resources. For example, you might create an IAM policy that enables a principal to create Data Catalog resources and create and run workflows, but doesn't enable creation of AWS Glue connections or user-defined functions. See the examples later in this section.

This is the default method for backward compatibility with AWS Glue.

Open means that the special permission Super is granted to the group IAMAllowedPrincipals, where IAMAllowedPrincipals is automatically created and includes any IAM users and roles that are allowed access to your Data Catalog resources by your IAM policies, and the Super permission enables a principal to perform every supported Lake Formation operation on the database or table on which it is granted. This effectively causes access to Data Catalog resources and Amazon S3 locations to be controlled solely by IAM policies. For more information, see Changing the default settings for your data lake and Upgrading AWS Glue data permissions to the AWS Lake Formation model.
Fine-grained means that IAM policies control all access to Data Catalog resources and to individual Amazon S3 buckets.

On the Lake Formation console, this method appears as Use only IAM access control.

Method 2

Fine-grained

Coarse-grained

This is the recommended method.

Fine-grained access means granting limited Lake Formation permissions to individual principals on Data Catalog resources, Amazon S3 locations, and the underlying data in those locations.
Coarse-grained means broader permissions on individual operations and on access to Amazon S3 locations. For example, a coarse-grained IAM policy might include "glue:*" or "glue:Create*" rather than "glue:CreateTables", leaving Lake Formation permissions to control whether or not a principal can create catalog objects. It also means giving principals access to the APIs that they need to do their work, but locking down other APIs and resources. For example, you might create an IAM policy that enables a principal to create Data Catalog resources and create and run workflows, but doesn't enable creation of AWS Glue connections or user-defined functions. See the examples later in this section.

Important

Be aware of the following:

By default, Lake Formation has the Use only IAM access control settings enabled for compatibility with existing AWS Glue Data Catalog behavior. We recommend that you disable these settings after you transition to using Lake Formation permissions. For more information, see Changing the default settings for your data lake.
Data lake administrators and database creators have implicit Lake Formation permissions that you must understand. For more information, see Implicit Lake Formation permissions.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Overview of Lake Formation permissions

Metadata access control