Methods for fine-grained access control - AWS Lake Formation

Methods for fine-grained access control

With a data lake, the goal is to have fine-grained access control to data. In Lake Formation, this means fine-grained access control to Data Catalog resources and Amazon S3 locations. You can achieve fine-grained access control with one of the following methods.

Each method is characterized by its Lake Formation permissions and its IAM permissions, as follows.

Method 1 (Lake Formation permissions: Open; IAM permissions: Fine-grained)

This is the default method for backward compatibility with AWS Glue.

  • Open means that the special permission Super is granted to the group IAMAllowedPrincipals. This group is created automatically and includes any IAM users and roles that your IAM policies allow to access your Data Catalog resources; the Super permission lets a principal perform every supported Lake Formation operation on the database or table on which it is granted. The effect is that access to Data Catalog resources and Amazon S3 locations is controlled solely by IAM policies. For more information, see Changing the default settings for your data lake and Upgrading AWS Glue data permissions to the AWS Lake Formation model.

  • Fine-grained means that IAM policies control all access to Data Catalog resources and to individual Amazon S3 buckets.

On the Lake Formation console, this method appears as Use only IAM access control.

Method 2 (Lake Formation permissions: Fine-grained; IAM permissions: Coarse-grained)

This is the recommended method.

  • Fine-grained access means granting limited Lake Formation permissions to individual principals on Data Catalog resources, Amazon S3 locations, and the underlying data in those locations.

  • Coarse-grained means broader permissions on individual operations and on access to Amazon S3 locations. For example, a coarse-grained IAM policy might include "glue:*" or "glue:Create*" rather than "glue:CreateTable", leaving Lake Formation permissions to control whether a principal can create catalog objects. It also means giving principals access to the APIs that they need to do their work while locking down other APIs and resources. For example, you might create an IAM policy that enables a principal to create Data Catalog resources and to create and run workflows, but does not enable creation of AWS Glue connections or user-defined functions. See the examples later in this section.

Important

Be aware of the following:

  • By default, Lake Formation has the Use only IAM access control settings enabled for compatibility with existing AWS Glue Data Catalog behavior. We recommend that you disable these settings after you transition to using Lake Formation permissions. For more information, see Changing the default settings for your data lake.

  • Data lake administrators and database creators have implicit Lake Formation permissions that you must understand. For more information, see Implicit Lake Formation permissions.
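The following added example (not part of the AWS documentation) checks whether the Method 1 default is still in effect. It reads the JSON shapes returned by the Lake Formation GetDataLakeSettings and ListPermissions APIs, where IAMAllowedPrincipals appears as IAM_ALLOWED_PRINCIPALS and Super appears as ALL; the embedded samples are constructed so the check runs offline, and in practice you would feed it the output of those two API calls from your own account.

```python
import json

# In the API, the IAMAllowedPrincipals group appears under this identifier
# and the Super permission appears as "ALL".
IAM_ALLOWED = "IAM_ALLOWED_PRINCIPALS"
SUPER = "ALL"

# Constructed sample in the shape of GetDataLakeSettings output: both default
# grants still give Super to IAMAllowedPrincipals, i.e. Method 1 is still on.
SAMPLE_SETTINGS = {"DataLakeSettings": {
    "DataLakeAdmins": [{"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/LFAdmin"}],
    "CreateDatabaseDefaultPermissions": [
        {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED}, "Permissions": [SUPER]}],
    "CreateTableDefaultPermissions": [
        {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED}, "Permissions": [SUPER]}],
}}

# Constructed sample in the shape of ListPermissions output: the "sales"
# database is still open to IAMAllowedPrincipals; "sales.orders" has a
# fine-grained grant to a single role (Method 2).
SAMPLE_PERMISSIONS = {"PrincipalResourcePermissions": [
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED},
     "Resource": {"Database": {"Name": "sales"}},
     "Permissions": [SUPER], "PermissionsWithGrantOption": []},
    {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/Analyst"},
     "Resource": {"Table": {"DatabaseName": "sales", "Name": "orders"}},
     "Permissions": ["SELECT"], "PermissionsWithGrantOption": []},
]}


def iam_only_defaults(settings):
    """Default-permission settings that still grant Super to IAMAllowedPrincipals."""
    lf = settings["DataLakeSettings"]
    return [key for key in ("CreateDatabaseDefaultPermissions", "CreateTableDefaultPermissions")
            if any(e["Principal"]["DataLakePrincipalIdentifier"] == IAM_ALLOWED
                   and SUPER in e["Permissions"] for e in lf.get(key, []))]


def describe(resource):
    """Render a Lake Formation Resource object as 'db' or 'db.table'."""
    if "Database" in resource:
        return resource["Database"]["Name"]
    if "Table" in resource:
        t = resource["Table"]
        return f'{t["DatabaseName"]}.{t.get("Name", "*")}'
    return json.dumps(resource, sort_keys=True)


def open_resources(permissions):
    """Catalog resources on which IAMAllowedPrincipals still holds Super, i.e. IAM-only control."""
    return [describe(p["Resource"]) for p in permissions["PrincipalResourcePermissions"]
            if p["Principal"]["DataLakePrincipalIdentifier"] == IAM_ALLOWED and SUPER in p["Permissions"]]


if __name__ == "__main__":
    print("default settings still IAM-only:", iam_only_defaults(SAMPLE_SETTINGS))
    print("resources still open to IAMAllowedPrincipals:", open_resources(SAMPLE_PERMISSIONS))
```

A resource listed by open_resources is governed solely by IAM policies regardless of any other Lake Formation grants on it, so revoking that Super grant is the step that makes the fine-grained grants effective.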