IAM permissions required to grant or revoke Lake Formation permissions - AWS Lake Formation

IAM permissions required to grant or revoke Lake Formation permissions

All principals, including the data lake administrator, need the following AWS Identity and Access Management (IAM) permissions to grant or revoke AWS Lake Formation Data Catalog permissions or data location permissions with the Lake Formation API or the AWS CLI:

  • lakeformation:GrantPermissions

  • lakeformation:BatchGrantPermissions

  • lakeformation:RevokePermissions

  • lakeformation:BatchRevokePermissions

  • glue:GetTable or glue:GetDatabase for a table or database that you're granting permissions using the named resource method.

Note

Data lake administrators have implicit Lake Formation permissions to grant and revoke Lake Formation permissions. But they still need the IAM permissions on the Lake Formation grant and revoke API operations.

IAM roles with AWSLakeFormationDataAdmin AWS managed policy cannot add new data lake administrators because this policy contains an explicit deny for the Lake Formation API operation, PutDataLakeSetting.

The following IAM policy is recommended for principals who are not data lake administrators and who want to grant or revoke permissions using the Lake Formation console.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:ListPermissions",
                "lakeformation:GrantPermissions",
                "lakeformation:BatchGrantPermissions",
                "lakeformation:RevokePermissions",
                "lakeformation:BatchRevokePermissions",
                "glue:GetDatabases",
                "glue:SearchTables",
                "glue:GetTables",
                "glue:GetDatabase",
                "glue:GetTable",
                "iam:ListUsers",
                "iam:ListRoles",
                "sso-directory:DescribeUser",
                "sso-directory:DescribeGroup",
                "sso:DescribeInstance"
            ],
            "Resource": "*"
        }
    ]
}

All of the glue: and iam: permissions in this policy are available in the AWS managed policy AWSGlueConsoleFullAccess.

To grant permissions by using Lake Formation tag-based access control (LF-TBAC), principals need additional IAM permissions. For more information, see Lake Formation tag-based access control best practices and considerations and Lake Formation personas and IAM permissions reference.

Cross-account permissions

Users who want to grant cross-account Lake Formation permissions by using the named resource method must also have the permissions in the AWSLakeFormationCrossAccountManager AWS managed policy.

Data lake administrators need those same permissions for granting cross-account permissions, plus the AWS Resource Access Manager (AWS RAM) permission to enable granting permissions to organizations. For more information, see Data lake administrator permissions.

The administrative user

A principal with administrative permissions—for example, with the AdministratorAccess AWS managed policy—has permissions to grant Lake Formation permissions and create data lake administrators. To deny a user or role access to Lake Formation administrator operations, attach or add into its policy a Deny statement for administrator API operations.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lakeformation:GetDataLakeSettings",
                "lakeformation:PutDataLakeSettings"
            ],
            "Effect": "Deny",
            "Resource": [
                "*"
            ]
        }
    ]
}
Important

To prevent users from adding themselves as an administrator with an extract, transform, and load (ETL) script, make sure that all non-administrator users and roles are denied access to these API operations. The AWSLakeFormationDataAdmin AWS managed policy contains an explict deny for the Lake Formation API operation, PutDataLakeSetting that prevents users from adding new data lake administrators.