Roles and responsibilities in Lake Formation application integration

The following are the roles and their associated responsibilities for enabling third-party application integration with AWS Lake Formation.

Role	Responsibility
The customer	Enable Lake Formation application integration setting (see Registering a third-party query engine). Explicitly registers approved third parties with Lake Formation (see Registering a third-party query engine). Tests and validates third-party solutions with Lake Formation permissions. Monitors and audits third-party usage of Lake Formation credential vending API operations.
The third-party	Publicly documents the supported capability for every software revision and provides instructions to enable it correctly. Accurately advertises the supported capabilities when calling Lake Formation credential vending API operations (according to the documentation). Securely stores and handles vended credentials to avoid credential leaks and privilege escalation. Enforces permissions based on supported capabilities and returns only filtered data to users Fails the query when unable to properly enforce required permissions
`AWS Lake Formation`	Correctly derives and returns effective permissions for a given principal. Validates third-party supported capabilities on an API operation call-by-call basis. Returns scoped-down IAM credentials only when the engine’s advertised capabilities match those defined on the catalog resources, otherwise returns an error.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

How Lake Formation application integration works

Lake Formation workflow for application integration API operations