Applying Lake Formation permissions to existing databases and tables - Amazon Athena
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Applying Lake Formation permissions to existing databases and tables

If you are new to Athena and you use Lake Formation to configure access to query data, you do not need to configure IAM policies so that users can read Amazon S3 data and create metadata. You can use Lake Formation to administer permissions.

Registering data with Lake Formation and updating IAM permissions policies is not a requirement. If data is not registered with Lake Formation, Athena users who have appropriate permissions in Amazon S3—and Amazon Glue, if applicable—can continue to query data not registered with Lake Formation.

If you have existing Athena users who query data not registered with Lake Formation, you can update IAM permissions for Amazon S3—and the Amazon Glue Data Catalog, if applicable—so that you can use Lake Formation permissions to manage user access centrally. For permission to read Amazon S3 data locations, you can update resource-based and identity-based policies to modify Amazon S3 permissions. For access to metadata, if you configured resource-level policies for fine-grained access control with Amazon Glue, you can use Lake Formation permissions to manage access instead.

For more information, see Fine-grained access to databases and tables in the Amazon Glue Data Catalog and Upgrading Amazon Glue data permissions to the Amazon Lake Formation model in the Amazon Lake Formation Developer Guide.