Attribute-based access control considerations, limitations, and supported regions - Amazon Lake Formation

Attribute-based access control considerations, limitations, and supported regions

The following considerations and limitations apply to attribute-based access control (ABAC).

  • ABAC doesn’t support granting access using LF-Tag policies.

  • Grantable permissions are not available with ABAC.

  • ABAC doesn’t support granting permissions to IAM Identity Center users.

  • When using ABAC grants on a table in Lake Formation, Lake Formation doesn't grant DESCRIBE permissions to the parent database or catalog. This differs from non-ABAC scenarios, where Lake Formation provides implicit DESCRIBE permissions to parent resources.

  • All principals with the AmazonDataZoneProject tag key are always treated as opted in to Lake Formation for all Data Catalog resources.

  • ABAC supports only string attributes.