Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Methods for fine-grained access control
With a data lake, the goal is to have fine-grained access control to data. In Lake Formation, this
means fine-grained access control to Data Catalog resources and Amazon S3 locations. You can achieve
fine-grained access control with one of the following methods.
Method | Lake Formation Permissions | IAM Permissions | Comments
Method 1 | Open | Fine-grained | This is the default method, kept for backward compatibility with Amazon Glue. On the Lake Formation console, this method appears as Use only IAM access control.
Method 2 | Fine-grained | Coarse-grained | This is the recommended method.

The terms used for Method 1 mean the following:
- Open means that the special permission Super is granted to the group IAMAllowedPrincipals. IAMAllowedPrincipals is created automatically and includes any IAM users and roles that your IAM policies allow to access your Data Catalog resources; the Super permission enables a principal to perform every supported Lake Formation operation on the database or table on which it is granted. This effectively causes access to Data Catalog resources and Amazon S3 locations to be controlled solely by IAM policies. For more information, see Changing the default settings for your data lake and Upgrading Amazon Glue data permissions to the Amazon Lake Formation model.
- Fine-grained means that IAM policies control all access to Data Catalog resources and to individual Amazon S3 buckets.

The terms used for Method 2 mean the following:
- Fine-grained access means granting limited Lake Formation permissions to individual principals on Data Catalog resources, Amazon S3 locations, and the underlying data in those locations.
- Coarse-grained means broader permissions on individual operations and on access to Amazon S3 locations. For example, a coarse-grained IAM policy might include "glue:*" or "glue:Create*" rather than "glue:CreateTable", leaving Lake Formation permissions to control whether or not a principal can create catalog objects. It also means giving principals access to the APIs that they need to do their work, but locking down other APIs and resources. For example, you might create an IAM policy that enables a principal to create Data Catalog resources and create and run workflows, but doesn't enable creation of Amazon Glue connections or user-defined functions. See the examples later in this section.
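The following is an added example, not code from the Lake Formation documentation, of what a Method 2 coarse-grained IAM policy looks like and how it divides work with Lake Formation permissions. The policy document is constructed for illustration: it grants broad "glue:*" access but explicitly denies creating connections and user-defined functions, and a separate Lake Formation grant (parameters for GrantPermissions) decides what the principal may do on a specific table. The small evaluator implements only the part of IAM evaluation needed here (Action matching with "*" wildcards, explicit Deny overriding Allow, default deny); it ignores Resource and Condition. The role ARN, database and table names are placeholders.

```python
"""Coarse-grained IAM policy beside a fine-grained Lake Formation grant.

Added example; the policy and the evaluator are illustrative and do not
reproduce full IAM evaluation (no Resource, NotAction or Condition logic).
"""
import fnmatch
import json

# Constructed policy: broad catalog/workflow access for the principal, with
# the operations it should never perform explicitly denied. Whether it may
# create or read a particular catalog object is left to Lake Formation.
COARSE_GRAINED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BroadGlueAccess",
            "Effect": "Allow",
            "Action": ["glue:*", "lakeformation:GetDataAccess"],
            "Resource": "*",
        },
        {
            "Sid": "NoConnectionsOrUdfs",
            "Effect": "Deny",
            "Action": [
                "glue:CreateConnection",
                "glue:UpdateConnection",
                "glue:CreateUserDefinedFunction",
                "glue:UpdateUserDefinedFunction",
            ],
            "Resource": "*",
        },
    ],
}


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and use '*' / '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_action_allowed(policy, action):
    """Return True if the policy allows `action`.

    A matching explicit Deny wins over any Allow; with no matching Allow
    the result is the implicit deny.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def lake_formation_grant(principal_arn, database, table, permissions):
    """Parameters for lakeformation GrantPermissions that scope what the
    principal may do on one table, complementing the coarse IAM policy."""
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": {"Table": {"DatabaseName": database, "Name": table}},
        "Permissions": permissions,
    }


if __name__ == "__main__":
    # Placeholder ARN; IAM says "yes" to the Glue API call, Lake Formation
    # then says whether this principal may read this particular table.
    role = "arn:aws:iam::123456789012:role/DataEngineer"
    for action in ("glue:CreateTable", "glue:GetTable",
                   "glue:CreateConnection", "glue:CreateUserDefinedFunction"):
        print(f"{action:35s} -> {is_action_allowed(COARSE_GRAINED_POLICY, action)}")
    print(json.dumps(lake_formation_grant(role, "sales", "orders", ["SELECT"]), indent=2))
```

The split is the point of Method 2: the IAM policy answers "may this principal call the Glue API at all", while the Lake Formation grant answers "on which databases, tables and columns", so tightening access to data does not require editing IAM policies.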
Be aware of the following:
- By default, Lake Formation has the Use only IAM access control settings enabled for compatibility with existing Amazon Glue Data Catalog behavior. We recommend that you disable these settings after you transition to using Lake Formation permissions. For more information, see Changing the default settings for your data lake.
- Data lake administrators and database creators have implicit Lake Formation permissions that you must understand. For more information, see Implicit Lake Formation permissions.
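As an added example (not code from the Lake Formation documentation), the following shows the default data lake settings that keep Use only IAM access control in effect beside the hardened settings that disable it. The dicts follow the DataLakeSettings structure accepted by PutDataLakeSettings: the defaults grant ALL to the IAM_ALLOWED_PRINCIPALS group on every new database and table, and disabling the setting means clearing those two default-permissions lists. The admin role ARN is a placeholder, and the check function is an assumption of how one might audit the setting.

```python
"""Default versus hardened Lake Formation DataLakeSettings.

Added example; the admin ARN is a placeholder and the audit helper is
illustrative rather than part of the Lake Formation API.
"""
import copy

IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS"
_DEFAULT_PERMS = ("CreateDatabaseDefaultPermissions",
                  "CreateTableDefaultPermissions")

# Default state: every new database and table grants ALL (Super) to
# IAMAllowedPrincipals, so IAM policies alone control access (Method 1).
DEFAULT_SETTINGS = {
    "DataLakeAdmins": [
        {"DataLakePrincipalIdentifier":
         "arn:aws:iam::123456789012:role/LakeAdmin"}  # placeholder
    ],
    "CreateDatabaseDefaultPermissions": [
        {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
         "Permissions": ["ALL"]}
    ],
    "CreateTableDefaultPermissions": [
        {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
         "Permissions": ["ALL"]}
    ],
}


def harden_settings(settings):
    """Return a copy with the IAMAllowedPrincipals default grants removed, so
    new databases and tables are governed by Lake Formation permissions."""
    hardened = copy.deepcopy(settings)
    for key in _DEFAULT_PERMS:
        hardened[key] = []
    return hardened


def iam_only_access_control_enabled(settings):
    """True if either default-permissions list still grants to the
    IAMAllowedPrincipals group (the 'Use only IAM access control' state)."""
    for key in _DEFAULT_PERMS:
        for entry in settings.get(key, []):
            if entry["Principal"]["DataLakePrincipalIdentifier"] == IAM_ALLOWED_PRINCIPALS:
                return True
    return False


if __name__ == "__main__":
    print("default  ->", iam_only_access_control_enabled(DEFAULT_SETTINGS))
    hardened = harden_settings(DEFAULT_SETTINGS)
    print("hardened ->", iam_only_access_control_enabled(hardened))
    # With boto3 the hardened dict would be applied as:
    #   boto3.client("lakeformation").put_data_lake_settings(
    #       DataLakeSettings=hardened)
```

Existing databases and tables keep any Super grant already made to IAMAllowedPrincipals; changing the defaults only affects resources created afterwards, so the earlier grants still have to be revoked when you move existing resources to Lake Formation permissions.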