Step 2: Add permissions to read Amazon CloudTrail logs to the workflow role - Amazon Lake Formation

Step 2: Add permissions to read Amazon CloudTrail logs to the workflow role

Attach the following inline policy to the role LakeFormationWorkflowRole. The policy grants permission to read your Amazon CloudTrail logs. Name the policy DatalakeGetCloudTrail.

To create the LakeFormationWorkflowRole role, see (Optional) Create an IAM role for workflows.

Important
Replace <your-s3-cloudtrail-bucket> with the Amazon S3 location of your CloudTrail data.
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": ["arn:aws:s3:::<your-s3-cloudtrail-bucket>/*"]
        }
    ]
}
```
Verify that there are three policies attached to the role.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Step 1: Create a data analyst user

Step 3: Create an Amazon S3 bucket for the data lake