Data sharing using tag-based access control - Amazon Lake Formation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Data sharing using tag-based access control

Set up required on the producer/grantor account
  1. Define an LF-Tag. For instructions on creating an LF-Tag, see Creating LF-Tags.

  2. Assign the LF-Tag to the target resource. For more information, see Assigning LF-Tags to Data Catalog resources.

  3. Grant LF-Tag permission to the external account. For more information, see Granting LF-Tag permissions using the console.

    At this point, the consumer data lake administrator should be able to see the shared LF-Tag in the grantee account's Lake Formation console, under Permissions, Administrative roles and tasks, LF-Tags.

  4. Grant data permission to the external/grantee account.

    1. In the navigation pane, under Permissions, Data lake permissions, choose Grant.

    2. For Principals, choose External accounts, and enter the target Amazon Web Services account ID, or the Amazon Resource Name (ARN) of the IAM principal in that account (for example, an IAM role).

    3. For LF-Tags or catalog resources, choose the key and values of the LF-Tag that is being shared with the consumer account (key Confidentiality and value public).

    4. For Permissions, under Resources matched by LF-Tags (recommended) choose Add LF-Tag.

    5. Select the key and value of the LF-Tag that is being shared with the grantee account (key Confidentiality and value public).

    6. For Database permissions, select Describe under Database permissions to grant access permissions at the database level.

    7. The consumer data lake administrator should be able to see the shared LF-Tag in the consumer account's Lake Formation console at https://console.amazonaws.cn/lakeformation/, under Permissions, Administrative roles and tasks, LF-Tags.

    8. Select Describe under Grantable permissions so the consumer account can grant database-level permissions to its users.

      Because the data lake administrator must grant permissions on shared resources to the principals in the grantee account, cross-account permissions must always be granted with the grant option.

      Note

      Principals who receive direct cross-account grants will not have the Grantable permissions option.

    9. For Table and column permissions, select Select and Describe under Table permissions.

    10. Select Select and Describe under Grantable permissions.

    11. Choose Grant.

Set up required on the receiving/grantee account
  1. When you share a resource with another account, the resource still belongs to the producer account and is not visible in the Athena console of the grantee account. To make it visible there, create a resource link that points to the shared resource. For instructions on creating a resource link, see Creating a resource link to a shared Data Catalog table and Creating a resource link to a shared Data Catalog database.

  2. To use LF-Tag-based access control on the resource links, you need a separate set of LF-Tags in the consumer account. Create the required LF-Tags and assign them to the shared database/tables and to the resource links.

  3. Grant permissions on these LF-Tags to the IAM principals in the grantee account.
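The two procedures above (the producer-side grants and the consumer-side resource links) expressed as Lake Formation and Glue API requests, as an added example that is not part of this documentation page. It assumes constructed placeholder account IDs, database and table names, and a region; the LF-Tag key and value are the ones used in the steps above. The request builders are plain functions so the payloads can be inspected before anything is sent, and a small check enforces the rule stated in step 8: a cross-account grant must carry the grant option, and the grant option can never exceed the permissions granted. The `apply_*` functions send the requests with boto3 and are only needed when running against real accounts.

```python
"""Tag-based cross-account sharing in Lake Formation: build, check and send the requests.

Added example, not from the Lake Formation documentation. Account IDs, names and the
region below are constructed placeholders.
"""
from __future__ import annotations

import json

PRODUCER_ACCOUNT = "111111111111"  # constructed placeholder (grantor)
CONSUMER_ACCOUNT = "222222222222"  # constructed placeholder (grantee)
TAG_KEY, TAG_VALUE = "Confidentiality", "public"  # the LF-Tag used on the page
DATABASE, TABLE = "sales_db", "orders"  # constructed placeholders

# Subset of Lake Formation permission names valid for each resource type.
DATABASE_PERMISSIONS = {"DESCRIBE", "ALTER", "DROP", "CREATE_TABLE"}
TABLE_PERMISSIONS = {"SELECT", "DESCRIBE", "ALTER", "DROP", "INSERT", "DELETE"}


def tag_expression() -> list[dict]:
    """The LF-Tag expression 'Confidentiality = public' in API form."""
    return [{"TagKey": TAG_KEY, "TagValues": [TAG_VALUE]}]


def lf_tag_grant_request(grantee: str) -> dict:
    """Producer step 3: share the LF-Tag itself so the grantee can describe and associate it."""
    return {
        "Principal": {"DataLakePrincipalIdentifier": grantee},
        "Resource": {"LFTag": {"CatalogId": PRODUCER_ACCOUNT, "TagKey": TAG_KEY, "TagValues": [TAG_VALUE]}},
        "Permissions": ["ASSOCIATE", "DESCRIBE"],
        "PermissionsWithGrantOption": ["ASSOCIATE", "DESCRIBE"],
    }


def data_grant_request(grantee: str, resource_type: str, permissions: list[str], grantable: list[str]) -> dict:
    """Producer step 4: grant on every DATABASE or TABLE matched by the LF-Tag expression."""
    if resource_type not in ("DATABASE", "TABLE"):
        raise ValueError(f"unsupported resource type {resource_type!r}")
    allowed = DATABASE_PERMISSIONS if resource_type == "DATABASE" else TABLE_PERMISSIONS
    unknown = (set(permissions) | set(grantable)) - allowed
    if unknown:
        raise ValueError(f"{sorted(unknown)} not valid for {resource_type}")
    return {
        "Principal": {"DataLakePrincipalIdentifier": grantee},
        "Resource": {"LFTagPolicy": {"CatalogId": PRODUCER_ACCOUNT, "ResourceType": resource_type,
                                     "Expression": tag_expression()}},
        "Permissions": list(permissions),
        "PermissionsWithGrantOption": list(grantable),
    }


def check_cross_account_grant(request: dict) -> list[str]:
    """Return the problems with a cross-account grant; an empty list means it is acceptable.

    Rule from the page: the grantee's data lake administrator must re-grant shared resources
    to its own principals, so cross-account grants always need the grant option. A grant
    option wider than the permissions themselves is also rejected.
    """
    problems = []
    perms = set(request["Permissions"])
    grantable = set(request.get("PermissionsWithGrantOption", []))
    if not grantable:
        problems.append("no grant option: grantee administrator cannot re-grant to its principals")
    if not grantable <= perms:
        problems.append(f"grant option exceeds granted permissions: {sorted(grantable - perms)}")
    return problems


def producer_requests(grantee: str = CONSUMER_ACCOUNT) -> list[dict]:
    """Producer steps 3 and 4 as the three grant requests the console flow produces, checked first."""
    requests = [
        lf_tag_grant_request(grantee),
        data_grant_request(grantee, "DATABASE", ["DESCRIBE"], ["DESCRIBE"]),
        data_grant_request(grantee, "TABLE", ["SELECT", "DESCRIBE"], ["SELECT", "DESCRIBE"]),
    ]
    for req in requests:
        problems = check_cross_account_grant(req)
        if problems:
            raise ValueError("; ".join(problems))
    return requests


def resource_link_inputs() -> tuple[dict, dict]:
    """Consumer step 1: Glue DatabaseInput/TableInput that create resource links to the shared objects."""
    db_link = {"Name": f"{DATABASE}_link",
               "TargetDatabase": {"CatalogId": PRODUCER_ACCOUNT, "DatabaseName": DATABASE}}
    table_link = {"Name": f"{TABLE}_link",
                  "TargetTable": {"CatalogId": PRODUCER_ACCOUNT, "DatabaseName": DATABASE, "Name": TABLE}}
    return db_link, table_link


def apply_producer(region: str = "cn-north-1") -> None:
    """Run steps 1-4 in the producer account (boto3 imported here so the builders run without it)."""
    import boto3
    lf = boto3.client("lakeformation", region_name=region)
    lf.create_lf_tag(TagKey=TAG_KEY, TagValues=[TAG_VALUE])                                  # step 1
    lf.add_lf_tags_to_resource(Resource={"Database": {"Name": DATABASE}}, LFTags=tag_expression())  # step 2
    for req in producer_requests():                                                           # steps 3-4
        lf.grant_permissions(**req)


def apply_consumer(region: str = "cn-north-1") -> None:
    """Run consumer step 1: create the resource links with credentials of the consumer account."""
    import boto3
    glue = boto3.client("glue", region_name=region)
    db_link, table_link = resource_link_inputs()
    glue.create_database(DatabaseInput=db_link)
    glue.create_table(DatabaseName=db_link["Name"], TableInput=table_link)


if __name__ == "__main__":
    for req in producer_requests():
        print(json.dumps(req, indent=2))
```

Review the printed payloads before calling `apply_producer`: the LF-Tag grant (`LFTag` resource) and the two tag-expression grants (`LFTagPolicy` with `ResourceType` DATABASE and TABLE) are what the console creates from steps 3 through 11, and `check_cross_account_grant` is where a grant without the grant option is stopped before it reaches the other account.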