Cross-account permission cascading
When you share data across Amazon accounts using LF-Tag policies, Amazon Lake Formation enables permission cascading through two primary delegation mechanisms. These mechanisms allow consumer account administrators to grant access to users and roles without requiring the producer account to manage individual permissions for each consumer.
- Delegation with identical LF-Tag policies – When the LF-Tag policy is exactly the same as the LF-Tag policy used by the producer account to share resources with the consumer account, principals can cascade permissions using the grantable permissions (`PermissionsWithGrantOption`). This allows the principal in the consumer account to grant the same permissions to other principals within their account.
- Alternative delegation using `DESCRIBE` permissions – Principals in the consumer account can cascade permissions without requiring grantable permissions (`PermissionsWithGrantOption`) if they have `DESCRIBE` permissions on tag-value pairs. This approach only works when producer and consumer accounts have different permissions policies.
Understanding these delegation mechanisms is important for proper cross-account data sharing and security management. They determine how permissions flow from data owners to consumers.
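The following added example (not code from the Lake Formation documentation) builds the `GrantPermissions` request shapes for the producer-to-consumer share and for a consumer-side cascade, and then applies the two delegation rules above as a small local check. The account IDs, role names, the `classification` tag key and its values are constructed for illustration, and `can_cascade` is a simplified model of the rules as stated on this page, not Lake Formation's actual authorizer; the request dictionaries match the real `lakeformation.grant_permissions` parameter shape but are never sent, so the script runs offline.

```python
"""Model of the two LF-Tag cascade paths for cross-account sharing.

Added example. Assumed (constructed) values: producer account 111111111111,
consumer account 222222222222, tag key "classification". The rule check is a
local simplification of the page's two delegation mechanisms, not the real
Lake Formation permission evaluator.
"""
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

PRODUCER = "111111111111"  # constructed producer (data owner) account id
CONSUMER = "222222222222"  # constructed consumer account id


def lf_tag_policy(catalog_id: str, resource_type: str, expression: List[Dict]) -> Dict:
    """Build the Resource element for an LF-Tag policy grant (DATABASE or TABLE)."""
    return {"LFTagPolicy": {"CatalogId": catalog_id,
                            "ResourceType": resource_type,
                            "Expression": expression}}


def grant_request(principal: str, resource: Dict, permissions: Iterable[str],
                  grantable: Iterable[str] = ()) -> Dict:
    """Parameter dict in the shape of lakeformation.grant_permissions (not sent here)."""
    return {"Principal": {"DataLakePrincipalIdentifier": principal},
            "Resource": resource,
            "Permissions": list(permissions),
            "PermissionsWithGrantOption": list(grantable)}


def _norm(expression: List[Dict]) -> FrozenSet[Tuple[str, FrozenSet[str]]]:
    """Canonical form of an LF-Tag expression so key/value order does not matter."""
    return frozenset((e["TagKey"], frozenset(e["TagValues"])) for e in expression)


def tag_value_pairs(expression: List[Dict]) -> Set[Tuple[str, str]]:
    """Every (key, value) pair referenced by an LF-Tag expression."""
    return {(e["TagKey"], v) for e in expression for v in e["TagValues"]}


def can_cascade(shared: Dict, describe_pairs: Set[Tuple[str, str]],
                proposed: Dict) -> Optional[str]:
    """Return which delegation path (if any) lets a consumer principal make `proposed`.

    shared         - the producer's cross-account grant to the consumer account
    describe_pairs - (key, value) pairs on which the consumer principal holds DESCRIBE
    proposed       - the grant the consumer principal wants to issue in its own account
    """
    shared_expr = shared["Resource"]["LFTagPolicy"]["Expression"]
    proposed_expr = proposed["Resource"]["LFTagPolicy"]["Expression"]
    same_policy = _norm(shared_expr) == _norm(proposed_expr)
    wanted = set(proposed["Permissions"]) | set(proposed["PermissionsWithGrantOption"])

    # Path 1: identical LF-Tag policy, cascading only what was granted with grant option.
    if same_policy and wanted <= set(shared["PermissionsWithGrantOption"]):
        return "identical-policy"
    # Path 2: different policy, no grant option needed, but DESCRIBE on every tag-value pair.
    if not same_policy and tag_value_pairs(proposed_expr) <= describe_pairs:
        return "describe"
    return None


def demo() -> Dict[str, Optional[str]]:
    """Run the three scenarios a reviewer would want to see side by side."""
    shared = grant_request(
        CONSUMER,
        lf_tag_policy(PRODUCER, "TABLE", [{"TagKey": "classification", "TagValues": ["public"]}]),
        permissions=["SELECT", "DESCRIBE"],
        grantable=["SELECT", "DESCRIBE"])
    analyst = f"arn:aws:iam::{CONSUMER}:role/Analyst"  # constructed consumer role

    same = grant_request(analyst, lf_tag_policy(
        PRODUCER, "TABLE", [{"TagKey": "classification", "TagValues": ["public"]}]), ["SELECT"])
    wider = grant_request(analyst, lf_tag_policy(
        PRODUCER, "TABLE", [{"TagKey": "classification", "TagValues": ["public", "internal"]}]), ["SELECT"])
    too_much = grant_request(analyst, lf_tag_policy(
        PRODUCER, "TABLE", [{"TagKey": "classification", "TagValues": ["public"]}]), ["ALTER"])

    describe_on_both = {("classification", "public"), ("classification", "internal")}
    return {
        "same_policy_with_grant_option": can_cascade(shared, set(), same),
        "different_policy_with_describe": can_cascade(shared, describe_on_both, wider),
        "different_policy_without_describe": can_cascade(shared, {("classification", "public")}, wider),
        "permission_not_grantable": can_cascade(shared, set(), too_much),
    }


if __name__ == "__main__":
    for scenario, path in demo().items():
        print(f"{scenario}: {path}")
```

The first scenario succeeds through the identical-policy path because `SELECT` is in the producer's `PermissionsWithGrantOption`; the second succeeds only through the `DESCRIBE` path because the expression differs from the shared one; the last two fail, which is the behaviour to expect when a consumer principal tries to widen or alter what the producer delegated.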