Encryption at Rest
Amazon Lake Formation supports data encryption in the following areas:
- Data in your Amazon Simple Storage Service (Amazon S3) data lake. Lake Formation supports data encryption with Amazon Key Management Service (Amazon KMS). Data is typically written to the data lake by means of Amazon Glue extract, transform, and load (ETL) jobs. For information about how to encrypt data written by Amazon Glue jobs, see Encrypting Data Written by Crawlers, Jobs, and Development Endpoints in the Amazon Glue Developer Guide.
- The Amazon Glue Data Catalog, which is where Lake Formation stores metadata tables that describe data in the data lake. For more information, see Encrypting Your Data Catalog in the Amazon Glue Developer Guide.
To add an Amazon S3 location as storage in your data lake, you register the location with Amazon Lake Formation. You can then use Lake Formation permissions for fine-grained access control to Amazon Glue Data Catalog objects that point to this location, and to the underlying data in the location.
Lake Formation supports registering an Amazon S3 location that contains encrypted data. For more information, see Registering an encrypted Amazon S3 location.
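As an added example (not code from the Lake Formation documentation), the following pre-registration check inspects a bucket's default encryption configuration and the KMS key policy before an encrypted S3 location is registered. It assumes the role used for registration must be allowed `kms:Decrypt` and `kms:GenerateDataKey` on the bucket's key; the account ID, key ID, role ARN and both JSON documents are constructed sample data in the shape returned by `aws s3api get-bucket-encryption` and `aws kms get-key-policy`.

```python
import fnmatch
import json

# Constructed sample: default-encryption config of a bucket using SSE-KMS.
BUCKET_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}

# Hypothetical role that registers the location with Lake Formation.
REGISTRATION_ROLE = "arn:aws:iam::111122223333:role/LakeFormationRegistrationRole"

# Constructed sample key policy: account root gets kms:*, the role gets only what it needs.
KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": REGISTRATION_ROLE},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]})

# Assumption: the registration role needs these actions on the bucket's key.
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")


def default_kms_key(encryption_config):
    """Return the KMS key the bucket encrypts with by default, or None for SSE-S3/no rule."""
    for rule in encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms":
            return default.get("KMSMasterKeyID")
    return None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_key_actions(policy_json, role_arn, required=REQUIRED_ACTIONS):
    """Return required KMS actions that no Allow statement grants role_arn (kms:* honoured)."""
    granted = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if stmt.get("Effect") != "Allow" or role_arn not in principals:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in required if fnmatch.fnmatch(a, pattern))
    return [a for a in required if a not in granted]


def registration_ready(encryption_config, policy_json, role_arn):
    """True when the bucket defaults to SSE-KMS and the role can use that key."""
    return default_kms_key(encryption_config) is not None and not missing_key_actions(policy_json, role_arn)
```

The check only reads the key policy; grants and IAM identity policies that could also confer access are outside its scope.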