Prerequisites for setting up hybrid access mode - Amazon Lake Formation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Prerequisites for setting up hybrid access mode

The following are the prerequisites for setting up hybrid access mode:

Note

We recommend that a Lake Formation administrator registers the Amazon S3 location in hybrid access mode and opts in the principals and resources.

  1. Grant data location permission (DATA_LOCATION_ACCESS) to create Data Catalog resources that point to the Amazon S3 locations. Data location permissions control the ability to create Data Catalog databases and tables that point to particular Amazon S3 locations.

  2. To share Data Catalog resources with another account in hybrid access mode (without removing IAMAllowedPrincipals group permissions from the resource), you need to update the Cross account version settings to Version 4. To update the version using the Lake Formation console, choose Version 4 under Cross account version settings on the Data Catalog settings page.

    You can also use the put-data-lake-settings Amazon CLI command to set the CROSS_ACCOUNT_VERSION parameter to version 4:

    aws lakeformation put-data-lake-settings --region us-east-1 --data-lake-settings file://settings

    where the settings file contains:

    {
      "DataLakeAdmins": [
        {
          "DataLakePrincipalIdentifier": "arn:aws:iam::<111122223333>:user/<user-name>"
        }
      ],
      "CreateDatabaseDefaultPermissions": [],
      "CreateTableDefaultPermissions": [],
      "Parameters": {
        "CROSS_ACCOUNT_VERSION": "4"
      }
    }

  3. To grant cross-account permissions in hybrid access mode, the grantor must have the required IAM permissions for the Amazon Glue and Amazon RAM services. The Amazon managed policy AWSLakeFormationCrossAccountManager grants the required permissions.

    To enable cross-account data sharing in hybrid access mode, we’ve updated the AWSLakeFormationCrossAccountManager managed policy by adding two new IAM permissions:

    • ram:ListResourceSharePermissions

    • ram:AssociateResourceSharePermission

    Note

    If you are not using the Amazon managed policy for the grantor role, add the above permissions to your custom policy.
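The two CLI-level prerequisites above (step 2, setting CROSS_ACCOUNT_VERSION; step 3, the grantor's RAM permissions) carried out as an added Python example that is not part of this documentation page. It assumes boto3 credentials for a Lake Formation administrator, a constructed sample of the current settings with a placeholder account ID, and a constructed custom grantor policy; the settings and policy shapes are the standard GetDataLakeSettings and IAM policy-document formats.

```python
"""Added example: prepare Lake Formation settings for hybrid-mode cross-account sharing."""
import json
from fnmatch import fnmatchcase

# The two RAM permissions the page says AWSLakeFormationCrossAccountManager gained.
REQUIRED_RAM_ACTIONS = {"ram:ListResourceSharePermissions", "ram:AssociateResourceSharePermission"}

# Constructed sample of what get-data-lake-settings returns (account ID is a placeholder).
CURRENT_SETTINGS = {
    "DataLakeAdmins": [{"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/lf-admin"}],
    "CreateDatabaseDefaultPermissions": [],
    "CreateTableDefaultPermissions": [],
    "Parameters": {"CROSS_ACCOUNT_VERSION": "3"},
}

# Constructed custom grantor policy that is missing one of the two required RAM actions.
CUSTOM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["glue:GetDatabase", "ram:ListResourceSharePermissions"], "Resource": "*"}]}

def with_cross_account_version(settings: dict, version: str = "4") -> dict:
    """Return a copy of DataLakeSettings with CROSS_ACCOUNT_VERSION set.

    put-data-lake-settings replaces the whole settings object, so the admins and
    default permissions are carried over from the current settings, not rebuilt.
    """
    updated = json.loads(json.dumps(settings))  # deep copy of the JSON-shaped dict
    updated.setdefault("Parameters", {})["CROSS_ACCOUNT_VERSION"] = version
    for key in ("DataLakeAdmins", "CreateDatabaseDefaultPermissions", "CreateTableDefaultPermissions"):
        updated.setdefault(key, [])
    return updated

def missing_ram_actions(policy_document: dict) -> set:
    """Required ram: actions that no Allow statement grants (wildcards such as ram:* honoured)."""
    statements = policy_document.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    allowed = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        allowed += [actions] if isinstance(actions, str) else actions
    # IAM action names match case-insensitively and accept * and ? wildcards.
    return {a for a in REQUIRED_RAM_ACTIONS
            if not any(fnmatchcase(a.lower(), p.lower()) for p in allowed)}

if __name__ == "__main__":
    import boto3  # only needed for the live call; assumes Lake Formation admin credentials
    lf = boto3.client("lakeformation", region_name="us-east-1")
    current = lf.get_data_lake_settings()["DataLakeSettings"]
    lf.put_data_lake_settings(DataLakeSettings=with_cross_account_version(current))
    print(json.dumps(lf.get_data_lake_settings()["DataLakeSettings"]["Parameters"]))
    print("missing grantor actions:", sorted(missing_ram_actions(CUSTOM_POLICY)))
```

Reading the current settings first and only changing the parameter avoids silently dropping existing data lake administrators, which a hand-written settings file can do.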