Lake Formation personas and IAM permissions reference - Amazon Lake Formation
Amazon Lake Formation personasAmazon managed policies for Lake FormationPersonas suggested permissions
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Lake Formation personas and IAM permissions reference

This section lists some suggested Lake Formation personas and their suggested Amazon Identity and Access Management (IAM) permissions. For information about Lake Formation permissions, see Lake Formation permissions reference.

Amazon Lake Formation personas

The following table lists the suggested Amazon Lake Formation personas.

Lake Formation Personas
Persona Description
IAM administrator (superuser) (Required) User who can create IAM users and roles. Has the AdministratorAccess Amazon managed policy. Has all permissions on all Lake Formation resources. Can add data lake administrators. Cannot grant Lake Formation permissions if not also designated a data lake administrator.
Data lake administrator (Required) User who can register Amazon S3 locations, access the Data Catalog, create databases, create and run workflows, grant Lake Formation permissions to other users, and view Amazon CloudTrail logs. Has fewer IAM permissions than the IAM administrator, but enough to administer the data lake. Cannot add other data lake administrators.
Read only administrator (Optional) User who can view principals, Data Catalog resources, permissions, and Amazon CloudTrail logs, without the permissions to make updates.
Data engineer (Optional) User who can create databases, create and run crawlers and workflows, and grant Lake Formation permissions on the Data Catalog tables that the crawlers and workflows create. We recommend that you make all data engineers database creators. For more information, see Creating a database.
Data analyst (Optional) User who can run queries against the data lake using, for example, Amazon Athena. Has only enough permissions to run queries.
Workflow role (Required) Role that runs a workflow on behalf of a user. You specify this role when you create a workflow from a blueprint.

Amazon managed policies for Lake Formation

You can grant the Amazon Identity and Access Management (IAM) permissions that are required to work with Amazon Lake Formation by using Amazon managed policies and inline policies. The following Amazon managed policies are available for Lake Formation.

Amazon managed policy:AWSLakeFormationDataAdmin

AWSLakeFormationDataAdmin policy grants administrative access to Amazon Lake Formation and related services such as Amazon Glue to manage data lakes.

You can attach AWSLakeFormationDataAdmin to your users, groups, and roles.

Permission details

  • CloudTrail – Allows principals to view Amazon CloudTrail logs. This is required to review any errors in the set up of the data lake.

  • Glue – Allows principals to view, create, and update metadata tables and databases in Data Catalog. This includes API operations that start with Get, List, Create, Update, Delete, and Search. This is required to manage the metadata of the data lake tables.

  • IAM – Allows principals to retrieve information about IAM users, roles, and policies attached to the roles. This is required for the data admin to review and list IAM users and roles to grant Lake Formation permissions.

  • Lake Formation – Grants data lake admins required Lake Formation permissions to manage data lakes.

  • S3 – Allows principals to retrieve information about Amazon S3 buckets and their locations in order to set up the data location for data lakes.

"Statement": [
        {
            "Sid": "AWSLakeFormationDataAdminAllow",
            "Effect": "Allow",
            "Action": [
                "lakeformation:*",
                "cloudtrail:DescribeTrails",
                "cloudtrail:LookupEvents",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:CreateDatabase",
                "glue:UpdateDatabase",
                "glue:DeleteDatabase",
                "glue:GetConnections",
                "glue:SearchTables",
                "glue:GetTable",
                "glue:CreateTable",
                "glue:UpdateTable",
                "glue:DeleteTable",
                "glue:GetTableVersions",
                "glue:GetPartitions",
                "glue:GetTables",
                "glue:ListWorkflows",
                "glue:BatchGetWorkflows",
                "glue:DeleteWorkflow",
                "glue:GetWorkflowRuns",
                "glue:StartWorkflowRun",
                "glue:GetWorkflow",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "s3:GetBucketAcl",
                "iam:ListUsers",
                "iam:ListRoles",
                "iam:GetRole",
                "iam:GetRolePolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AWSLakeFormationDataAdminDeny",
            "Effect": "Deny",
            "Action": [
                "lakeformation:PutDataLakeSettings"
            ],
                "Resource": "*"
        }
    ]
}
Note

The AWSLakeFormationDataAdmin policy does not grant every required permission for data lake administrators. Additional permissions are needed to create and run workflows and register locations with the service linked role AWSServiceRoleForLakeFormationDataAccess. For more information, see Create a data lake administrator and Using service-linked roles for Lake Formation.

Amazon managed policy:AWSLakeFormationCrossAccountManager

AWSLakeFormationCrossAccountManager policy provides cross account access to Amazon Glue resources via Lake Formation, and grants read access to other required services such as Amazon Organizations and Amazon RAM.

You can attach AWSLakeFormationCrossAccountManager to your users, groups, and roles.

Permission details

This policy includes the following permissions.

  • Glue – Allows principals to set or delete the Data Catalog resource policy for access control.

  • Organizations – Allows principals to retrieve account and organizational unit (OU) information for an organization.

  • ram:CreateResourceShare – Allows principals to create a resource share.

  • ram:UpdateResourceShare –Allows principals to modify some properties of the specified resource share.

  • ram:DeleteResourceShare – Allows principals to delete the specified resource share.

  • ram:AssociateResourceShare – Allows principals to add the specified list of principals and list of resources to a resource share.

  • ram:DisassociateResourceShare – Allows principals to remove the specified principals or resources from participating in the specified resource share.

  • ram:GetResourceShares– Allows principals to retrieve details about the resource shares that you own or that are shared with you.

  • ram:RequestedResourceType – Allows principals to retrieve the resource type (database, table or catalog).

  • AssociateResourceSharePermission – Allows principals to add or replace the Amazon RAM permission for a resource type included in a resource share. You can have exactly one permission associated with each resource type in the resource share.

{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "AllowCreateResourceShare",
            "Effect": "Allow",
            "Action": [
                "ram:CreateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "StringLikeIfExists": {
                    "ram:RequestedResourceType": [
                        "glue:Table",
                        "glue:Database",
                        "glue:Catalog"
                    ]
                }
            }
        },
        {
            "Sid": "AllowManageResourceShare",
            "Effect": "Allow",
            "Action": [
                "ram:UpdateResourceShare",
                "ram:DeleteResourceShare",
                "ram:AssociateResourceShare",
                "ram:DisassociateResourceShare",
                "ram:GetResourceShares"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ram:ResourceShareName": [
                        "LakeFormation*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowManageResourceSharePermissions",
            "Effect": "Allow",
            "Action": [
                "ram:AssociateResourceSharePermission"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ram:PermissionArn": [
                        "arn:aws:ram::aws:permission/AWSRAMLFEnabled*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowXAcctManagerPermissions",
            "Effect": "Allow",
            "Action": [
                "glue:PutResourcePolicy",
                "glue:DeleteResourcePolicy",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount",
                "ram:Get*",
                "ram:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowOrganizationsPermissions",
            "Effect": "Allow",
            "Action": [
                "organizations:ListRoots",
                "organizations:ListAccountsForParent",
                "organizations:ListOrganizationalUnitsForParent"
            ],
            "Resource": "*"
        }
    ]
}

Amazon managed policy:AWSGlueConsoleFullAccess

AWSGlueConsoleFullAccess policy grants full access to Amazon Glue resources when an identity that the policy is attached to uses the Amazon Web Services Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the Amazon Glue console.

In addition, Amazon Glue and Lake Formation assume the service role AWSGlueServiceRole to allow access to related services, including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), and Amazon CloudWatch.

Amazon managed policy:LakeFormationDataAccessServiceRolePolicy

This policy is attached to a service-linked role named ServiceRoleForLakeFormationDataAccess that allows the service to perform actions on resources at your request. You can't attach this policy to your IAM identities.

This policy allows the Lake Formation integrated Amazon services such as Amazon Athena or Amazon Redshift to use the service-linked role to discover Amazon S3 resources.

For more information see, Using service-linked roles for Lake Formation.

Permission details

This policy includes the following permission.

  • s3:ListAllMyBuckets – Returns a list of all buckets owned by the authenticated sender of the request.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "LakeFormationDataAccessServiceRolePolicy",
			"Effect": "Allow",
			"Action": [
				"s3:ListAllMyBuckets"
			],
			"Resource": [
				"arn:aws:s3:::*"
			]
		}
	]
}
Lake Formation updates to Amazon managed policies

View details about updates to Amazon managed policies for Lake Formation since this service began tracking these changes.

Change Description Date
Lake Formation updated AWSLakeFormationCrossAccountManager policy. Lake Formation enhanced the AWSLakeFormationCrossAccountManager policy by adding Sid elements to the policy statement. March, 2024
Lake Formation updated AWSLakeFormationDataAdmin policy. Lake Formation enhanced the AWSLakeFormationDataAdmin policy by adding a Sid element to the policy statement and removing a redundant action. March, 2024
Lake Formation updated LakeFormationDataAccessServiceRolePolicy policy. Lake Formation enhanced the LakeFormationDataAccessServiceRolePolicy policy by adding a Sid element to the policy statement. February, 2024
Lake Formation updated AWSLakeFormationCrossAccountManager policy. Lake Formation enhanced the AWSLakeFormationCrossAccountManager policy by adding a new permission to enable cross-account data sharing in hybrid access mode. October, 2023
Lake Formation updated AWSLakeFormationCrossAccountManager policy. Lake Formation enhanced the AWSLakeFormationCrossAccountManager policy to create only one resource share per recipient account when the a resource is first shared. All resources shared thereafter with the same account are attached to the same resource share. May 6, 2022
Lake Formation started tracking changes. Lake Formation started tracking changes for its Amazon managed policies. May 6, 2022

Personas suggested permissions

The following are the suggested permissions for each persona. The IAM administrator is not included because that user has all permissions on all resources.

Data lake administrator permissions

Important

In the following policies, replace <account-id> with a valid Amazon account number, and replace <workflow_role> with the name of a role that has permissions to run a workflow, as defined in Workflow role permissions.

Policy Type Policy
Amazon managed policies

  • AWSLakeFormationDataAdmin

  • LakeFormationDataAccessServiceRolePolicy (service-linked role policy)

  • AWSGlueConsoleFullAccess (Optional)

  • CloudWatchLogsReadOnlyAccess (Optional)

  • AWSLakeFormationCrossAccountManager (Optional)

  • AmazonAthenaFullAccess (Optional)

For information about the optional Amazon managed policies, see Create a data lake administrator.
Inline policy (for creating the Lake Formation service-linked role) 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "lakeformation.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::<account-id>:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess"
        }
    ]
}
(Optional) Inline policy (passrole policy for the workflow role). This is required only if the data lake administrator creates and runs workflows. 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PassRolePermissions",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::<account-id>:role/<workflow_role>"
            ]
        }
    ]
}
(Optional) Inline policy (if your account is granting or receiving cross-account Lake Formation permissions). This policy is for accepting or rejecting Amazon RAM resource share invitations, and for enabling the granting of cross-account permissions to organizations. ram:EnableSharingWithAwsOrganization is required only for data lake administrators in the Amazon Organizations management account. 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ram:AcceptResourceShareInvitation",
                "ram:RejectResourceShareInvitation",
                "ec2:DescribeAvailabilityZones",
                "ram:EnableSharingWithAwsOrganization"
            ],
            "Resource": "*"
        }
    ]
}

Read only administrator permissions

Policy type Policy
Inline policy (basic) 
{  
   "Version":"2012-10-17",
   "Statement":[  
      {  
         "Effect":"Allow",
         "Action":[  
            "lakeformation:GetEffectivePermissionsForPath",
            "lakeformation:ListPermissions",
            "lakeformation:ListDataCellsFilter",
            "lakeformation:GetDataCellsFilter",
            "lakeformation:SearchDatabasesByLFTags",
            "lakeformation:SearchTablesByLFTags",
            "lakeformation:GetLFTag",
            "lakeformation:ListLFTags",
            "lakeformation:GetResourceLFTags",
            "lakeformation:ListLakeFormationOptins",
            "cloudtrail:DescribeTrails",
            "cloudtrail:LookupEvents",
            "glue:GetDatabase",
            "glue:GetDatabases",
            "glue:GetConnections",
            "glue:SearchTables",
            "glue:GetTable",
            "glue:GetTableVersions",
            "glue:GetPartitions",
            "glue:GetTables",
            "glue:GetWorkflow",
            "glue:ListWorkflows",
            "glue:BatchGetWorkflows",
            "glue:GetWorkflowRuns",
            "glue:GetWorkflow",
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets",
            "s3:GetBucketAcl",
            "iam:ListUsers",
            "iam:ListRoles",
            "iam:GetRole",
            "iam:GetRolePolicy"
         ],
         "Resource":"*"
      },
      {  
         "Effect":"Deny",
         "Action":[  
            "lakeformation:PutDataLakeSettings"
         ],
         "Resource":"*"
      }
   ]
}

Data engineer permissions

Important

In the following policies, replace <account-id> with a valid Amazon account number, and replace <workflow_role> with the name of the workflow role.

Policy Type Policy
Amazon managed policy AWSGlueConsoleFullAccess
Inline policy (basic) 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:GetDataAccess",
                "lakeformation:GrantPermissions",
                "lakeformation:RevokePermissions",
                "lakeformation:BatchGrantPermissions",
                "lakeformation:BatchRevokePermissions",
                "lakeformation:ListPermissions",
                "lakeformation:AddLFTagsToResource",
                "lakeformation:RemoveLFTagsFromResource",
                "lakeformation:GetResourceLFTags",
                "lakeformation:ListLFTags",
                "lakeformation:GetLFTag",
                "lakeformation:SearchTablesByLFTags",
                "lakeformation:SearchDatabasesByLFTags",
                "lakeformation:GetWorkUnits",
                "lakeformation:GetWorkUnitResults",
                "lakeformation:StartQueryPlanning",
                "lakeformation:GetQueryState",
                "lakeformation:GetQueryStatistics"
            ],
            "Resource": "*"
        }
    ]
}
Inline policy (for operations on governed tables, including operations within transactions) 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:StartTransaction",
                "lakeformation:CommitTransaction",
                "lakeformation:CancelTransaction",
                "lakeformation:ExtendTransaction",
                "lakeformation:DescribeTransaction",
                "lakeformation:ListTransactions",
                "lakeformation:GetTableObjects",
                "lakeformation:UpdateTableObjects",
                "lakeformation:DeleteObjectsOnCancel"
            ],
            "Resource": "*"
        }
    ]
}
Inline policy (for metadata access control using the Lake Formation tag-based access control (LF-TBAC) method) 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:AddLFTagsToResource",
                "lakeformation:RemoveLFTagsFromResource",
                "lakeformation:GetResourceLFTags",
                "lakeformation:ListLFTags",
                "lakeformation:GetLFTag",
                "lakeformation:SearchTablesByLFTags",
                "lakeformation:SearchDatabasesByLFTags"
            ],
            "Resource": "*"
        }
    ]
}
Inline policy (passrole policy for the workflow role) 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PassRolePermissions",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::<account-id>:role/<workflow_role>"
            ]
        }
    ]
}

Data analyst permissions

Policy Type Policy
Amazon managed policy AmazonAthenaFullAccess
Inline policy (basic) 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:GetDataAccess",
                "glue:GetTable",
                "glue:GetTables",
                "glue:SearchTables",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetPartitions",
                "lakeformation:GetResourceLFTags",
                "lakeformation:ListLFTags",
                "lakeformation:GetLFTag",
                "lakeformation:SearchTablesByLFTags",
                "lakeformation:SearchDatabasesByLFTags"                
           ],
            "Resource": "*"
        }
    ]
}
(Optional) Inline policy (for operations on governed tables, including operations within transactions) 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:StartTransaction",
                "lakeformation:CommitTransaction",
                "lakeformation:CancelTransaction",
                "lakeformation:ExtendTransaction",
                "lakeformation:DescribeTransaction",
                "lakeformation:ListTransactions",
                "lakeformation:GetTableObjects",
                "lakeformation:UpdateTableObjects",
                "lakeformation:DeleteObjectsOnCancel"
            ],
            "Resource": "*"
        }
    ]
}

Workflow role permissions

This role has the permissions required to run a workflow. You specify a role with these permissions when you create a workflow.

Important

In the following policies, replace <region> with a valid Amazon Region identifier (for example us-east-1), <account-id> with a valid Amazon account number, <workflow_role> with the name of the workflow role, and <your-s3-cloudtrail-bucket> with the Amazon S3 path to your Amazon CloudTrail logs.

Policy Type Policy
Amazon managed policy AWSGlueServiceRole
Inline policy (data access) 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Lakeformation",
            "Effect": "Allow",
            "Action": [
                 "lakeformation:GetDataAccess",
                 "lakeformation:GrantPermissions"
             ],
            "Resource": "*"
        }
    ]
}
Inline policy (passrole policy for the workflow role) 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PassRolePermissions",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::<account-id>:role/<workflow_role>"
            ]
        }
    ]
}
Inline policy (for ingesting data outside the data lake, for example, Amazon CloudTrail logs) 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::<your-s3-cloudtrail-bucket>/*"]
        }
    ]
}