Lake Formation personas and IAM permissions reference
This section lists some suggested Lake Formation personas and their suggested Amazon Identity and Access Management (IAM) permissions. For information about Lake Formation permissions, see Lake Formation permissions reference.
Amazon Lake Formation personas
The following table lists the suggested Amazon Lake Formation personas.
Lake Formation Personas | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Persona | Description | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
IAM administrator (superuser) | (Required) User who can create IAM users and roles. Has the
AdministratorAccess Amazon managed policy. Has all
permissions on all Lake Formation resources. Can add data lake administrators.
Cannot grant Lake Formation permissions if not also designated a data lake
administrator. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Data lake administrator | (Required) User who can register Amazon S3 locations, access the Data Catalog, create databases, create and run workflows, grant Lake Formation permissions to other users, and view Amazon CloudTrail logs. Has fewer IAM permissions than the IAM administrator, but enough to administer the data lake. Cannot add other data lake administrators. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Read only administrator | (Optional) User who can view principals, Data Catalog resources, permissions, and Amazon CloudTrail logs, without the permissions to make updates. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Data engineer | (Optional) User who can create databases, create and run crawlers and workflows, and grant Lake Formation permissions on the Data Catalog tables that the crawlers and workflows create. We recommend that you make all data engineers database creators. For more information, see Creating a database. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Data analyst | (Optional) User who can run queries against the data lake using, for example, Amazon Athena. Has only enough permissions to run queries. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Workflow role | (Required) Role that runs a workflow on behalf of a user. You specify this role when you create a workflow from a blueprint. |
Amazon managed policies for Lake Formation
You can grant the Amazon Identity and Access Management (IAM) permissions that are required to work with Amazon Lake Formation by using Amazon managed policies and inline policies. The following Amazon managed policies are available for Lake Formation.
Amazon managed policy:AWSLakeFormationDataAdmin
AWSLakeFormationDataAdmin
You can attach AWSLakeFormationDataAdmin
to your users, groups, and roles.
Permission details
CloudTrail
– Allows principals to view Amazon CloudTrail logs. This is required to review any errors in the set up of the data lake.-
Glue
– Allows principals to view, create, and update metadata tables and databases in Data Catalog. This includes API operations that start withGet
,List
,Create
,Update
,Delete
, andSearch
. This is required to manage the metadata of the data lake tables. IAM
– Allows principals to retrieve information about IAM users, roles, and policies attached to the roles. This is required for the data admin to review and list IAM users and roles to grant Lake Formation permissions.Lake Formation
– Grants data lake admins required Lake Formation permissions to manage data lakes.S3
– Allows principals to retrieve information about Amazon S3 buckets and their locations in order to set up the data location for data lakes.
"Statement": [ { "Sid": "AWSLakeFormationDataAdminAllow", "Effect": "Allow", "Action": [ "lakeformation:*", "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents", "glue:GetDatabase", "glue:GetDatabases", "glue:CreateDatabase", "glue:UpdateDatabase", "glue:DeleteDatabase", "glue:GetConnections", "glue:SearchTables", "glue:GetTable", "glue:CreateTable", "glue:UpdateTable", "glue:DeleteTable", "glue:GetTableVersions", "glue:GetPartitions", "glue:GetTables", "glue:ListWorkflows", "glue:BatchGetWorkflows", "glue:DeleteWorkflow", "glue:GetWorkflowRuns", "glue:StartWorkflowRun", "glue:GetWorkflow", "s3:ListBucket", "s3:GetBucketLocation", "s3:ListAllMyBuckets", "s3:GetBucketAcl", "iam:ListUsers", "iam:ListRoles", "iam:GetRole", "iam:GetRolePolicy" ], "Resource": "*" }, { "Sid": "AWSLakeFormationDataAdminDeny", "Effect": "Deny", "Action": [ "lakeformation:PutDataLakeSettings" ], "Resource": "*" } ] }
Note
The AWSLakeFormationDataAdmin
policy does not grant every required
permission for data lake administrators. Additional permissions are needed to create and run
workflows and register locations with the service linked role
AWSServiceRoleForLakeFormationDataAccess
. For more information, see Create a data lake administrator and Using service-linked roles for Lake Formation.
Amazon managed policy:AWSLakeFormationCrossAccountManager
AWSLakeFormationCrossAccountManager
You can attach AWSLakeFormationCrossAccountManager
to your users, groups, and roles.
Permission details
This policy includes the following permissions.
Glue
– Allows principals to set or delete the Data Catalog resource policy for access control.Organizations
– Allows principals to retrieve account and organizational unit (OU) information for an organization.ram:CreateResourceShare
– Allows principals to create a resource share.ram:UpdateResourceShare
–Allows principals to modify some properties of the specified resource share.-
ram:DeleteResourceShare
– Allows principals to delete the specified resource share. ram:AssociateResourceShare
– Allows principals to add the specified list of principals and list of resources to a resource share.ram:DisassociateResourceShare
– Allows principals to remove the specified principals or resources from participating in the specified resource share.ram:GetResourceShares
– Allows principals to retrieve details about the resource shares that you own or that are shared with you.ram:RequestedResourceType
– Allows principals to retrieve the resource type (database, table or catalog).AssociateResourceSharePermission
– Allows principals to add or replace the Amazon RAM permission for a resource type included in a resource share. You can have exactly one permission associated with each resource type in the resource share.
{ "Version": "2012-10-17", "Statement": [{ "Sid": "AllowCreateResourceShare", "Effect": "Allow", "Action": [ "ram:CreateResourceShare" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "ram:RequestedResourceType": [ "glue:Table", "glue:Database", "glue:Catalog" ] } } }, { "Sid": "AllowManageResourceShare", "Effect": "Allow", "Action": [ "ram:UpdateResourceShare", "ram:DeleteResourceShare", "ram:AssociateResourceShare", "ram:DisassociateResourceShare", "ram:GetResourceShares" ], "Resource": "*", "Condition": { "StringLike": { "ram:ResourceShareName": [ "LakeFormation*" ] } } }, { "Sid": "AllowManageResourceSharePermissions", "Effect": "Allow", "Action": [ "ram:AssociateResourceSharePermission" ], "Resource": "*", "Condition": { "StringLike": { "ram:PermissionArn": [ "arn:aws:ram::aws:permission/AWSRAMLFEnabled*" ] } } }, { "Sid": "AllowXAcctManagerPermissions", "Effect": "Allow", "Action": [ "glue:PutResourcePolicy", "glue:DeleteResourcePolicy", "organizations:DescribeOrganization", "organizations:DescribeAccount", "ram:Get*", "ram:List*" ], "Resource": "*" }, { "Sid": "AllowOrganizationsPermissions", "Effect": "Allow", "Action": [ "organizations:ListRoots", "organizations:ListAccountsForParent", "organizations:ListOrganizationalUnitsForParent" ], "Resource": "*" } ] }
Amazon managed policy:AWSGlueConsoleFullAccess
AWSGlueConsoleFullAccess
In addition, Amazon Glue and Lake Formation assume the service role AWSGlueServiceRole
to
allow access to related services, including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), and
Amazon CloudWatch.
Amazon managed policy:LakeFormationDataAccessServiceRolePolicy
This policy is attached to a service-linked role named
ServiceRoleForLakeFormationDataAccess
that allows the service
to perform actions on resources at your request. You can't attach this policy to
your IAM identities.
This policy allows the Lake Formation integrated Amazon services such as Amazon Athena or Amazon Redshift to use the service-linked role to discover Amazon S3 resources.
For more information see, Using service-linked roles for Lake Formation.
Permission details
This policy includes the following permission.
-
s3:ListAllMyBuckets
– Returns a list of all buckets owned by the authenticated sender of the request.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "LakeFormationDataAccessServiceRolePolicy", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets" ], "Resource": [ "arn:aws:s3:::*" ] } ] }
Lake Formation updates to Amazon managed policies
View details about updates to Amazon managed policies for Lake Formation since this service began tracking these changes.
Change | Description | Date |
---|---|---|
Lake Formation updated AWSLakeFormationCrossAccountManager
policy. |
Lake Formation enhanced the AWSLakeFormationCrossAccountManager |
March, 2024 |
Lake Formation updated AWSLakeFormationDataAdmin
policy. |
Lake Formation enhanced the AWSLakeFormationDataAdmin |
March, 2024 |
Lake Formation updated LakeFormationDataAccessServiceRolePolicy
policy. |
Lake Formation enhanced the LakeFormationDataAccessServiceRolePolicy |
February, 2024 |
Lake Formation updated AWSLakeFormationCrossAccountManager policy.
|
Lake Formation enhanced the AWSLakeFormationCrossAccountManager |
October, 2023 |
Lake Formation updated AWSLakeFormationCrossAccountManager policy.
|
Lake Formation enhanced the AWSLakeFormationCrossAccountManager |
May 6, 2022 |
Lake Formation started tracking changes. | Lake Formation started tracking changes for its Amazon managed policies. | May 6, 2022 |
Personas suggested permissions
The following are the suggested permissions for each persona. The IAM administrator is not included because that user has all permissions on all resources.
Topics
Data lake administrator permissions
Important
In the following policies, replace <account-id>
with
a valid Amazon account number, and replace <workflow_role>
with the name of a role that has permissions to run a workflow, as defined in
Workflow role permissions.
Policy Type | Policy |
---|---|
Amazon managed policies |
For information about the optional Amazon managed policies, see Create a data lake administrator. |
Inline policy (for creating the Lake Formation service-linked role) |
|
(Optional) Inline policy (passrole policy for the workflow role). This is required only if the data lake administrator creates and runs workflows. |
|
(Optional) Inline policy (if your account is granting or
receiving cross-account Lake Formation permissions). This policy is for
accepting or rejecting Amazon RAM resource share invitations, and for
enabling the granting of cross-account permissions to organizations.
ram:EnableSharingWithAwsOrganization is required
only for data lake administrators in the Amazon Organizations
management account. |
|
Read only administrator permissions
Policy type | Policy |
---|---|
Inline policy (basic) |
|
Data engineer permissions
Important
In the following policies, replace <account-id>
with
a valid Amazon account number, and replace <workflow_role>
with the name of the workflow role.
Policy Type | Policy |
---|---|
Amazon managed policy | AWSGlueConsoleFullAccess |
Inline policy (basic) |
|
Inline policy (for operations on governed tables, including operations within transactions) |
|
Inline policy (for metadata access control using the Lake Formation tag-based access control (LF-TBAC) method) |
|
Inline policy (passrole policy for the workflow role) |
|
Data analyst permissions
Policy Type | Policy |
---|---|
Amazon managed policy | AmazonAthenaFullAccess |
Inline policy (basic) |
|
(Optional) Inline policy (for operations on governed tables, including operations within transactions) |
|
Workflow role permissions
This role has the permissions required to run a workflow. You specify a role with these permissions when you create a workflow.
Important
In the following policies, replace <region>
with a
valid Amazon Region identifier (for example us-east-1
),
<account-id>
with a valid Amazon account number,
<workflow_role>
with the name of the workflow role,
and <your-s3-cloudtrail-bucket>
with the Amazon S3 path to
your Amazon CloudTrail logs.
Policy Type | Policy |
---|---|
Amazon managed policy | AWSGlueServiceRole |
Inline policy (data access) |
|
Inline policy (passrole policy for the workflow role) |
|
Inline policy (for ingesting data outside the data lake, for example, Amazon CloudTrail logs) |
|