Registering an encrypted Amazon S3 location - Amazon Lake Formation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Registering an encrypted Amazon S3 location

Lake Formation integrates with Amazon Key Management Service (Amazon KMS) to enable you to more easily set up other integrated services to encrypt and decrypt data in Amazon Simple Storage Service (Amazon S3) locations.

Both customer managed Amazon KMS keys and Amazon managed keys are supported. Currently, client-side encryption/decryption is supported only with Athena.

You must specify an Amazon Identity and Access Management (IAM) role when you register an Amazon S3 location. For encrypted Amazon S3 locations, either the role must have permission to encrypt and decrypt data with the Amazon KMS key, or the KMS key policy must grant permissions on the key to the role. Keep in mind that an IAM policy attached to the role is effective only if the key policy allows IAM policies to delegate access to the key; for a customer managed key, the default "Enable IAM User Permissions" statement for the account root does this. If that statement has been removed from the key policy, the role must be named in the key policy itself.

Important

Avoid registering an Amazon S3 bucket that has Requester pays enabled. For buckets registered with Lake Formation, the role used to register the bucket is always viewed as the requester. So even when the bucket is accessed by another Amazon account, the bucket owner is charged for data access as long as the registering role belongs to the bucket owner's account, which defeats the purpose of Requester pays.

The simplest way to register the location is to use the Lake Formation service-linked role. This role grants the required read/write permissions on the location. You may also use a custom role to register the location, provided that it meets the requirements in Requirements for roles used to register locations.

Important

If you used an Amazon managed key (aws/s3) to encrypt the Amazon S3 location, you can't use the Lake Formation service-linked role. You must use a custom role and add IAM permissions on the key to the role. Details are provided later in this section.

The following procedures explain how to register an Amazon S3 location that is encrypted with either a customer managed key or an Amazon managed key.

Before You Begin

Review the requirements for the role used to register the location.

To register an Amazon S3 location encrypted with a customer managed key
Note

If the KMS key or the Amazon S3 location is not in the same Amazon account as the Data Catalog, follow the instructions in Registering an encrypted Amazon S3 location across Amazon accounts instead.

  1. Open the Amazon KMS console at https://console.amazonaws.cn/kms and log in as an Amazon Identity and Access Management (IAM) administrative user or as a user who can modify the key policy of the KMS key used to encrypt the location.

  2. In the navigation pane, choose Customer managed keys, and then choose the name of the desired KMS key.

  3. On the KMS key details page, choose the Key policy tab, and then do one of the following to add your custom role or the Lake Formation service-linked role as a KMS key user:

    • If the default view is showing (with Key administrators, Key deletion, Key users, and Other Amazon accounts sections) – Under the Key users section, add your custom role or the Lake Formation service-linked role AWSServiceRoleForLakeFormationDataAccess.

    • If the key policy (JSON) is showing – Edit the policy to add your custom role or the Lake Formation service-linked role AWSServiceRoleForLakeFormationDataAccess to the object "Allow use of the key," as shown in the following example.

      Note

      If that object is missing, add it with the permissions shown in the example. The example uses the service-linked role.

      ...
      {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::111122223333:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess",
                  "arn:aws:iam::111122223333:user/keyuser"
              ]
          },
          "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
          ],
          "Resource": "*"
      },
      ...
  4. Open the Amazon Lake Formation console at https://console.amazonaws.cn/lakeformation/. Sign in as the data lake administrator or as a user with the lakeformation:RegisterResource IAM permission.

  5. In the navigation pane, under Register and Ingest, choose Data lake locations.

  6. Choose Register location, and then choose Browse to select an Amazon Simple Storage Service (Amazon S3) path.

  7. (Optional, but strongly recommended) Choose Review location permissions to view a list of all existing resources in the selected Amazon S3 location and their permissions.

    Registering the selected location might result in your Lake Formation users gaining access to data already at that location. Viewing this list helps you ensure that existing data remains secure.

  8. For IAM role, choose either the AWSServiceRoleForLakeFormationDataAccess service-linked role (the default) or your custom role that meets the Requirements for roles used to register locations.

  9. Choose Register location.

For more information about the service-linked role, see Service-linked role permissions for Lake Formation.
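When the key policy is edited outside the console (in a pipeline, or with aws kms get-key-policy / put-key-policy), the two things Step 3 asks for are to check whether the registering role is already a key user and to add the "Allow use of the key" statement when the Note says it is missing. The following Python is an added example written for this page; it is not Lake Formation or Amazon KMS code. It operates on a key policy document in the JSON form the service returns, uses a constructed sample policy, and reuses the page's placeholder account 111122223333 and the service-linked role ARN. It only inspects Allow statements that name the principal directly; Deny statements and Condition blocks are not evaluated, so treat it as a pre-flight check rather than proof of access.

```python
import copy
import json

# The five actions the page's "Allow use of the key" statement grants.
KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]
KEY_USE_SID = "Allow use of the key"

# Page placeholders: account 111122223333 and the service-linked role.
SLR_ARN = ("arn:aws:iam::111122223333:role/aws-service-role/"
           "lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess")

# Constructed sample key policy (not from the page): only the default statement
# that lets IAM policies in the account delegate use of the key.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}


def _as_list(value):
    """Principal.AWS and Action may be a single string or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """AWS principals named by a statement; '*' (everyone) is returned as-is."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _covers(needed, granted):
    """True if a granted action (literal, or ending in '*') covers `needed`."""
    if granted.endswith("*"):
        return needed.startswith(granted[:-1])
    return needed == granted


def missing_key_actions(policy, principal_arn):
    """Key-use actions that no Allow statement grants to `principal_arn`.

    Deny statements and Condition blocks are ignored, so an empty result means
    "nothing obviously missing", not that access is guaranteed.
    """
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        names = _aws_principals(stmt)
        if principal_arn not in names and "*" not in names:
            continue
        granted.update(_as_list(stmt.get("Action")))
    return [a for a in KEY_USE_ACTIONS if not any(_covers(a, g) for g in granted)]


def add_key_user(policy, principal_arn):
    """Return a copy of `policy` with `principal_arn` added as a key user.

    If the "Allow use of the key" statement exists, the principal is appended
    to its Principal.AWS list (idempotently); if it is missing, the statement
    is created with the actions shown on the page, as the Note instructs.
    """
    new_policy = copy.deepcopy(policy)
    statements = new_policy.setdefault("Statement", [])
    for stmt in statements:
        if stmt.get("Sid") == KEY_USE_SID:
            if not isinstance(stmt.get("Principal"), dict):
                stmt["Principal"] = {}  # replaces a string principal such as "*"
            principals = _as_list(stmt["Principal"].get("AWS"))
            if principal_arn not in principals:
                principals.append(principal_arn)
            stmt["Principal"]["AWS"] = principals
            return new_policy
    statements.append({
        "Sid": KEY_USE_SID,
        "Effect": "Allow",
        "Principal": {"AWS": [principal_arn]},
        "Action": list(KEY_USE_ACTIONS),
        "Resource": "*",
    })
    return new_policy


if __name__ == "__main__":
    print("missing before:", missing_key_actions(SAMPLE_POLICY, SLR_ARN))
    updated = add_key_user(SAMPLE_POLICY, SLR_ARN)
    print("missing after: ", missing_key_actions(updated, SLR_ARN))
    # Apply with: aws kms put-key-policy --key-id <key-id> --policy-name default \
    #               --policy file://policy.json
    print(json.dumps(updated, indent=2))
```

Run against a real policy, the script is a safe dry run: it never calls the service, it prints the merged document, and the existing "Enable IAM User Permissions" statement is left in place so IAM policies in the account keep working.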

To register an Amazon S3 location encrypted with an Amazon managed key
Important

If the Amazon S3 location is not in the same Amazon account as the Data Catalog, follow the instructions in Registering an encrypted Amazon S3 location across Amazon accounts instead.

  1. Create an IAM role to use to register the location. Ensure that it meets the requirements listed in Requirements for roles used to register locations.

  2. Add the following inline policy to the role. It grants permissions on the key to the role. The Resource element must be the Amazon Resource Name (ARN) of the Amazon managed key itself (arn:...:key/<key-id>), not the alias ARN (alias/aws/s3) and not a bare key ID; IAM matches Resource against the key ARN, and anything else leaves the role unable to decrypt. You can obtain the ARN from the Amazon KMS console. To get the correct ARN, ensure that you log in to the Amazon KMS console with the same Amazon account and Region as the Amazon managed key that was used to encrypt the location.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Resource": "<Amazon managed key ARN>"
            }
        ]
    }
  3. Open the Amazon Lake Formation console at https://console.amazonaws.cn/lakeformation/. Sign in as the data lake administrator or as a user with the lakeformation:RegisterResource IAM permission.

  4. In the navigation pane, under Register and Ingest, choose Data lake locations.

  5. Choose Register location, and then choose Browse to select an Amazon S3 path.

  6. (Optional, but strongly recommended) Choose Review location permissions to view a list of all existing resources in the selected Amazon S3 location and their permissions.

    Registering the selected location might result in your Lake Formation users gaining access to data already at that location. Viewing this list helps you ensure that existing data remains secure.

  7. For IAM role, choose the role that you created in Step 1.

  8. Choose Register location.
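The same procedure done from a script rather than the console comes down to two documents: the inline policy from Step 2, scoped to the managed key's ARN, and the RegisterResource request from Steps 3 to 8, which takes the location as an S3 ARN and the custom role's ARN. The following Python is an added example for this page, not Lake Formation's own code. It validates that the key reference really is a key ARN (the mistake Step 2 warns about), converts an s3:// path into the ARN form the API expects, and builds the request parameters; the key ARN, role ARN and bucket prefix in the usage section are constructed values, and the partition prefix (aws-cn in the China Regions, aws elsewhere) is passed in explicitly.

```python
import json
import re

# Actions the page's inline policy grants on the key.
KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]

# A KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<key-id>.
KEY_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-cn|-us-gov)?):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]{36})$"
)
S3_PATH_RE = re.compile(r"^s3://([a-z0-9.-]{3,63})(?:/(.*))?$")


def key_inline_policy(key_arn):
    """Build the page's inline policy, scoped to one KMS key ARN.

    Rejects anything that is not a key ARN: an alias ARN such as
    .../alias/aws/s3 or a bare key ID in Resource does not match the key in
    an IAM policy, so the role would still be unable to decrypt.
    """
    if not KEY_ARN_RE.match(key_arn):
        raise ValueError(f"not a KMS key ARN: {key_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(KEY_USE_ACTIONS),
            "Resource": key_arn,
        }],
    }


def s3_path_to_arn(s3_path, partition="aws"):
    """Convert s3://bucket[/prefix] into the ARN that RegisterResource takes."""
    m = S3_PATH_RE.match(s3_path)
    if not m:
        raise ValueError(f"not an S3 path: {s3_path!r}")
    bucket, prefix = m.group(1), m.group(2) or ""
    arn = f"arn:{partition}:s3:::{bucket}"
    return f"{arn}/{prefix}" if prefix else arn


def register_resource_params(s3_path, role_arn=None, partition="aws"):
    """Parameters for the Lake Formation RegisterResource API call.

    role_arn=None requests the service-linked role, which the page says cannot
    be used for a location encrypted with the aws/s3 managed key; for that
    procedure pass the custom role created in Step 1.
    """
    params = {"ResourceArn": s3_path_to_arn(s3_path, partition)}
    if role_arn is None:
        params["UseServiceLinkedRole"] = True
    else:
        params["RoleArn"] = role_arn
    return params


if __name__ == "__main__":
    # Constructed values (not from the page): a managed key in cn-north-1, a
    # custom role that meets the role requirements, and a prefix to register.
    key_arn = ("arn:aws-cn:kms:cn-north-1:111122223333:key/"
               "1234abcd-12ab-34cd-56ef-1234567890ab")
    role_arn = "arn:aws-cn:iam::111122223333:role/LakeFormationRegisterRole"
    policy = key_inline_policy(key_arn)
    params = register_resource_params("s3://my-data-lake/raw/", role_arn,
                                      partition="aws-cn")
    # Step 2: aws iam put-role-policy --role-name LakeFormationRegisterRole \
    #           --policy-name kms-key-use --policy-document file://policy.json
    print(json.dumps(policy, indent=2))
    # Steps 3-8 through the API instead of the console:
    #   boto3.client("lakeformation").register_resource(**params)
    print(json.dumps(params, indent=2))
```

Registering a prefix rather than the whole bucket keeps the registered location, and therefore what Lake Formation users can be granted access to, as narrow as the data lake actually needs; the Review location permissions step still applies, since existing objects under that prefix become reachable once it is registered.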