IAM permissions required to grant or revoke Lake Formation permissions

All principals, including the data lake administrator, need the following Amazon Identity and Access Management (IAM) permissions to grant or revoke Amazon Lake Formation Data Catalog permissions or data location permissions with the Lake Formation API or the Amazon CLI:

lakeformation:GrantPermissions
lakeformation:BatchGrantPermissions
lakeformation:RevokePermissions
lakeformation:BatchRevokePermissions
glue:GetTable or glue:GetDatabase for a table or database that you're granting permissions using the named resource method.

Note

Data lake administrators have implicit Lake Formation permissions to grant and revoke Lake Formation permissions. But they still need the IAM permissions on the Lake Formation grant and revoke API operations.

IAM roles with AWSLakeFormationDataAdmin Amazon managed policy cannot add new data lake administrators because this policy contains an explicit deny for the Lake Formation API operation, PutDataLakeSetting.

The following IAM policy is recommended for principals who are not data lake administrators and who want to grant or revoke permissions using the Lake Formation console.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:ListPermissions",
                "lakeformation:GrantPermissions",
                "lakeformation:BatchGrantPermissions",
                "lakeformation:RevokePermissions",
                "lakeformation:BatchRevokePermissions",
                "glue:GetDatabases",
                "glue:SearchTables",
                "glue:GetTables",
                "glue:GetDatabase",
                "glue:GetTable",
                "iam:ListUsers",
                "iam:ListRoles",
                "sso-directory:DescribeUser",
                "sso-directory:DescribeGroup",
                "sso:DescribeInstance"
            ],
            "Resource": "*"
        }
    ]
}

All of the glue: and iam: permissions in this policy are available in the Amazon managed policy AWSGlueConsoleFullAccess.

To grant permissions by using Lake Formation tag-based access control (LF-TBAC), principals need additional IAM permissions. For more information, see Lake Formation tag-based access control best practices and considerations and Lake Formation personas and IAM permissions reference.

Cross-account permissions

Users who want to grant cross-account Lake Formation permissions by using the named resource method must also have the permissions in the AWSLakeFormationCrossAccountManager Amazon managed policy.

Data lake administrators need those same permissions for granting cross-account permissions, plus the Amazon Resource Access Manager (Amazon RAM) permission to enable granting permissions to organizations. For more information, see Data lake administrator permissions.

The administrative user

A principal with administrative permissions—for example, with the AdministratorAccess Amazon managed policy—has permissions to grant Lake Formation permissions and create data lake administrators. To deny a user or role access to Lake Formation administrator operations, attach or add into its policy a Deny statement for administrator API operations.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lakeformation:GetDataLakeSettings",
                "lakeformation:PutDataLakeSettings"
            ],
            "Effect": "Deny",
            "Resource": [
                "*"
            ]
        }
    ]
}

Important

To prevent users from adding themselves as an administrator with an extract, transform, and load (ETL) script, make sure that all non-administrator users and roles are denied access to these API operations. The AWSLakeFormationDataAdmin Amazon managed policy contains an explict deny for the Lake Formation API operation, PutDataLakeSetting that prevents users from adding new data lake administrators.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Granting and revoking Data Catalog permissions

Granting data lake permissions using the named resource method