Amazon service integrations with Lake Formation - Amazon Lake Formation

Amazon service integrations with Lake Formation

You can use Lake Formation to manage database, table, and column-level access permissions on data stored in Amazon S3. After your data is registered with Lake Formation, you can use Amazon analytical services such as Amazon Glue, Amazon Athena, Amazon Redshift Spectrum, and Amazon EMR to query the data. The following Amazon services integrate with Amazon Lake Formation and honor Lake Formation permissions.

Amazon Service Integration details
Amazon Glue

Reference topic: Using Amazon Lake Formation with Amazon Glue

Amazon Glue and Lake Formation share the same Data Catalog. For console operations (such as viewing a list of tables) and all API operations, Amazon Glue users can access only the databases and tables on which they have Lake Formation permissions.

Amazon Athena

Reference topic: Using Amazon Lake Formation with Amazon Athena

Use Lake Formation to allow or deny permissions to read data in Amazon S3. When Amazon Athena users select the Amazon Glue catalog in the query editor, they can query only the databases, tables, and columns that they have Lake Formation permissions on. Queries using manifests are not supported.

Currently, Lake Formation doesn't support managing permissions on write operations such as VACUUM, MERGE, UPDATE and OPTIMIZE on tables in Open Table Formats.

In addition to principals who authenticate with Athena through Amazon Identity and Access Management (IAM), Lake Formation supports Athena users who connect through the JDBC or ODBC driver and authenticate through SAML. Supported SAML providers include Okta and Microsoft Active Directory Federation Service (AD FS).

Amazon Redshift Spectrum

Reference topic: Using Amazon Lake Formation with Amazon Redshift Spectrum

When Amazon Redshift users create an external schema on a database in the Amazon Glue Data Catalog, they can query only the tables and columns in that schema on which they have Lake Formation permissions.

Amazon QuickSight Enterprise Edition

Reference: Using Amazon Lake Formation with Amazon QuickSight

When an Amazon QuickSight Enterprise Edition user queries a dataset in an Amazon S3 location, the user must have the Lake Formation SELECT permission on the data.

Amazon EMR

Reference: Using Amazon Lake Formation with Amazon EMR

You can integrate Lake Formation permissions when you create an Amazon EMR cluster with a runtime role.

A runtime role is an IAM role that you associate with Amazon EMR jobs or queries, and then Amazon EMR uses this role to access Amazon resources.

Lake Formation also works with Amazon Key Management Service (Amazon KMS) to enable you to more easily set up these integrated services to encrypt and decrypt data in Amazon Simple Storage Service (Amazon S3) locations.
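
The Athena and Redshift Spectrum rows above say a user can query only the columns on which they have Lake Formation permissions. The following added example (not part of the original documentation) computes that column set from grant records and flags sensitive columns a principal can read. The records are constructed, shaped like the `PrincipalResourcePermissions` entries of the Lake Formation `ListPermissions` API; the role ARNs, schema, and sensitivity labels are assumptions, and tag-based grants, data filters, and group membership are not evaluated.

```python
# Added example. Grant records are constructed, shaped like the
# PrincipalResourcePermissions entries of the Lake Formation ListPermissions API.
ANALYST = "arn:aws-cn:iam::111122223333:role/analyst"      # constructed
BI_ROLE = "arn:aws-cn:iam::111122223333:role/quicksight"   # constructed
SCHEMA = ["order_id", "total", "customer_email", "card_last4"]  # constructed
SENSITIVE = {"customer_email", "card_last4"}                    # assumed labels

GRANTS = [
    {"Principal": {"DataLakePrincipalIdentifier": ANALYST},
     "Resource": {"TableWithColumns": {"DatabaseName": "sales", "Name": "orders",
                                       "ColumnNames": ["order_id", "total"]}},
     "Permissions": ["SELECT"]},
    {"Principal": {"DataLakePrincipalIdentifier": BI_ROLE},
     "Resource": {"TableWithColumns": {"DatabaseName": "sales", "Name": "orders",
                  "ColumnWildcard": {"ExcludedColumnNames": ["card_last4"]}}},
     "Permissions": ["SELECT"]},
    {"Principal": {"DataLakePrincipalIdentifier": ANALYST},
     "Resource": {"Table": {"DatabaseName": "sales", "Name": "orders"}},
     "Permissions": ["DESCRIBE"]},   # metadata only, grants no column reads
]

def selectable_columns(grants, principal, database, table, schema):
    """Columns of `schema` that direct grants let `principal` SELECT."""
    allowed = set()
    for g in grants:
        if g["Principal"]["DataLakePrincipalIdentifier"] != principal:
            continue
        if not {"SELECT", "ALL"} & set(g.get("Permissions", [])):
            continue
        res = g["Resource"]
        if "Table" in res:                      # whole-table grant
            t = res["Table"]
            if t["DatabaseName"] == database and (
                    t.get("Name") == table or "TableWildcard" in t):
                allowed |= set(schema)
        elif "TableWithColumns" in res:         # column-level grant
            t = res["TableWithColumns"]
            if (t["DatabaseName"], t["Name"]) != (database, table):
                continue
            if "ColumnWildcard" in t:           # all columns except the excluded
                excl = t["ColumnWildcard"].get("ExcludedColumnNames", [])
                allowed |= set(schema) - set(excl)
            else:
                allowed |= set(t.get("ColumnNames", [])) & set(schema)
    return allowed

def exposed_sensitive(grants, principal, database, table, schema, sensitive):
    """Sensitive columns the principal can read; an empty set is the goal."""
    cols = selectable_columns(grants, principal, database, table, schema)
    return sorted(cols & set(sensitive))
```

An exclusion-style grant (`ColumnWildcard`) picks up any column added to the table later, so it deserves a re-check after schema changes.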