Service-linked role limitations

A service-linked role is a special type of IAM role that's linked directly to Amazon Lake Formation. This role has pre-defined permissions that allow Lake Formation to perform actions on your behalf across Amazon services.

The following limitations apply when using a service-linked role (SLR) to register data locations with Lake Formation.

You can't modify service-linked role policies once created.
A service linked role doesn't support encrypted catalog resources sharing across accounts. Encrypted resources require specific Amazon KMS key permissions. Service-linked roles have pre-defined permissions that don't include the ability to work with encrypted catalog resources across accounts.
When registering multiple Amazon S3 locations, using service-linked role may cause you to exceed your IAM policy limits quickly. This happens because with service-linked roles, Amazon writes the policy for you, and it increments as one large block that includes all your registrations. You can write customer-managed policies more efficiently, distribute permissions across multiple policies, or use different roles for different Regions.
Amazon EMR on EC2 can't access data you register data locations with service-linked roles.
Service-linked role operations bypass your Amazon service control policies.
When you register data locations with a service-linked role, it updates IAM policies with eventual consistency. For more information, see the the Troubleshoot IAM documentation in the IAM User Guide.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Cross-account data sharing best practices and considerations

Cross-Region data access limitations