Sharing a data lake using Lake Formation tag-based access control and named resources
This tutorial demonstrates how you can configure Amazon Lake Formation to securely share data stored within a data lake with multiple companies, organizations, or business units, without having to copy the entire database. There are two options to share your databases and tables with another Amazon Web Services account by using Lake Formation cross-account access control:
Lake Formation tag-based access control (recommended)
Lake Formation tag-based access control is an authorization strategy that defines permissions based on attributes. In Lake Formation, these attributes are called LF-Tags. For more details, refer to Managing a data lake using Lake Formation tag-based access control.
Lake Formation named resources
The Lake Formation named resource method is an authorization strategy that defines permissions for resources. Resources include databases, tables, and columns. Data lake administrators can assign and revoke permissions on Lake Formation resources. For more details, refer to Cross-account data sharing in Lake Formation.
We recommend the named resource method if the data lake administrator prefers to grant permissions explicitly to individual resources. When you use the named resource method to grant Lake Formation permissions on a Data Catalog resource to an external account, Lake Formation uses Amazon Resource Access Manager (Amazon RAM) to share the resource.
Topics
- Intended audience
- Configure Lake Formation Data Catalog settings in the producer account
- Step 1: Provision your resources using Amazon CloudFormation templates
- Step 2: Lake Formation cross-account sharing prerequisites
- Step 3: Implement cross-account sharing using the tag-based access control method
- Step 4: Implement the named resource method
- Step 5: Clean up Amazon resources