Step 2: Register your data location, create an LF-Tag ontology, and grant permissions
In this step, the data steward user defines the tag ontology with two LF-Tags, Confidential and Sensitive, and gives specific IAM principals the ability to attach newly created LF-Tags to resources.
Register a data location and define LF-Tag ontology
Perform the first step as the data steward user (lf-data-steward) to verify the data in Amazon S3 and the Data Catalog in Lake Formation.
1. Sign in to the Lake Formation console at https://console.amazonaws.cn/lakeformation/ as lf-data-steward with the password used while deploying the Amazon CloudFormation stack.
2. In the navigation pane, under Permissions, choose Administrative roles and tasks.
3. Choose Add in the Data lake administrators section.
4. On the Add administrator page, for IAM users and roles, choose the user lf-data-steward.
5. Choose Save to add lf-data-steward as a Lake Formation administrator.
Next, update the Data Catalog settings to use Lake Formation permissions to control catalog resources instead of IAM-based access control.
1. In the navigation pane, under Administration, choose Data Catalog settings.
2. Uncheck Use only IAM access control for new databases.
3. Uncheck Use only IAM access control for new tables in new databases.
4. Click Save.
Next, register the data location for the data lake.
1. In the navigation pane, under Administration, choose Data lake locations.
2. Choose Register location.
3. On the Register location page, for Amazon S3 path, enter s3://lf-tagbased-demo-Account-ID.
4. For IAM role, leave the default value AWSServiceRoleForLakeFormationDataAccess as it is.
5. Choose Lake Formation as the permission mode.
6. Choose Register location.
Next, create the ontology by defining an LF-Tag.
1. Under Permissions in the navigation pane, choose LF-Tags and permissions.
2. Choose Add LF-Tag.
3. For Key, enter Confidential.
4. For Values, add True and False.
5. Choose Add LF-Tag.
Repeat the steps to create the LF-Tag Sensitive with the value True.
You have created all the necessary LF-Tags for this exercise.
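The steward's console steps above, expressed as the equivalent Lake Formation API requests so the setup can be reviewed before it is applied. This is an added example, not code from the AWS page; it builds boto3-style request dicts (PutDataLakeSettings, RegisterResource, CreateLFTag) and only talks to AWS when run as a script. The account ID 123456789012 and the "aws" partition are constructed assumptions; China regions, which the console URL above belongs to, use the "aws-cn" partition.

```python
"""Added example, not from the AWS page: the steward's console steps above
expressed as Lake Formation API requests (plain dicts in boto3 parameter
form) so the setup can be reviewed before it is applied.

Constructed assumptions: account ID 123456789012 and the "aws" partition
(China regions, like the console URL above, use "aws-cn")."""
from __future__ import annotations

import copy

ACCOUNT_ID = "123456789012"   # constructed placeholder, not a real account
PARTITION = "aws"             # "aws-cn" in China regions
STEWARD_ARN = f"arn:{PARTITION}:iam::{ACCOUNT_ID}:user/lf-data-steward"
BUCKET = f"lf-tagbased-demo-{ACCOUNT_ID}"


def data_lake_settings(current: dict, admin_arn: str) -> dict:
    """PutDataLakeSettings request that adds admin_arn to the administrators
    and clears the "Use only IAM access control" defaults for new databases
    and tables. PutDataLakeSettings replaces the whole settings object, so
    start from the result of GetDataLakeSettings to keep existing admins."""
    settings = copy.deepcopy(current)
    admins = settings.setdefault("DataLakeAdmins", [])
    if not any(a["DataLakePrincipalIdentifier"] == admin_arn for a in admins):
        admins.append({"DataLakePrincipalIdentifier": admin_arn})
    # The console default is IAM_ALLOWED_PRINCIPALS with ALL; an empty list
    # is what unchecking both boxes writes.
    settings["CreateDatabaseDefaultPermissions"] = []
    settings["CreateTableDefaultPermissions"] = []
    return {"CatalogId": ACCOUNT_ID, "DataLakeSettings": settings}


def register_location(bucket: str) -> dict:
    """RegisterResource request: Lake Formation permission mode with the
    service-linked role AWSServiceRoleForLakeFormationDataAccess."""
    return {"ResourceArn": f"arn:{PARTITION}:s3:::{bucket}",
            "UseServiceLinkedRole": True}


def create_lf_tag(key: str, values: list[str]) -> dict:
    """CreateLFTag request for one key of the ontology."""
    return {"CatalogId": ACCOUNT_ID, "TagKey": key, "TagValues": list(values)}


def setup_plan(current_settings: dict) -> list[tuple[str, dict]]:
    """The steward's steps as (boto3 lakeformation method, request) pairs."""
    return [
        ("put_data_lake_settings", data_lake_settings(current_settings, STEWARD_ARN)),
        ("register_resource", register_location(BUCKET)),
        ("create_lf_tag", create_lf_tag("Confidential", ["True", "False"])),
        ("create_lf_tag", create_lf_tag("Sensitive", ["True"])),
    ]


def apply_plan(client, plan: list[tuple[str, dict]]) -> list[str]:
    """Issue each request on a boto3 lakeformation client (or any object with
    the same method names, which is how the plan is exercised offline)."""
    issued = []
    for method, request in plan:
        getattr(client, method)(**request)
        issued.append(method)
    return issued


if __name__ == "__main__":
    import boto3  # only needed to apply the plan against a real account
    lf = boto3.client("lakeformation")
    current = lf.get_data_lake_settings(CatalogId=ACCOUNT_ID)["DataLakeSettings"]
    print(apply_plan(lf, setup_plan(current)))
```

The plan is deliberately built as data first: PutDataLakeSettings overwrites the catalog's settings wholesale, so reading the current settings and merging the new administrator in, rather than writing a fresh object, is what keeps an existing data lake administrator from being silently dropped.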
Grant permissions to IAM users
Next, give specific IAM principals the ability to attach newly created LF-Tags to resources.
1. Under Permissions in the navigation pane, choose LF-Tags and permissions.
2. In the LF-Tag permissions section, choose Grant permissions.
3. For Permission type, choose LF-Tag key-value pair permissions.
4. Select IAM users and roles.
5. For IAM users and roles, search for and choose the lf-data-engineer role.
6. In the LF-Tags section, add the key Confidential with values True and False, and the key Sensitive with value True.
7. Under Permissions, select Describe and Associate for Permissions and Grantable permissions.
8. Choose Grant.
Next, grant permissions to lf-data-engineer to create databases in our Data Catalog and on the underlying Amazon S3 bucket created by Amazon CloudFormation.
1. Under Administration in the navigation pane, choose Administrative roles and tasks.
2. In the Database creators section, choose Grant.
3. For IAM users and roles, choose the lf-data-engineer role.
4. For Catalog permissions, select Create database.
5. Choose Grant.
Next, grant permissions on the Amazon S3 bucket (s3://lf-tagbased-demo-Account-ID) to the lf-data-engineer user.
1. In the navigation pane, under Permissions, choose Data locations.
2. Choose Grant.
3. Select My account.
4. For IAM users and roles, choose the lf-data-engineer role.
5. For Storage locations, enter the Amazon S3 bucket created by the Amazon CloudFormation template (s3://lf-tagbased-demo-Account-ID).
6. Choose Grant.
Next, grant lf-data-engineer grantable permissions on resources associated with the LF-Tag expression Confidential=True.
1. In the navigation pane, under Permissions, choose Data lake permissions.
2. Choose Grant.
3. Select IAM users and roles.
4. Choose the role lf-data-engineer.
5. In the LF-Tags or catalog resources section, select Resources matched by LF-Tags.
6. Choose Add LF-Tag key-value pair.
7. Add the key Confidential with the value True.
8. In the Database permissions section, select Describe for Database permissions and Grantable permissions.
9. In the Table permissions section, select Describe, Select, and Alter for both Table permissions and Grantable permissions.
10. Choose Grant.
Next, grant lf-data-engineer grantable permissions on resources associated with the LF-Tag expression Confidential=False.
1. In the navigation pane, under Permissions, choose Data lake permissions.
2. Choose Grant.
3. Select IAM users and roles.
4. Choose the role lf-data-engineer.
5. Select Resources matched by LF-Tags.
6. Choose Add LF-Tag.
7. Add the key Confidential with the value False.
8. In the Database permissions section, select Describe for Database permissions and Grantable permissions.
9. In the Table and column permissions section, do not select anything.
10. Choose Grant.
Next, we grant lf-data-engineer grantable permissions on resources associated with the LF-Tag key-value pairs Confidential=False and Sensitive=True.
1. In the navigation pane, under Permissions, choose Data permissions.
2. Choose Grant.
3. Select IAM users and roles.
4. Choose the role lf-data-engineer.
5. Under the LF-Tags or catalog resources section, select Resources matched by LF-Tags.
6. Choose Add LF-Tag.
7. Add the key Confidential with the value False.
8. Choose Add LF-Tag key-value pair.
9. Add the key Sensitive with the value True.
10. In the Database permissions section, select Describe for Database permissions and Grantable permissions.
11. In the Table permissions section, select Describe, Select, and Alter for both Table permissions and Grantable permissions.
12. Choose Grant.
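The grants to lf-data-engineer in this section, expressed as Lake Formation GrantPermissions requests together with a check on their scope. This is an added example, not code from the AWS page: it maps each console grant to its API shape (LFTag, Catalog, DataLocation and LFTagPolicy resources), and the console's separate Database and Table permission sections become separate DATABASE and TABLE LFTagPolicy requests for the same tag expression. The helper table_permissions() makes the intended gap visible: the Confidential=False expression on its own carries no table permissions, only the combination with Sensitive=True does. The account ID 123456789012, the "aws" partition, and the role ARN built from them are constructed assumptions.

```python
"""Added example, not from the AWS page: the grants to lf-data-engineer in
this step as Lake Formation GrantPermissions requests, with a check that the
Confidential=False expression carries no table permissions on its own.

Constructed assumptions: account ID 123456789012 and the "aws" partition."""
from __future__ import annotations

ACCOUNT_ID = "123456789012"   # constructed placeholder, not a real account
PARTITION = "aws"             # "aws-cn" in China regions
ENGINEER_ARN = f"arn:{PARTITION}:iam::{ACCOUNT_ID}:role/lf-data-engineer"
BUCKET_ARN = f"arn:{PARTITION}:s3:::lf-tagbased-demo-{ACCOUNT_ID}"
TABLE_PERMS = ["DESCRIBE", "SELECT", "ALTER"]


def grant(resource: dict, permissions: list[str],
          grantable: list[str] | None = None, principal: str = ENGINEER_ARN) -> dict:
    """One GrantPermissions request. Grantable permissions let the grantee
    pass the same rights on, so that list is never wider than Permissions."""
    return {
        "CatalogId": ACCOUNT_ID,
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": resource,
        "Permissions": list(permissions),
        "PermissionsWithGrantOption": list(grantable or []),
    }


def tag_policy(resource_type: str, expression: dict[str, list[str]]) -> dict:
    """Resource "matched by LF-Tags": every key-value pair must match."""
    return {"LFTagPolicy": {
        "CatalogId": ACCOUNT_ID,
        "ResourceType": resource_type,   # "DATABASE" or "TABLE"
        "Expression": [{"TagKey": k, "TagValues": list(v)} for k, v in expression.items()],
    }}


def tag_expression_grants(expression: dict[str, list[str]], with_tables: bool) -> list[dict]:
    """The console's Database and Table permission sections map to separate
    DATABASE and TABLE LFTagPolicy requests for the same expression."""
    out = [grant(tag_policy("DATABASE", expression), ["DESCRIBE"], ["DESCRIBE"])]
    if with_tables:
        out.append(grant(tag_policy("TABLE", expression), TABLE_PERMS, TABLE_PERMS))
    return out


def engineer_grants() -> list[dict]:
    """All grants of this step, in the order the page performs them."""
    grants = []
    # LF-Tag key-value pair permissions: the API takes one tag key per request
    for key, values in (("Confidential", ["True", "False"]), ("Sensitive", ["True"])):
        tag = {"LFTag": {"CatalogId": ACCOUNT_ID, "TagKey": key, "TagValues": values}}
        grants.append(grant(tag, ["DESCRIBE", "ASSOCIATE"], ["DESCRIBE", "ASSOCIATE"]))
    # Database creator on the catalog, then access to the registered S3 location
    grants.append(grant({"Catalog": {}}, ["CREATE_DATABASE"]))
    grants.append(grant({"DataLocation": {"CatalogId": ACCOUNT_ID, "ResourceArn": BUCKET_ARN}},
                        ["DATA_LOCATION_ACCESS"]))
    # Tag-expression grants: database-level only for Confidential=False alone
    grants += tag_expression_grants({"Confidential": ["True"]}, with_tables=True)
    grants += tag_expression_grants({"Confidential": ["False"]}, with_tables=False)
    grants += tag_expression_grants({"Confidential": ["False"], "Sensitive": ["True"]},
                                    with_tables=True)
    return grants


def table_permissions(grants: list[dict], expression: dict[str, list[str]]) -> set[str]:
    """Permissions granted on TABLE resources whose expression is exactly
    `expression`; used to confirm the intended scope of each tag-based grant."""
    wanted = tag_policy("TABLE", expression)["LFTagPolicy"]["Expression"]
    perms: set[str] = set()
    for g in grants:
        policy = g["Resource"].get("LFTagPolicy")
        if policy and policy["ResourceType"] == "TABLE" and policy["Expression"] == wanted:
            perms.update(g["Permissions"])
    return perms


if __name__ == "__main__":
    import boto3  # only needed to apply the grants against a real account
    lf = boto3.client("lakeformation")
    for request in engineer_grants():
        lf.grant_permissions(**request)
```

Reviewing the grants as data before applying them is the practical value here: every request carries its grantable list no wider than its permissions, and table_permissions() confirms that a table tagged only Confidential=False receives nothing from this step, which is the page's intent when it says to select nothing in the Table and column permissions section.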