Step 2: Register your data location, create an LF-Tag ontology, and grant permissions - Amazon Lake Formation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 2: Register your data location, create an LF-Tag ontology, and grant permissions

In this step, the data steward user defines the tag ontology with two LF-Tags: Confidential and Sensitive, and gives specific IAM principals the ability to attach newly created LF-Tags to resources.

Register a data location and define LF-Tag ontology
  1. Perform the first step as the data steward user (lf-data-steward) to verify the data in Amazon S3 and the Data Catalog in Lake Formation.

    1. Sign in to the Lake Formation console at https://console.amazonaws.cn/lakeformation/ as lf-data-steward with the password used while deploying the Amazon CloudFormation stack.

    2. In the navigation pane, under Permissions, choose Administrative roles and tasks.

    3. Choose Add in the Data lake administrators section.

    4. On the Add administrator page, for IAM users and roles, choose the user lf-data-steward.

    5. Choose Save to add lf-data-steward as a Lake Formation administrator.

  2. Next, update the Data Catalog settings so that Lake Formation permissions, rather than IAM-only access control, govern new catalog resources.

    1. In the navigation pane, under Administration, choose Data Catalog settings.

    2. Uncheck Use only IAM access control for new databases.

    3. Uncheck Use only IAM access control for new tables in new databases.

    4. Choose Save.

  3. Next, register the data location for the data lake.

    1. In the navigation pane, under Administration, choose Data lake locations.

    2. Choose Register location.

    3. On the Register location page, for Amazon S3 path, enter s3://lf-tagbased-demo-Account-ID.

    4. For IAM role, leave the default value AWSServiceRoleForLakeFormationDataAccess as it is.

    5. Choose Lake Formation as the permission mode.

    6. Choose Register location.

  4. Next, create the ontology by defining the LF-Tags.

    1. Under Permissions in the navigation pane, choose LF-Tags and permissions.

    2. Choose Add LF-Tag.

    3. For Key, enter Confidential.

    4. For Values, add True and False.

    5. Choose Add LF-Tag.

    6. Repeat the steps to create the LF-Tag Sensitive with the value True.

    You have created all the necessary LF-Tags for this exercise.

Grant permissions to IAM users
  1. Next, give specific IAM principals the ability to attach the newly created LF-Tags to resources.

    1. Under Permissions in the navigation pane, choose LF-Tags and permissions.

    2. In the LF-Tag permissions section, choose Grant permissions.

    3. For Permission type, choose LF-Tag key-value pair permissions.

    4. Select IAM users and roles.

    5. For IAM users and roles, search for and choose the lf-data-engineer role.

    6. In the LF-Tags section, add the key Confidential with values True and False, and the key Sensitive with value True.

    7. Under Permissions, select Describe and Associate for Permissions and Grantable permissions.

    8. Choose Grant.

  2. Next, grant permissions to lf-data-engineer to create databases in the Data Catalog and on the underlying Amazon S3 bucket created by Amazon CloudFormation.

    1. Under Administration in the navigation pane, choose Administrative roles and tasks.

    2. In the Database creators section, choose Grant.

    3. For IAM users and roles, choose the lf-data-engineer role.

    4. For Catalog permissions, select Create database.

    5. Choose Grant.

  3. Next, grant permissions on the Amazon S3 bucket (s3://lf-tagbased-demo-Account-ID) to the lf-data-engineer user.

    1. In the navigation pane, under Permissions, choose Data locations.

    2. Choose Grant.

    3. Select My account.

    4. For IAM users and roles, choose the lf-data-engineer role.

    5. For Storage locations, enter the Amazon S3 bucket created by the Amazon CloudFormation template (s3://lf-tagbased-demo-Account-ID).

    6. Choose Grant.

  4. Next, grant lf-data-engineer grantable permissions on resources associated with the LF-Tag expression Confidential=True.

    1. In the navigation pane, under Permissions, choose Data lake permissions.

    2. Choose Grant.

    3. Select IAM users and roles.

    4. Choose the role lf-data-engineer.

    5. In the LF-Tags or catalog resources section, select Resources matched by LF-Tags.

    6. Choose Add LF-Tag key-value pair.

    7. Add the key Confidential with the value True.

    8. In the Database permissions section, select Describe for Database permissions and Grantable permissions.

    9. In the Table permissions section, select Describe, Select, and Alter for both Table permissions and Grantable permissions.

    10. Choose Grant.

  5. Next, grant lf-data-engineer grantable permissions on resources associated with the LF-Tag expression Confidential=False.

    1. In the navigation pane, under Permissions, choose Data lake permissions.

    2. Choose Grant.

    3. Select IAM users and roles.

    4. Choose the role lf-data-engineer.

    5. Select Resources matched by LF-Tags.

    6. Choose Add LF-Tag.

    7. Add the key Confidential with the value False.

    8. In the Database permissions section, select Describe for Database permissions and Grantable permissions.

    9. In the Table and column permissions section, do not select anything.

    10. Choose Grant.

  6. Next, grant lf-data-engineer grantable permissions on resources associated with the LF-Tag key-value pairs Confidential=False and Sensitive=True.

    1. In the navigation pane, under Permissions, choose Data permissions.

    2. Choose Grant.

    3. Select IAM users and roles.

    4. Choose the role lf-data-engineer.

    5. In the LF-Tags or catalog resources section, select Resources matched by LF-Tags.

    6. Choose Add LF-Tag.

    7. Add the key Confidential with the value False.

    8. Choose Add LF-Tag key-value pair.

    9. Add the key Sensitive with the value True.

    10. In the Database permissions section, select Describe for Database permissions and Grantable permissions.

    11. In the Table permissions section, select Describe, Select, and Alter for both Table permissions and Grantable permissions.

    12. Choose Grant.
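The console steps above map onto a handful of Lake Formation API calls, and seeing them side by side makes the resulting permission model easier to review: the "Use only IAM access control" checkboxes become empty default-permission lists, each "Resources matched by LF-Tags" grant becomes one LFTagPolicy grant per resource type, and an expression with two keys (Confidential=False and Sensitive=True) matches only resources that carry both. The script below is an added example, not code from the Lake Formation documentation. It assumes a boto3 `lakeformation` client; the account ID is a constructed placeholder, the principals are assumed to be IAM users named as in this tutorial, and the `aws-cn` partition is used because this page describes the China Regions. The request builders run offline; only `apply()` talks to AWS.

```python
"""Lake Formation API equivalents of the console steps above (added example)."""

ACCOUNT_ID = "111122223333"   # constructed placeholder: replace with your account ID
PARTITION = "aws-cn"          # China Regions use the aws-cn partition
BUCKET = f"lf-tagbased-demo-{ACCOUNT_ID}"
BUCKET_ARN = f"arn:{PARTITION}:s3:::{BUCKET}"
STEWARD_ARN = f"arn:{PARTITION}:iam::{ACCOUNT_ID}:user/lf-data-steward"    # assumed IAM user
ENGINEER_ARN = f"arn:{PARTITION}:iam::{ACCOUNT_ID}:user/lf-data-engineer"  # assumed IAM user

# The LF-Tag ontology from "Register a data location and define LF-Tag ontology".
LF_TAGS = {"Confidential": ["True", "False"], "Sensitive": ["True"]}
TABLE_PERMS = ["DESCRIBE", "SELECT", "ALTER"]


def principal(arn):
    return {"DataLakePrincipalIdentifier": arn}


def data_lake_settings(existing_admins=()):
    """Steps 1-2: add the steward as a data lake administrator and switch new
    databases and tables from "Use only IAM access control" to Lake Formation
    permissions (an empty default-permission list is the unchecked box)."""
    admins = [a for a in existing_admins if a != principal(STEWARD_ARN)]
    admins.append(principal(STEWARD_ARN))
    return {
        "DataLakeAdmins": admins,
        "CreateDatabaseDefaultPermissions": [],
        "CreateTableDefaultPermissions": [],
    }


def lf_tag_permission_grant(arn, tag_key):
    """'LF-Tag key-value pair permissions': Describe and Associate, both grantable."""
    return {
        "Principal": principal(arn),
        "Resource": {"LFTag": {"CatalogId": ACCOUNT_ID, "TagKey": tag_key,
                               "TagValues": LF_TAGS[tag_key]}},
        "Permissions": ["DESCRIBE", "ASSOCIATE"],
        "PermissionsWithGrantOption": ["DESCRIBE", "ASSOCIATE"],
    }


def lf_tag_policy_grant(arn, expression, resource_type, permissions):
    """'Resources matched by LF-Tags' grant. Keys in one expression are ANDed:
    the resource must carry every key with one of the listed values."""
    return {
        "Principal": principal(arn),
        "Resource": {"LFTagPolicy": {
            "CatalogId": ACCOUNT_ID,
            "ResourceType": resource_type,   # "DATABASE" or "TABLE"
            "Expression": [{"TagKey": k, "TagValues": v} for k, v in expression.items()],
        }},
        "Permissions": permissions,
        "PermissionsWithGrantOption": permissions,   # the "Grantable permissions" column
    }


def engineer_grants():
    """Every GrantPermissions call from "Grant permissions to IAM users", in order."""
    grants = [lf_tag_permission_grant(ENGINEER_ARN, key) for key in LF_TAGS]
    # Database creator (Create database on the catalog).
    grants.append({"Principal": principal(ENGINEER_ARN),
                   "Resource": {"Catalog": {}}, "Permissions": ["CREATE_DATABASE"]})
    # Data location permission on the registered bucket.
    grants.append({"Principal": principal(ENGINEER_ARN),
                   "Resource": {"DataLocation": {"ResourceArn": BUCKET_ARN}},
                   "Permissions": ["DATA_LOCATION_ACCESS"]})
    # Step 4: Confidential=True -> database Describe; table Describe, Select, Alter.
    conf_true = {"Confidential": ["True"]}
    grants.append(lf_tag_policy_grant(ENGINEER_ARN, conf_true, "DATABASE", ["DESCRIBE"]))
    grants.append(lf_tag_policy_grant(ENGINEER_ARN, conf_true, "TABLE", TABLE_PERMS))
    # Step 5: Confidential=False -> database Describe only; no table grant at all.
    conf_false = {"Confidential": ["False"]}
    grants.append(lf_tag_policy_grant(ENGINEER_ARN, conf_false, "DATABASE", ["DESCRIBE"]))
    # Step 6: Confidential=False AND Sensitive=True -> database Describe plus table perms.
    conf_false_sens = {"Confidential": ["False"], "Sensitive": ["True"]}
    grants.append(lf_tag_policy_grant(ENGINEER_ARN, conf_false_sens, "DATABASE", ["DESCRIBE"]))
    grants.append(lf_tag_policy_grant(ENGINEER_ARN, conf_false_sens, "TABLE", TABLE_PERMS))
    return grants


def apply(lf):
    """Run the whole procedure against a boto3 'lakeformation' client."""
    current = lf.get_data_lake_settings()["DataLakeSettings"]
    current.update(data_lake_settings(current.get("DataLakeAdmins", [])))
    lf.put_data_lake_settings(DataLakeSettings=current)
    # UseServiceLinkedRole=True is the default AWSServiceRoleForLakeFormationDataAccess choice.
    lf.register_resource(ResourceArn=BUCKET_ARN, UseServiceLinkedRole=True)
    for key, values in LF_TAGS.items():
        lf.create_lf_tag(TagKey=key, TagValues=values)
    for grant in engineer_grants():
        lf.grant_permissions(**grant)


if __name__ == "__main__":
    import boto3   # only needed to apply; the builders above run without credentials
    apply(boto3.client("lakeformation"))
```

Reviewing `engineer_grants()` as a list is a quick way to confirm the intent of steps 4 to 6: a resource tagged Confidential=False without Sensitive=True yields only database Describe, and no table-level grant exists for that expression.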