Configure Lake Formation Data Catalog settings in the producer account - Amazon Lake Formation
Configure Lake Formation Data Catalog settings in the producer account

Before you start this tutorial, you must have an Amazon Web Services account that you can use to sign in as an administrative user with correct permissions. For more information, see Complete initial Amazon configuration tasks.

The tutorial assumes that you are familiar with IAM. For information about IAM, see the IAM User Guide.

Note

In this tutorial, the account that has the source table is called the producer account, and the account that needs access to the source table is called a consumer account.

Lake Formation provides its own permission management model. To maintain backward compatibility with the IAM permission model, the Super permission is granted to the group IAMAllowedPrincipals on all existing Amazon Glue Data Catalog resources by default. Also, the Use only IAM access control settings are enabled for new Data Catalog resources. This tutorial uses Lake Formation permissions for fine-grained access control and IAM policies for coarse-grained access control. See Methods for fine-grained access control for details. Therefore, before you use an Amazon CloudFormation template for a quick setup, you need to change the Lake Formation Data Catalog settings in the producer account.

Important

This setting affects all newly created databases and tables, so we strongly recommend completing this tutorial in a non-production account or in a new account. Also, if you are using a shared account (such as your company's development account), make sure the change does not affect other users' resources. If you prefer to keep the default security settings, you must complete an extra step when sharing resources with other accounts, in which you revoke the default Super permission from IAMAllowedPrincipals on the database or table. We discuss the details later in this tutorial.

To configure Lake Formation Data Catalog settings in the producer account, complete the following steps:

  1. Sign in to the Amazon Web Services Management Console using the producer account as an admin user, or as a user with permission to call the Lake Formation PutDataLakeSettings API.

  2. On the Lake Formation console, in the navigation pane, under Data Catalog, choose Settings.

  3. Deselect Use only IAM access control for new databases and Use only IAM access control for new tables in new databases, then choose Save.

    Additionally, you can remove the CREATE_DATABASE permission for IAMAllowedPrincipals under Administrative roles and tasks, Database creators. Only then can you govern who can create a new database through Lake Formation permissions.
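The same change made through the API rather than the console, as an added example that is not part of the AWS documentation. It uses the real boto3 Lake Formation calls GetDataLakeSettings, PutDataLakeSettings and RevokePermissions; the stub-friendly `lf` parameter, the function names and the `__main__` block (which assumes credentials for the producer account) are this example's own.

```python
from copy import deepcopy

# Principal identifier that the Lake Formation API uses for the
# IAMAllowedPrincipals group shown in the console.
IAM_ALLOWED = {"DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"}
DEFAULT_KEYS = ("CreateDatabaseDefaultPermissions", "CreateTableDefaultPermissions")


def uses_iam_only_control(settings):
    """True if either 'Use only IAM access control' default is still enabled.

    In the API, each console checkbox is a default grant of ALL (Super) to
    IAM_ALLOWED_PRINCIPALS on new databases or on new tables in new databases.
    """
    return any(
        entry.get("Principal") == IAM_ALLOWED and "ALL" in entry.get("Permissions", [])
        for key in DEFAULT_KEYS
        for entry in settings.get(key, [])
    )


def hardened_settings(settings):
    """Copy of the settings with both IAM-only defaults cleared, all else kept.

    PutDataLakeSettings replaces the whole settings object, so DataLakeAdmins
    and every other field must be carried over, not rebuilt from scratch.
    """
    new = deepcopy(settings)
    for key in DEFAULT_KEYS:
        new[key] = [e for e in new.get(key, []) if e.get("Principal") != IAM_ALLOWED]
    return new


def configure_producer_account(lf, catalog_id):
    """Step 3 of the procedure, plus the optional CREATE_DATABASE revoke.

    `lf` is a boto3 Lake Formation client, or any object with the same methods
    (a stub works for offline testing). Returns the settings that were written.
    """
    current = lf.get_data_lake_settings(CatalogId=catalog_id)["DataLakeSettings"]
    new = hardened_settings(current)
    lf.put_data_lake_settings(CatalogId=catalog_id, DataLakeSettings=new)
    lf.revoke_permissions(CatalogId=catalog_id, Principal=IAM_ALLOWED,
                          Resource={"Catalog": {}}, Permissions=["CREATE_DATABASE"])
    return new


if __name__ == "__main__":
    import boto3  # only needed for a real run against the producer account
    account = boto3.client("sts").get_caller_identity()["Account"]
    print(configure_producer_account(boto3.client("lakeformation"), account))
```

Run `uses_iam_only_control` against the current settings first if you only want to audit a shared account before changing anything.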