Working with other Amazon services - Amazon Lake Formation

Working with other Amazon services

Amazon services such as Amazon Athena, Amazon Glue, Amazon Redshift Spectrum, and Amazon EMR can use Amazon Lake Formation to securely access data in Amazon S3 locations registered with Lake Formation. With Lake Formation, you can define and manage fine-grained access control (FGAC) permissions for your tables in the Amazon Glue Data Catalog. Each of these Amazon services is a trusted caller to Lake Formation, and Lake Formation provides access to data stored in Amazon S3 through temporary credentials. For more information, see How Lake Formation application integration works.

To use these capabilities, Lake Formation requires you to first register the Amazon S3 location, and assign appropriate permissions to the IAM principal for accessing the table, the database, and the Amazon S3 location. For more information, see Managing Lake Formation permissions.

The following tables list the types of Lake Formation permissions supported by Amazon Athena, Amazon Glue, Amazon EMR, and Amazon Redshift Spectrum to access data from Amazon Glue standard tables and transactional tables (Apache Iceberg, Apache Hudi, and Linux Foundation Delta Lake) with data stored in Amazon S3 and table metadata in the Data Catalog.

Amazon services and supported permission types for Amazon Glue standard tables and views

| Amazon service | Table-level permissions | Column-level permissions | Row and cell-level permissions |
|---|---|---|---|
| Athena SQL | Read/write access | Read access | Read access |
| Athena Spark | Not supported | Not supported | Not supported |
| Redshift Spectrum on a provisioned cluster or Amazon Redshift serverless | Read/write access | Read access | Read access |
| Apache Spark on Amazon EMR (EC2) | Read/write access | Read access | Read access |
| Apache Hive on Amazon EMR (EC2) | Read/write access | Read access | Not supported |
| Apache Spark on EMR Serverless | Read/write access | Read access | Read access |
| Apache Hive on EMR Serverless | Not supported | Not supported | Not supported |
| Amazon EMR on EKS | Not supported | Not supported | Not supported |
| Amazon Glue ETL | Read/write access | Not supported | Not supported |

Considerations and limitations
  • Athena Spark doesn't support querying Data Catalog tables with Lake Formation permissions.

  • Athena SAML-based users can read data sources secured using Lake Formation permissions by enabling SAML 2.0-based federation. SAML users can insert data into Parquet tables.

  • Apache Spark on EMR Serverless doesn't support querying Data Catalog views.

  • Apache Hive on EMR Serverless doesn't support querying tables with Lake Formation permissions.

  • Amazon Glue ETL requires full access to the entire table while fetching data from the underlying Amazon S3 location. An Amazon Glue ETL job fails if you apply column-level permissions on a table.

Amazon services and supported permission types for transactional table formats

| Amazon service | Iceberg | Hudi | Delta Lake (native) | Delta Lake (symlink tables) |
|---|---|---|---|---|
| Athena SQL | Supports reading tables with table, column, row, and cell-level permissions. Write operations require full table access. | Supports read and create operations on tables with table, column, row, and cell-level permissions. Write operations are not supported. | Athena (engine version 3) supports reading native Delta Lake tables with table, column, row, and cell-level permissions. Write operations are not supported. | Athena (engine version 3) supports reading symlink Delta Lake tables with table, column, row, and cell-level permissions. Write operations are not supported. |
| Redshift Spectrum on a provisioned cluster | Supports reading tables with table, column, row, and cell-level permissions. Write operations are not supported. | Supports reading tables with table, column, row, and cell-level permissions. Write operations are not supported. | Not supported | Supports reading Delta Lake tables via symlink manifest with table, column, row, and cell-level permissions. Write operations are not supported. |
| Apache Spark on Amazon EMR (EC2) | Supports reading tables with table, column, row, and cell-level permissions. Write operations require full table access. | Supports reading tables with table, column, row, and cell-level permissions. Write operations require full table access. | Supports reading tables with table, column, row, and cell-level permissions. Write operations are not supported. | Supports reading tables with table, column, row, and cell-level permissions. Write operations require full table access. |
| Amazon Glue ETL | Supports read/write on tables with table-level permissions. | Supports read/write on tables with table-level permissions. | Supports read/write on tables with table-level permissions. | Supports read/write on tables with table-level permissions. |