AWS Security ChangesHomeSearch

AWS lake-formation documentation change

Service: lake-formation · 2025-03-10 · Documentation low

File: lake-formation/latest/dg/granting-catalog-permissions.md

Summary

Added catalog-level permissions, clarified cross-account DESCRIBE requirements, updated terminology from 'resources' to 'objects'

Security assessment

Added explicit documentation about cross-account permission requirements (DESCRIBE must be explicitly granted) which enhances security documentation, but no evidence of addressing a specific security vulnerability

Diff

diff --git a/lake-formation/latest/dg/granting-catalog-permissions.md
index eecdc9422..c933bd058 100644
--- a/lake-formation/latest/dg/granting-catalog-permissions.md
+++ b/lake-formation/latest/dg/granting-catalog-permissions.md
@@ -7 +7 @@
-You can grant **Data lake permissions** to principals in AWS Lake Formation so that the principals can create and manage Data Catalog resources, and can access underlying data. You can grant **Data lake permissions** on databases, tables, and views. When you grant permissions on tables, you can limit access to specific table columns or rows for even more fine-grained access control.
+You can grant **Data lake permissions** to principals in AWS Lake Formation so that the principals can create and manage Data Catalog resources, and can access underlying data. You can grant **Data lake permissions** on catalogs, databases, tables, and views. When you grant permissions on tables, you can limit access to specific table columns or rows for even more fine-grained access control.
@@ -9 +9,5 @@ You can grant **Data lake permissions** to principals in AWS Lake Formation so t
-You can grant permissions on individual tables and views, or with a single grant operation, you can grant permissions on all tables and views in a database. If you grant permissions on all tables in a database, you are implicitly granting the `DESCRIBE` permission on the database. The database then appears on the **Databases** page on the console, and is returned by the `GetDatabases` API operation.
+You can grant permissions on individual tables and views, or with a single grant operation, you can grant permissions on all tables and views in a database. If you grant permissions on all tables in a database, you are implicitly granting the `DESCRIBE` permission on the database. The database then appears on the **Databases** page on the console, and is returned by the `GetDatabases` API operation. The same principle applies at the catalog level - when you receive permissions for databases within a catalog, you also get `DESCRIBE` permissions for that catalog.
+
+###### Important
+
+The implicit `DESCRIBE` permission applies only when granting permissions within the same AWS account. For cross-account resources, you must explicitly grant `DESCRIBE` permissions.
@@ -13 +17 @@ You can grant permissions by using either the named resource method or the Lake
-You can grant permissions to principals in the same AWS account or to external accounts or organizations. When you grant to external accounts or organizations, you are sharing resources that you own with those accounts or organizations. Principals in those accounts or organizations can then access Data Catalog resources that you own and the underlying data.
+You can grant permissions to principals in the same AWS account or to external accounts or organizations. When you grant to external accounts or organizations, you are sharing Data Catalog objects that you own with those accounts or organizations. Principals in those accounts or organizations can then access Data Catalog objects that you own and the underlying data.
@@ -19 +23 @@ Currently, the LF-TBAC method supports granting cross-account permissions to IAM
-When you grant permissions to external accounts or organizations, you must include the grant option. Only the data lake administrator in the external account can access the shared resources until the administrator grants permissions on the shared resources to other principals in the external account.
+When you grant permissions to external accounts or organizations, you must include the grant option. Only the data lake administrator in the external account can access the shared objects until the administrator grants permissions on the shared objects to other principals in the external account.
@@ -25 +29 @@ You can grant Data Catalog permissions by using the AWS Lake Formation console,
-When you delete a Data Catalog resource, all permissions that are associated with the resource become invalid. Recreating the same resource with the same name, will not recover Lake Formation permissions. Users will have to setup new permissions again.
+When you delete a Data Catalog object, all permissions that are associated with the object become invalid. Recreating the same resource with the same name, will not recover Lake Formation permissions. Users will have to setup new permissions again.