AWS lake-formation documentation change
Summary
Added 'lakeformation:RegisterResourceWithPrivilegedAccess' permission requirement for S3 table location registration
Security assessment
Clarifies required IAM permissions for resource registration, which relates to access control security practices but does not address a specific vulnerability
Diff
diff --git a/lake-formation/latest/dg/s3tables-catalog-prerequisites.md b/lake-formation/latest/dg/s3tables-catalog-prerequisites.md index a680143d8..2632a5325 100644 --- a/lake-formation/latest/dg/s3tables-catalog-prerequisites.md +++ b/lake-formation/latest/dg/s3tables-catalog-prerequisites.md @@ -25 +25 @@ For detailed instructions on deregistering a data location, see, the [Deregister - 2. When you enable the Amazon S3 tables integration, Lake Formation automatically registers the S3 tables' location. To register the table bucket location with Lake Formation, you need an IAM role/user with `RegisterResource` and `CreateCatalog` permissions. When a non-administrator user with these permissions registers a catalog location, Lake Formation automatically grants them the `DATA_LOCATION_ACCESS` permission for that location allowing the calling principal the permissions to perform all supported Lake Formation operations on the registered data location. + 2. When you enable the Amazon S3 tables integration, Lake Formation automatically registers the S3 tables' location. To register the table bucket location with Lake Formation, you need an IAM role/user with `lakeformation:RegisterResource`, `lakeformation:RegisterResourceWithPrivilegedAccess`, and `lakeformation:CreateCatalog` permissions. When a non-administrator user with these permissions registers a catalog location, Lake Formation automatically grants them the `DATA_LOCATION_ACCESS` permission for that location allowing the calling principal the permissions to perform all supported Lake Formation operations on the registered data location.