AWS lake-formation documentation change
Summary
Added explicit IAM policy example for lakeformation:GetDataAccess permission
Security assessment
Improves security documentation by providing concrete IAM policy example, but does not indicate resolution of a specific security vulnerability
Diff
diff --git a/lake-formation/latest/dg/access-control-underlying-data.md b/lake-formation/latest/dg/access-control-underlying-data.md index bba89ca2f..2d2d47b57 100644 --- a//lake-formation/latest/dg/access-control-underlying-data.md +++ b//lake-formation/latest/dg/access-control-underlying-data.md @@ -70 +70 @@ Avoid registering an Amazon S3 bucket that has **Requester pays** enabled. For b -For read/write access to underlying data, in addition to Lake Formation permissions, principals also need the following IAM permission: +For read/write access to underlying data, in addition to Lake Formation permissions, principals also need the `lakeformation:GetDataAccess` IAM permission. With this permission, Lake Formation grants the request for temporary credentials to access the data. @@ -72 +71,0 @@ For read/write access to underlying data, in addition to Lake Formation permissi -`lakeformation:GetDataAccess` @@ -74 +73,12 @@ For read/write access to underlying data, in addition to Lake Formation permissi -With this permission, Lake Formation grants the request for temporary credentials to access the data. + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "lakeformation:GetDataAccess", + "Resource": "*" + } + ] + } + +In the above policy, you must set the Resource parameter to '*' (all. Specifying any other resource for this permission is not supported. This configuration ensures that Lake Formation can manage data access across your entire data lake environment efficiently.