AWS Security ChangesHomeSearch

AWS lake-formation documentation change

Service: lake-formation · 2025-04-18 · Documentation medium

File: lake-formation/latest/dg/granting-catalog-permissions.md

Summary

Updated permissions documentation with ABAC implications and explicit DESCRIBE requirements

Security assessment

Clarifies security controls around ABAC and cross-account permissions, but doesn't reference a specific vulnerability. Enhances security documentation without addressing a known issue.

Diff

diff --git a/lake-formation/latest/dg/granting-catalog-permissions.md b/lake-formation/latest/dg/granting-catalog-permissions.md
index c933bd058..b38c5c1fa 100644
--- a//lake-formation/latest/dg/granting-catalog-permissions.md
+++ b//lake-formation/latest/dg/granting-catalog-permissions.md
@@ -7 +7 @@
-You can grant **Data lake permissions** to principals in AWS Lake Formation so that the principals can create and manage Data Catalog resources, and can access underlying data. You can grant **Data lake permissions** on catalogs, databases, tables, and views. When you grant permissions on tables, you can limit access to specific table columns or rows for even more fine-grained access control.
+You can grant **Data permissions** to principals in AWS Lake Formation so that the principals can create and manage Data Catalog resources, and can access underlying data. You can grant **Data lake permissions** on catalogs, databases, tables, and views. When you grant permissions on tables, you can limit access to specific table columns or rows for even more fine-grained access control.
@@ -9 +9 @@ You can grant **Data lake permissions** to principals in AWS Lake Formation so t
-You can grant permissions on individual tables and views, or with a single grant operation, you can grant permissions on all tables and views in a database. If you grant permissions on all tables in a database, you are implicitly granting the `DESCRIBE` permission on the database. The database then appears on the **Databases** page on the console, and is returned by the `GetDatabases` API operation. The same principle applies at the catalog level - when you receive permissions for databases within a catalog, you also get `DESCRIBE` permissions for that catalog.
+You can grant permissions on individual catalogs, databases, tables and views, or with a single grant operation, you can grant permissions on all databases, tables and views in a catalog or a database. If you grant permissions on all tables in a database to IAM principals, you are implicitly granting the `DESCRIBE` permission on the database. The database then appears on the **Databases** page on the console, and is returned by the `GetDatabases` API operation. The same principle applies at the catalog level - when you receive permissions for databases within a catalog, you also get `DESCRIBE` permissions for that catalog.
@@ -13 +13 @@ You can grant permissions on individual tables and views, or with a single grant
-The implicit `DESCRIBE` permission applies only when granting permissions within the same AWS account. For cross-account resources, you must explicitly grant `DESCRIBE` permissions.
+The implicit `DESCRIBE` permission applies only when granting permissions to IAM principals within the same AWS account. For cross-account resources, you must explicitly grant `DESCRIBE` permissions. The automatic `DESCRIBE` permission grant doesn't apply when using attribute-based access control (ABAC). When granting permissions on all tables in a database using attributes, Lake Formation doesn't implicitly grant `DESCRIBE` permission to the database.