AWS Security ChangesHomeSearch

AWS lake-formation documentation change

Service: lake-formation · 2025-04-18 · Documentation low

File: lake-formation/latest/dg/granting-database-permissions.md

Summary

Updated UI references from 'Grant data lake permissions' to 'Grant permissions', added attribute-based principal selection with tag matching logic, and expanded principal specification options

Security assessment

Added documentation for attribute-based access control using IAM role attributes, which is a security feature enhancement but does not address a specific vulnerability

Diff

diff --git a/lake-formation/latest/dg/granting-database-permissions.md b/lake-formation/latest/dg/granting-database-permissions.md
index 12de3035e..1dd0f4ca3 100644
--- a//lake-formation/latest/dg/granting-database-permissions.md
+++ b//lake-formation/latest/dg/granting-database-permissions.md
@@ -12 +12 @@ Console
-Use the **Grant data lake permissions** page on the Lake Formation console. The page is divided into the following sections:
+Use the **Grant permissions** page on the Lake Formation console. The page is divided into the following sections:
@@ -14 +14 @@ Use the **Grant data lake permissions** page on the Lake Formation console. The
-  * Principals – The IAM users, roles, IAM Identity Center users and groups, SAML users and groups, AWS accounts, organizations, or organizational units to grant permissions.
+  * Principal type – The **Principals** section include the IAM users, roles, IAM Identity Center users and groups, SAML users and groups, AWS accounts, organizations, or organizational units to grant permissions. In the **Principals by attributes** section, you can specify the key and values for the attributes attached to the IAM roles. 
@@ -27 +27 @@ To grant permissions on a database resource link, see [Granting resource link pe
-  1. Open the **Grant data lake permissions** page.
+  1. Open the **Grant permissions** page.
@@ -33 +33 @@ Do one of the following:
-     * In the navigation pane, under **Permissions** , choose **Data lake permissions**. Then choose **Grant**.
+     * In the navigation pane, under **Permissions** , choose **Data permissions**. Then choose **Grant**.
@@ -41 +41 @@ You can grant permissions on a database through its resource link. To do so, on
-  2. Next, in the **Principal type** section, specify principals or grant permissions to principals.
+  2. In the **Principal type** section, specify principals or grant permissions to principals using attributes.
@@ -74,0 +75,7 @@ An organizational unit ID starts with "ou-" followed by 4–32 lowercase letters
+Principals by attributes
+    
+
+Specify the attribute key and value(s). If you choose more than one value, you are creating an attribute expression with an OR operator. This means that if any of the attribute tag values assigned to an IAM role or user match, the role/user gains access permissions on the resource.
+
+Choose the permission scope by specifying if you're granting permissions to principals with matching attributes in the same account or in another account. 
+