AWS Security ChangesHomeSearch

AWS lake-formation documentation change

Service: lake-formation · 2025-05-01 · Documentation low

File: lake-formation/latest/dg/cross-account-permissions.md

Summary

Updated cross-account permissions documentation to clarify visibility of direct grants

Security assessment

Clarifies that only grant recipients can view direct cross-account permissions, improving documentation accuracy but not addressing an active security issue.

Diff

diff --git a/lake-formation/latest/dg/cross-account-permissions.md b/lake-formation/latest/dg/cross-account-permissions.md
index 650a65843..e2af58854 100644
--- a//lake-formation/latest/dg/cross-account-permissions.md
+++ b//lake-formation/latest/dg/cross-account-permissions.md
@@ -17 +17 @@ For more information, see [Hybrid access mode](./hybrid-access-mode.html).
-Authorized principals can share resources explicitly with an IAM principal in an external account. This feature is useful when an account owner wants to have control over who in the external account can access the resources. The permissions the IAM principal receives will be a union of direct grants and the account level grants that is cascaded down to the principals. The data lake administrator of the recipient account can view the direct cross-account grants, but cannot revoke permissions. The principal who receives the resource share cannot share the resource with other principals.
+Authorized principals can share resources explicitly with an IAM principal in an external account. This feature is useful when an account owner wants to have control over who in the external account can access the resources. The permissions the IAM principal receives will be a union of direct grants and the account level grants that is cascaded down to the principals. Only the recipient of the permission grant can view the direct cross-account grants. The principal who receives the resource share cannot share the resource with other principals.