AWS lake-formation documentation change
Summary
Updated cross-account permissions documentation to clarify visibility of direct grants
Security assessment
Clarifies that only grant recipients can view direct cross-account permissions, improving documentation accuracy but not addressing an active security issue.
Diff
diff --git a/lake-formation/latest/dg/cross-account-permissions.md b/lake-formation/latest/dg/cross-account-permissions.md index 650a65843..e2af58854 100644 --- a//lake-formation/latest/dg/cross-account-permissions.md +++ b//lake-formation/latest/dg/cross-account-permissions.md @@ -17 +17 @@ For more information, see [Hybrid access mode](./hybrid-access-mode.html). -Authorized principals can share resources explicitly with an IAM principal in an external account. This feature is useful when an account owner wants to have control over who in the external account can access the resources. The permissions the IAM principal receives will be a union of direct grants and the account level grants that is cascaded down to the principals. The data lake administrator of the recipient account can view the direct cross-account grants, but cannot revoke permissions. The principal who receives the resource share cannot share the resource with other principals. +Authorized principals can share resources explicitly with an IAM principal in an external account. This feature is useful when an account owner wants to have control over who in the external account can access the resources. The permissions the IAM principal receives will be a union of direct grants and the account level grants that is cascaded down to the principals. Only the recipient of the permission grant can view the direct cross-account grants. The principal who receives the resource share cannot share the resource with other principals.