AWS Security ChangesHomeSearch

AWS lake-formation medium security documentation change

Service: lake-formation · 2025-05-22 · Security-related medium

File: lake-formation/latest/dg/register-encrypted.md

Summary

Updated recommendation to prefer custom roles over service-linked roles

Security assessment

Security best practice recommendation to use custom roles for better control, addressing potential permission limitations in service-linked roles

Diff

diff --git a/lake-formation/latest/dg/register-encrypted.md b/lake-formation/latest/dg/register-encrypted.md
index d6e3ab9ce..f84115a24 100644
--- a//lake-formation/latest/dg/register-encrypted.md
+++ b//lake-formation/latest/dg/register-encrypted.md
@@ -17 +17 @@ Avoid registering an Amazon S3 bucket that has **Requester pays** enabled. For b
-The simplest way to register the location is to use the Lake Formation service-linked role. This role grants the required read/write permissions on the location. You may also use a custom role to register the location, provided that it meets the requirements in [Requirements for roles used to register locations](./registration-role.html).
+Lake Formation uses a service-linked role to register your data locations. However, this role has several [limitations](./service-linked-role-limitations.html). Due to these constraints, we recommend creating and using a custom IAM role instead for more flexibility and control. The custom role you create to register the location must meets the requirements specified in [Requirements for roles used to register locations](./registration-role.html).