AWS lake-formation medium security documentation change
Summary
Updated recommendation to prefer custom roles over service-linked roles
Security assessment
Security best practice recommendation to use custom roles for better control, addressing potential permission limitations in service-linked roles
Diff
diff --git a/lake-formation/latest/dg/register-encrypted.md b/lake-formation/latest/dg/register-encrypted.md index d6e3ab9ce..f84115a24 100644 --- a//lake-formation/latest/dg/register-encrypted.md +++ b//lake-formation/latest/dg/register-encrypted.md @@ -17 +17 @@ Avoid registering an Amazon S3 bucket that has **Requester pays** enabled. For b -The simplest way to register the location is to use the Lake Formation service-linked role. This role grants the required read/write permissions on the location. You may also use a custom role to register the location, provided that it meets the requirements in [Requirements for roles used to register locations](./registration-role.html). +Lake Formation uses a service-linked role to register your data locations. However, this role has several [limitations](./service-linked-role-limitations.html). Due to these constraints, we recommend creating and using a custom IAM role instead for more flexibility and control. The custom role you create to register the location must meets the requirements specified in [Requirements for roles used to register locations](./registration-role.html).