AWS lake-formation medium security documentation change
Summary
Added clarification about administrator permissions requiring explicit grants for pre-existing databases
Security assessment
The change explicitly documents that administrators added after database creation don't automatically get data access permissions (SELECT/DESCRIBE), requiring explicit grants. This addresses potential privilege escalation risks where administrators might assume automatic access to historical resources. The clarification prevents unintended access gaps and enforces least privilege principles.
Diff
diff --git a/lake-formation/latest/dg/permissions-reference.md b/lake-formation/latest/dg/permissions-reference.md index 2e8bc17bc..45733456d 100644 --- a//lake-formation/latest/dg/permissions-reference.md +++ b//lake-formation/latest/dg/permissions-reference.md @@ -23,0 +24,4 @@ Workflow role | (Required) Role that runs a workflow on behalf of a user. You sp +###### Note + +In Lake Formation, data lake administrators added after database creation can grant permissions but don't automatically have data access permissions such as SELECT or DESCRIBE. Administrators who create databases receive `SUPER` permissions on those databases. This behavior is intentional—while all administrators can grant themselves necessary permissions, these permissions aren't automatically applied to pre-existing resources. Therefore, administrators must explicitly grant themselves access to databases that existed before they were assigned admin privileges. +