AWS Security ChangesHomeSearch

AWS lake-formation high security documentation change

Service: lake-formation · 2025-05-28 · Security-related high

File: lake-formation/latest/dg/permitting-third-party-call.md

Summary

Added validation requiring non-empty ExternalDataFilteringAllowList when AllowExternalDataFiltering is enabled

Security assessment

The change prevents misconfigurations by requiring at least one account ID in the allow list when third-party data filtering is enabled. An empty list could have previously allowed unintended access to unfiltered metadata and credentials. This directly addresses an authorization control weakness by enforcing positive security controls.

Diff

diff --git a/lake-formation/latest/dg/permitting-third-party-call.md b/lake-formation/latest/dg/permitting-third-party-call.md
index acf25bfb3..c09c6ad28 100644
--- a//lake-formation/latest/dg/permitting-third-party-call.md
+++ b//lake-formation/latest/dg/permitting-third-party-call.md
@@ -40 +40 @@ There are three fields to configure when using this AWS CLI command:
-  * `external-data-filtering-allow-list` – (array) A list of account IDs that can access unfiltered metadata information and data access credentials of resources in the current account when using a third-party engine.
+  * `external-data-filtering-allow-list` – (array) A list of account IDs that can access unfiltered metadata information and data access credentials of resources in the current account when using a third-party engine. When AllowExternalDataFiltering is set to true, the ExternalDataFilteringAllowList property must include at least one account ID. An empty list is not allowed.