AWS lake-formation documentation change
Summary
Updated terminology from 'tag based access control' to 'attribute-based access control' and added new section explaining attribute-based access control (ABAC) with tag-based authorization
Security assessment
The change enhances documentation about access control mechanisms (ABAC) which is a security feature, but there's no evidence of addressing a specific vulnerability. It improves clarity around existing security controls.
Diff
diff --git a/lake-formation/latest/dg/what-is-lake-formation.md b/lake-formation/latest/dg/what-is-lake-formation.md index 277415c51..b887367e2 100644 --- a//lake-formation/latest/dg/what-is-lake-formation.md +++ b//lake-formation/latest/dg/what-is-lake-formation.md @@ -83 +83 @@ Lake Formation hybrid access mode provides the flexibility to selectively enable -Lake Formation provides comprehensive audit logs with CloudTrail to monitor access and show compliance with centrally defined policies. You can audit data access history across analytics and machine learning services that read the data in your data lake via Lake Formation. This lets you see which users or roles have attempted to access what data, with which services, and when. You can access audit logs in the same way you access any other CloudTrail logs using the CloudTrail APIs and console. For more information about CloudTrail logs see [Logging AWS Lake Formation API Calls Using AWS CloudTrail](./logging-using-cloudtrail.html). +Lake Formation provides comprehensive audit logs with CloudTrail to monitor access and show compliance with centrally defined policies. You can audit data access history across analytics and machine learning services that read the data in your data lake via Lake Formation. This lets you see which users or roles have attempted to access what data, with which services, and when. You can access audit logs in the same way you access any other CloudTrail logs using the CloudTrail APIs and console. For more information about CloudTrail logs see [Logging AWS Lake Formation API calls using AWS CloudTrail](./logging-using-cloudtrail.html). @@ -91 +91,5 @@ Lake Formation provides data filters that allow you to restrict access to a comb -Use Lake Formation [ tag based access control](https://docs.aws.amazon.com/lake-formation/latest/dg/tag-based-access-control.html) to manage hundreds or even thousands data permissions by creating custom labels called LF-Tags. You can now define LF-Tags and attach them to databases, tables, or columns. Then, share controlled access across analytic, machine learning (ML), and extract, transform, and load (ETL) services for consumption. LF-Tags make sure that data governance can be scaled easily by replacing the policy definitions of thousands of resources with a few logical tags. Lake Formation provides a text-based search over this metadata, so your users can quickly find the data they need to analyze. +Use Lake Formation [ attribute-based access control](https://docs.aws.amazon.com/lake-formation/latest/dg/tag-based-access-control.html) to manage hundreds or even thousands of data permissions by creating custom labels called LF-Tags. You can now define LF-Tags and attach them to databases, tables, or columns. Then, share controlled access across analytic, machine learning (ML), and extract, transform, and load (ETL) services for consumption. LF-Tags make sure that data governance can be scaled easily by replacing the policy definitions of thousands of resources with a few logical tags. Lake Formation provides a text-based search over this metadata, so your users can quickly find the data they need to analyze. + +###### Attribute-based access control + +Use [ attribute-based access control](https://docs.aws.amazon.com/lake-formation/latest/dg/attribute-based-access-control.html) to grant access on Data Catalog objects. Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. AWS calls these attributes tags. You can use ABAC to grant access to principals within the same account or in another account on the Data Catalog resources. Any IAM principal with matching IAM tag or session tag keys and values gains access to the resource. You must have grantable permissions on the resources to make these grants.