AWS Security ChangesHomeSearch

AWS lake-formation medium security documentation change

Service: lake-formation · 2025-07-16 · Security-related medium

File: lake-formation/latest/dg/hybrid-cross-account.md

Summary

Removed detailed Python code example for glue:PutResourcePolicy and added security note about granting minimum permissions

Security assessment

Added explicit guidance to grant minimum permissions required for cross-account access, which directly relates to security best practices for access control. The removal of code example reduces potential for over-permissive policies being copy-pasted.

Diff

diff --git a/lake-formation/latest/dg/hybrid-cross-account.md b/lake-formation/latest/dg/hybrid-cross-account.md
index f06bffa00..f827ec2b3 100644
--- a//lake-formation/latest/dg/hybrid-cross-account.md
+++ b//lake-formation/latest/dg/hybrid-cross-account.md
@@ -25,34 +25 @@ If your account (grantor account or producer account) has made no cross-account
-  * When you save the resource policy using the `glue:PutResourcePolicy` API operation, you must set the `EnableHybrid` field to '`TRUE`' (type = string). The following code example shows how to do this in Python.
-    
-        import boto3
-    import json
-    
-    REGION = 'us-east-2'
-    PRODUCER_ACCOUNT_ID = '123456789012'
-    CONSUMER_ACCOUNT_IDs = ['111122223333']
-    
-    glue = glue_client = boto3.client('glue')
-    
-    policy = {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "Cataloguers",
-                "Effect": "Allow",
-                "Action": [
-                    "glue:*"
-                ],
-                "Principal": {
-                    "AWS": CONSUMER_ACCOUNT_IDs
-                },
-                "Resource": [
-                    f"arn:aws:glue:{REGION}:{PRODUCER_ACCOUNT_ID}:catalog",
-                    f"arn:aws:glue:{REGION}:{PRODUCER_ACCOUNT_ID}:database/*",
-                    f"arn:aws:glue:{REGION}:{PRODUCER_ACCOUNT_ID}:table/*/*"
-                ]
-            }
-        ]
-    }
-    
-    policy = json.dumps(policy)
-    glue.put_resource_policy(PolicyInJson=policy, EnableHybrid='TRUE')
+  * When you save the resource policy using the `glue:PutResourcePolicy` API operation, you must set the `EnableHybrid` field to '`TRUE`' (type = string).
@@ -59,0 +27,5 @@ If your account (grantor account or producer account) has made no cross-account
+To update an existing resource policy, use the `glue:GetResourcePolicy` API operation to retrieve your current policy first, then modify it as needed before calling `glue:PutResourcePolicy`. 
+
+###### Note
+
+When creating AWS Glue resource policies for cross-account access, grant only the minimum permissions required for your specific use case.