AWS lake-formation medium security documentation change
Summary
Added limitation about SET_CONTEXT usage with service-linked roles and IAM Identity Center
Security assessment
Documents security-related limitation in auditing capabilities when using service-linked roles with IAM Identity Center, which impacts security visibility
Diff
diff --git a/lake-formation/latest/dg/service-linked-role-limitations.md b/lake-formation/latest/dg/service-linked-role-limitations.md index 4f9f1c602..2434c4edc 100644 --- a//lake-formation/latest/dg/service-linked-role-limitations.md +++ b//lake-formation/latest/dg/service-linked-role-limitations.md @@ -22,0 +23,2 @@ The following limitations apply when using a service-linked role (SLR) to regist + * You can't set `SET_CONTEXT = TRUE` in Lake Formation data lake settings when using service-linked roles, and you are using IAM Identity Center. The reason is that service-linked roles have immutable trust policies that are incompatible with the trusted identity propagation needed for `SetContext` auditing with IAM Identity Center principals. +