AWS lake-formation documentation change
Summary
Added detailed IAM policy JSON examples for S3, Lambda, and Glue permissions required for data source connectivity
Security assessment
The change adds explicit IAM policy examples which help users configure least-privilege permissions. While security-related documentation, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/lake-formation/latest/dg/connect-data-source-prerequisites.md b/lake-formation/latest/dg/connect-data-source-prerequisites.md index a721ae068..58cc80817 100644 --- a//lake-formation/latest/dg/connect-data-source-prerequisites.md +++ b//lake-formation/latest/dg/connect-data-source-prerequisites.md @@ -28,0 +29,36 @@ The role must have `Select` or `Describe` permissions on the Amazon S3 bucket an +JSON + + +**** + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::amzn-s3-demo-bucket1/object/*", + "arn:aws:s3:::amzn-s3-demo-bucket1/object" + ] + }, + { + "Sid": "lambdainvoke", + "Effect": "Allow", + "Action": "lambda:InvokeFunction", + "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-lambda-function" + }, + { + "Sid": "gluepolicy", + "Effect": "Allow", + "Action": "glue:*", + "Resource": "*" + } + ] + } + + + @@ -57,0 +94,23 @@ The following is an inline policy that grants this permission. Replace `<account +JSON + + +**** + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Sid": "PassRolePermissions", + "Effect": "Allow", + "Action": [ + "iam:PassRole" + ], + "Resource": [ + "arn:aws:iam::111122223333:role/example-role-name>" + ] + } + ] + } + +