AWS AmazonS3 documentation change
Summary
Restructured documentation to clarify Lake Formation permissions model, added details about metadata vs. data access permissions, and explained interaction between IAM and Lake Formation permissions.
Security assessment
The changes provide clearer documentation about security controls (Lake Formation permissions model) and explicitly explain how IAM and Lake Formation permissions interact. While this improves security understanding, there is no evidence of addressing a specific vulnerability or incident.
Diff
diff --git a/AmazonS3/latest/userguide/grant-permissions-tables.md b/AmazonS3/latest/userguide/grant-permissions-tables.md index 99040fdfd..39466301a 100644 --- a//AmazonS3/latest/userguide/grant-permissions-tables.md +++ b//AmazonS3/latest/userguide/grant-permissions-tables.md @@ -9 +9 @@ Granting Lake Formation permission on a table or database -After your table buckets are integrated with the AWS analytics services, Lake Formation manages access to your table resources. Lake Formation uses its own permissions model (Lake Formation permissions) that enables fine-grained access control for Data Catalog resources. Lake Formation requires that each IAM principal (user or role) be authorized to perform actions on Lake Formation–managed resources. For more information, see [Overview of Lake Formation permissions](https://docs.aws.amazon.com/lake-formation/latest/dg/lf-permissions-overview.html) in the _AWS Lake Formation Developer Guide_. For information about cross-account data sharing, see [Cross-account data sharing in Lake Formation](https://docs.aws.amazon.com/lake-formation/latest/dg/cross-account-permissions.html) in the _AWS Lake Formation Developer Guide_. +After your table buckets are integrated with the AWS analytics services, Lake Formation manages access to your tables and requires that each IAM principal (user or role) be authorized to perform actions them. Lake Formation uses its own permissions model (Lake Formation permissions) that enables fine-grained access control for Data Catalog resources. @@ -11 +11,7 @@ After your table buckets are integrated with the AWS analytics services, Lake Fo -Before IAM principals can access tables in AWS analytics services, you must grant them Lake Formation permissions on those resources. +For more information, see [Overview of Lake Formation permissions](https://docs.aws.amazon.com/lake-formation/latest/dg/lf-permissions-overview.html) in the _AWS Lake Formation Developer Guide_. + +There are two main types of permissions in AWS Lake Formation: + + 1. Metadata access permissions control the ability to create, read, update, and delete metadata databases and tables in the Data Catalog. + + 2. Underlying data access permissions control the ability to read and write data to the underlying Amazon S3 locations that the Data Catalog resources point to. @@ -13 +18,0 @@ Before IAM principals can access tables in AWS analytics services, you must gran -###### Note @@ -15 +19,0 @@ Before IAM principals can access tables in AWS analytics services, you must gran -If you're the user who performed the table bucket integration, you already have Lake Formation permissions to your tables. If you're the only principal who will access your tables, you can skip this step. You only need to grant Lake Formation permissions on your tables to other IAM principals. This allows other principals to access the table when running queries. For more information, see Granting Lake Formation permission on a table or database. @@ -17 +20,0 @@ If you're the user who performed the table bucket integration, you already have -You must grant other IAM principals Lake Formation permissions on your table resources to work with them in the following services: @@ -19 +22 @@ You must grant other IAM principals Lake Formation permissions on your table res - * Amazon Redshift +Lake Formation uses a combination of its own permissions model and the IAM permissions model to control access to Data Catalog resources and underlying data: @@ -21 +24 @@ You must grant other IAM principals Lake Formation permissions on your table res - * Amazon Data Firehose + * For a request to access Data Catalog resources or underlying data to succeed, the request must pass permission checks by both IAM and Lake Formation. @@ -23 +26 @@ You must grant other IAM principals Lake Formation permissions on your table res - * Amazon Quick Suite + * IAM permissions control access to the Lake Formation and AWS Glue APIs and resources, whereas Lake Formation permissions control access to the Data Catalog resources, Amazon S3 locations, and the underlying data. @@ -25 +27,0 @@ You must grant other IAM principals Lake Formation permissions on your table res - * Amazon Athena @@ -28,0 +31,5 @@ You must grant other IAM principals Lake Formation permissions on your table res +Lake Formation permissions apply only in the Region in which they were granted, and a principal must be authorized by a data lake administrator or another principal with the necessary permissions in order to be granted Lake Formation permissions. + +###### Note + +If you're the user who performed the table bucket integration, you already have Lake Formation permissions to your tables. If you're the only principal who will access your tables, you can skip this step. You only need to grant Lake Formation permissions on your tables to other IAM principals. This allows other principals to access the table when running queries. For more information, see Granting Lake Formation permission on a table or database.