AWS AmazonS3 documentation change
Summary
Updated documentation to change the recommended integration method from Amazon SageMaker Lakehouse to AWS Glue Data Catalog for accessing S3 table buckets. Removed references to AWS Lake Formation and updated access control information to focus on IAM permissions.
Security assessment
The change does not reference any security vulnerability or incident. It updates the integration method and removes the section about Lake Formation's fine-grained access control, which was a security feature. However, the change adds notes about IAM permissions, which are a fundamental security control, but does not introduce new security documentation. The overall change is a shift in the recommended architecture and not a direct response to a security issue.
Diff
diff --git a/AmazonS3/latest/userguide/s3-tables-access.md b/AmazonS3/latest/userguide/s3-tables-access.md index 8f783330a..eeedfd512 100644 --- a//AmazonS3/latest/userguide/s3-tables-access.md +++ b//AmazonS3/latest/userguide/s3-tables-access.md @@ -5 +5 @@ -Accessing tables through the Amazon SageMaker Lakehouse integrationAccessing tables directly +Accessing tables through the AWS Glue Data Catalog integrationAccessing tables directly @@ -9 +9 @@ Accessing tables through the Amazon SageMaker Lakehouse integrationAccessing tab -There are multiple ways to access tables in Amazon S3 table buckets, you can integrate tables with AWS analytics services using Amazon SageMaker Lakehouse, or access tables directly using the Amazon S3 Tables Iceberg REST endpoint or the Amazon S3 Tables Catalog for Apache Iceberg. The access method you use will depend on your catalog setup, governance model, and access control needs. The following is an overview of these access methods. +There are multiple ways to access tables in Amazon S3 table buckets. You can integrate tables with AWS analytics services using AWS Glue Data Catalog, or access tables directly using the Amazon S3 Tables Iceberg REST endpoint or the Amazon S3 Tables Catalog for Apache Iceberg. The access method you use will depend on your catalog setup, governance model, and access control needs. The following is an overview of these access methods. @@ -11 +11 @@ There are multiple ways to access tables in Amazon S3 table buckets, you can int -**Amazon SageMaker Lakehouse integration** +**AWS Glue Data Catalog integration** @@ -14 +14 @@ There are multiple ways to access tables in Amazon S3 table buckets, you can int -This is the recommended access method for working with tables in S3 table buckets. The integration gives you unified table management, centralized governance, and fine-grained access control across multiple AWS analytics services. After integration, you can query tables in services such as Athena and Amazon Redshift. +This is the recommended access method for working with tables in S3 table buckets. This integration gives you a unified view of your data estate across multiple AWS analytics services through the AWS Glue Data Catalog. After integration, you can query tables using services such as Athena and Amazon Redshift. Access to tables is managed using IAM permissions. To access tables using this integration, the IAM identity you use needs access to your S3 Tables resources and actions, AWS Glue Data Catalog objects, and the query engine you're using. For more information, see [Access management for S3 Tables](./s3-tables-setting-up.html). @@ -19 +19 @@ This is the recommended access method for working with tables in S3 table bucket -Use this method if you need to work with AWS Partner Network (APN) catalog implementations, custom catalog implementations, or if you only need to perform basic read/write operations on tables within a single table bucket. +Use this method if you need to work with AWS Partner Network (APN) catalog implementations, custom catalog implementations, or if you only need to perform basic read/write operations on tables within a single table bucket. Access to tables is managed using IAM permissions. To access tables, the IAM identity you use needs access to your table resources and S3 Tables actions. For more information, see [Access management for S3 Tables](./s3-tables-setting-up.html). @@ -21 +21 @@ Use this method if you need to work with AWS Partner Network (APN) catalog imple -###### Note +## Accessing tables through the AWS Glue Data Catalog integration @@ -23,7 +23 @@ Use this method if you need to work with AWS Partner Network (APN) catalog imple -To access tables the IAM identity you use needs access to your table resources and S3 Tables actions. For more information, see [Access management for S3 Tables](./s3-tables-setting-up.html). - -## Accessing tables through the Amazon SageMaker Lakehouse integration - -You can integrate S3 table buckets with Amazon SageMaker Lakehouse to access tables from AWS analytics services, such as Amazon Athena, Amazon Redshift, and Quick. Amazon SageMaker Lakehouse unifies your data across Amazon S3 data lakes and Amazon Redshift data warehouses, so you can build analytics, machine learning (ML), and generative AI applications on a single copy of data. The integration populates the AWS Glue Data Catalog with your table resources, and federates access to these resources with AWS Lake Formation. For more information on integrating, see [Integrating Amazon S3 Tables with AWS analytics services](./s3-tables-integrating-aws.html). - -The integration enables fine-grained access control through AWS Lake Formation to provide additional security. Lake Formation uses a combination of its own permissions model and the IAM permissions model to control access to table resources and underlying data. This means that a request to access your table must pass permission checks by both IAM and Lake Formation. For more information, see [Lake Formation permissions overview](https://docs.aws.amazon.com/lake-formation/latest/dg/lf-permissions-overview.html) in the _AWS Lake Formation Developer Guide_. +You can integrate S3 table buckets with AWS Glue Data Catalog to access tables from AWS analytics services, such as Amazon Athena, Amazon Redshift, and Quick. The integration populates the AWS Glue Data Catalog with your table resources, and federates access to those resources. For more information on integrating, see [Integrating Amazon S3 Tables with AWS analytics services](./s3-tables-integrating-aws.html). @@ -52 +46 @@ The following AWS analytics services can access tables through this integration: -Once your S3 table buckets are integrated with Amazon SageMaker Lakehouse, you can also use the AWS Glue Iceberg REST endpoint to connect to S3 tables from third-party query engines that support Iceberg. For more information, see [Accessing Amazon S3 tables using the AWS Glue Iceberg REST endpoint](./s3-tables-integrating-glue-endpoint.html). +Once your S3 table buckets are integrated with AWS Glue Data Catalog, you can also use the AWS Glue Iceberg REST endpoint to connect to S3 tables from third-party query engines that support Iceberg. For more information, see [Accessing Amazon S3 tables using the AWS Glue Iceberg REST endpoint](./s3-tables-integrating-glue-endpoint.html). @@ -67 +61 @@ You can access tables directly from open source query engines through methods th -We recommend direct access if you access tables in self-managed catalog implementations, or only need to perform basic read/write operations on tables in a single table bucket. For other access scenarios, we recommend the Amazon SageMaker Lakehouse integration. +We recommend direct access if you access tables in self-managed catalog implementations, or only need to perform basic read/write operations on tables in a single table bucket. For other access scenarios, we recommend the AWS Glue Data Catalog integration. @@ -69 +63 @@ We recommend direct access if you access tables in self-managed catalog implemen -Direct access to tables is managed through either IAM identity-based policies or resource-based policies attached to tables and table buckets. You do not need to manage Lake Formation permissions for tables when you access them directly. +Direct access to tables is managed through either IAM identity-based policies or resource-based policies attached to tables and table buckets.