AWS lake-formation documentation change
Summary
Added clarification that partition operations (CreatePartition, BatchCreatePartition, UpdatePartition) do not require data location permissions when the partition location is a child of an already registered table location.
Security assessment
This change clarifies existing permission behavior for partition operations. It documents a specific condition under which data location permissions are not required, which is a refinement of access control rules but does not indicate a security vulnerability or weakness. The change is informational and helps users understand the security model better, but there is no evidence of addressing a security issue.
Diff
diff --git a/lake-formation/latest/dg/access-control-underlying-data.md b/lake-formation/latest/dg/access-control-underlying-data.md index e40ae2701..71f2b97aa 100644 --- a//lake-formation/latest/dg/access-control-underlying-data.md +++ b//lake-formation/latest/dg/access-control-underlying-data.md @@ -138,0 +139,2 @@ Data location permissions govern the outcome of create and update operations on + * Partition operations (`CreatePartition`, `BatchCreatePartition`, `UpdatePartition`) do not require data location permissions when the partition location is a child of the table location already registered with Lake Formation. +