AWS Security ChangesHomeSearch

AWS lake-formation documentation change

Service: lake-formation · 2026-06-28 · Documentation low

File: lake-formation/latest/dg/connect-data-source-prerequisites.md

Summary

Added documentation about DATA_LOCATION_ACCESS permission requirement for federated catalogs with CLI grant example.

Security assessment

New section explains permission requirements for non-admin users to create federated catalogs, including a CLI example for granting DATA_LOCATION_ACCESS. This documents security controls but doesn't address a specific vulnerability.

Diff

diff --git a/lake-formation/latest/dg/connect-data-source-prerequisites.md b/lake-formation/latest/dg/connect-data-source-prerequisites.md
index e3494eefe..8337f6e4c 100644
--- a//lake-formation/latest/dg/connect-data-source-prerequisites.md
+++ b//lake-formation/latest/dg/connect-data-source-prerequisites.md
@@ -139,0 +140,20 @@ If you're not a data lake administrator, you need the Lake Formation `CREATE_CAT
+In addition to the `CREATE_CATALOG` permission, you need `DATA_LOCATION_ACCESS` on the registered connection to create a federated catalog. A data lake administrator has implicit data location permissions and does not need this grant. For more information, see [Implicit Lake Formation permissions](https://docs.aws.amazon.com/lake-formation/latest/dg/implicit-permissions.html).
+
+The following example shows how to grant `DATA_LOCATION_ACCESS` on a registered connection.
+        
+                aws lakeformation grant-permissions \
+          --cli-input-json \
+            '{
+              "Principal": {
+                "DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/non-admin-role"
+              },
+              "Resource": {
+                "DataLocation": {
+                  "CatalogId": "123456789012",
+                  "ResourceArn": "arn:aws:glue:us-east-1:123456789012:connection/connection-name"
+                }
+              },
+              "Permissions": ["DATA_LOCATION_ACCESS"]
+            }'
+                    
+