AWS lake-formation documentation change
Summary
Added documentation about DATA_LOCATION_ACCESS permission requirement for federated catalogs with CLI grant example.
Security assessment
New section explains permission requirements for non-admin users to create federated catalogs, including a CLI example for granting DATA_LOCATION_ACCESS. This documents security controls but doesn't address a specific vulnerability.
Diff
diff --git a/lake-formation/latest/dg/connect-data-source-prerequisites.md b/lake-formation/latest/dg/connect-data-source-prerequisites.md index e3494eefe..8337f6e4c 100644 --- a//lake-formation/latest/dg/connect-data-source-prerequisites.md +++ b//lake-formation/latest/dg/connect-data-source-prerequisites.md @@ -139,0 +140,20 @@ If you're not a data lake administrator, you need the Lake Formation `CREATE_CAT +In addition to the `CREATE_CATALOG` permission, you need `DATA_LOCATION_ACCESS` on the registered connection to create a federated catalog. A data lake administrator has implicit data location permissions and does not need this grant. For more information, see [Implicit Lake Formation permissions](https://docs.aws.amazon.com/lake-formation/latest/dg/implicit-permissions.html). + +The following example shows how to grant `DATA_LOCATION_ACCESS` on a registered connection. + + aws lakeformation grant-permissions \ + --cli-input-json \ + '{ + "Principal": { + "DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/non-admin-role" + }, + "Resource": { + "DataLocation": { + "CatalogId": "123456789012", + "ResourceArn": "arn:aws:glue:us-east-1:123456789012:connection/connection-name" + } + }, + "Permissions": ["DATA_LOCATION_ACCESS"] + }' + +