AWS lake-formation documentation change
Summary
Added documentation requiring non-admin users to be granted DATA_LOCATION_ACCESS permissions when creating federated catalogs, including an example CLI command.
Security assessment
The change documents required permissions for non-admin users to prevent access issues but doesn't address a specific security vulnerability. It adds security-related documentation about permission requirements.
Diff
diff --git a/lake-formation/latest/dg/create-fed-catalog-data-source.md b/lake-formation/latest/dg/create-fed-catalog-data-source.md index 9e7e27771..474083e28 100644 --- a//lake-formation/latest/dg/create-fed-catalog-data-source.md +++ b//lake-formation/latest/dg/create-fed-catalog-data-source.md @@ -111 +111,21 @@ AWS CLI - 3. The following example shows how to create a federated catalog. + 3. If you are not a data lake administrator, grant `DATA_LOCATION_ACCESS` on the registered connection to the principal that creates the federated catalog. A data lake administrator has implicit data location permissions and does not need this grant. For more information, see [Implicit Lake Formation permissions](https://docs.aws.amazon.com/lake-formation/latest/dg/implicit-permissions.html). + +The following example shows how to grant `DATA_LOCATION_ACCESS` on a registered connection. + + aws lakeformation grant-permissions \ + --cli-input-json \ + '{ + "Principal": { + "DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/non-admin-role" + }, + "Resource": { + "DataLocation": { + "CatalogId": "123456789012", + "ResourceArn": "arn:aws:glue:us-east-1:123456789012:connection/connection-name" + } + }, + "Permissions": ["DATA_LOCATION_ACCESS"] + }' + + + 4. The following example shows how to create a federated catalog.