AWS Lake Formation permissions
To perform actions in AWS Lake Formation, Protect uses an AWS connection. This AWS connection must be configured with an AWS IAM user that has the following permissions on all the specified services.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:ListDataCatalogs",
                "athena:GetQueryExecution",
                "athena:StartQueryExecution",
                "cloudtrail:LookupEvents",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetConnections",
                "glue:SearchTables",
                "glue:GetTable",
                "glue:GetTableVersions",
                "glue:GetTables",
                "lakeformation:AddLFTagsToResource",
                "lakeformation:CreateDataCellsFilter",
                "lakeformation:CreateLFTag",
                "lakeformation:DeleteDataCellsFilter",
                "lakeformation:DeleteLFTag",
                "lakeformation:GetLFTag",
                "lakeformation:GetResourceLFTags",
                "lakeformation:GrantPermissions",
                "lakeformation:ListDataCellsFilter",
                "lakeformation:ListLFTags",
                "lakeformation:ListPermissions",
                "lakeformation:RemoveLFTagsFromResource",
                "lakeformation:RevokePermissions",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "s3:GetBucketAcl"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "lakeformation:PutDataLakeSettings"
            ],
            "Resource": "*"
        }
    ]
}
```
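The policy above pairs a broad Allow on `"Resource": "*"` with an explicit Deny on `lakeformation:PutDataLakeSettings`. IAM evaluates an explicit Deny before any Allow, so the Deny statement wins even if a later change widened the Allow list to `lakeformation:*`. The Python below is an added example, not code from this page or from Protect: it evaluates one action against an identity policy in that order (explicit Deny, then Allow, then implicit deny) and adds two review checks a practitioner would run before attaching the policy, one for required actions that are not granted and one for wildcard grants. It works on a constructed excerpt of the page's policy with a shortened Allow list; Resource and Condition elements are ignored because the page's policy uses `"*"` and no conditions.

```python
"""Simplified IAM identity-policy evaluator (added example, not Protect's code)."""
import fnmatch

# Constructed excerpt of the page's policy: same two statements, shorter Allow list.
LAKE_FORMATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:ListDataCatalogs",
                "cloudtrail:LookupEvents",
                "glue:GetTable",
                "lakeformation:GrantPermissions",
                "lakeformation:RevokePermissions",
                "s3:ListBucket",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Deny",
            "Action": ["lakeformation:PutDataLakeSettings"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM accepts "Action": "x" as well as "Action": ["x", ...]; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, action):
    """IAM action names match case-insensitively and support '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def evaluate(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action under one policy.

    Mirrors the IAM order: an explicit Deny in any statement wins; otherwise a
    matching Allow grants access; otherwise the request is implicitly denied.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        not_actions = _as_list(stmt.get("NotAction", []))
        hit = _matches(actions, action) or (
            bool(not_actions) and not _matches(not_actions, action)
        )
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny: stop immediately
        decision = "Allow"
    return decision


def missing_required(policy, required):
    """Required actions the policy does not grant (an explicit Deny counts as missing)."""
    return [a for a in required if evaluate(policy, a) != "Allow"]


def wildcard_actions(policy):
    """Allow-statement actions that use wildcards; each one is a least-privilege review item."""
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        found.extend(a for a in _as_list(stmt.get("Action", [])) if "*" in a or "?" in a)
    return found


if __name__ == "__main__":
    for act in ("glue:GetTable", "lakeformation:PutDataLakeSettings", "lakeformation:DeregisterResource"):
        print(f"{act}: {evaluate(LAKE_FORMATION_POLICY, act)}")
    print("wildcards:", wildcard_actions(LAKE_FORMATION_POLICY))
```

Run it as a script to see the three decisions for the excerpt: `glue:GetTable` is allowed, `lakeformation:PutDataLakeSettings` is explicitly denied, and an action the page never lists (such as `lakeformation:DeregisterResource`) falls through to the implicit deny. `missing_required` takes the page's full action list as its `required` argument when you want to confirm that a policy actually deployed in an account still grants everything Protect needs.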
AWS APIs
The following table explains the functions of the AWS APIs that are used by Protect for AWS Lake Formation.
AWS API | Function |
---|---|
athena | Gets information from the AWS Glue Data Catalog. Note: catalog ingestion for AWS databases is performed by using the Amazon Athena service. However, not all the databases ingested from Athena are AWS Lake Formation databases. Hence, Protect needs to identify whether a database ingested from Athena is also recognized by AWS Lake Formation. This is achieved by calling Athena's ListDataCatalogs API. |
cloudtrail | Shows the audit log in Protect. |
glue | Gets a list of tables for a database. |
lakeformation | |