AWS Lake Formation policies

AWS Lake Formation protects your data by either granting access to or revoking access from one or more columns via permissions and data filters.

Note AWS Lake Formation does not support data masking.

When you create a data protection standard or data access rule, one or more permissions and data filters are created in AWS Lake Formation. Each permission includes a data filter to control access to data. Additionally, for a data protection standard, AWS Lake Formation tags (LF-tags) are created and assigned to columns.

Note In the following documentation, the term policies refers to AWS Lake Formation permissions and data filters.

Data filters

The following table contains the equivalent AWS Lake Formation data filter for a given Protect masking type.

Protect masking type    Equivalent AWS Lake Formation data filter
Default masking         Exclude
Hashing                 Exclude
Show last               Exclude
No masking              Include

Each data filter belongs to a specific table in your AWS Data Catalog.

A data filter includes the following information:

  • Name: The name of the data filter.
  • Table: The name of the table whose columns are included or excluded.
  • Database: The name of the database that contains the table.
  • Columns: A list of columns to include or exclude in query results.
  • Column-level access: The type of access—either include or exclude—for the columns.
  • Row filter expression: An expression that specifies the rows to include in query results. The value TRUE indicates that all the rows in the table are shown.

AWS inclusion data filter details

Note Protect safeguards your data in AWS Lake Formation by aggregating all the data protection standards and rules so that a single data filter is created in AWS Lake Formation per table per group. If multiple standards or rules exist for excluding columns, a single data filter with all the columns excluded is created. If a rule is then created for including columns, a data filter with all the columns included is created and the previously excluded columns are no longer considered.
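The aggregation behaviour described above, as an added Python illustration (not Protect's or AWS's own code): all exclusion standards and rules for one group and table merge into a single Exclude filter, any inclusion rule for that group and table takes over and the excluded columns are dropped, and the result is expressed in the TableData shape that the Lake Formation CreateDataCellsFilter API accepts. The catalog id, the filter-name scheme and the sample rules are constructed assumptions.

```python
from dataclasses import dataclass

# Masking type -> equivalent Lake Formation data filter (from the table above).
FILTER_KIND = {"Default masking": "Exclude", "Hashing": "Exclude",
               "Show last": "Exclude", "No masking": "Include"}

@dataclass(frozen=True)
class Rule:
    group: str         # group the resulting permission is granted to
    database: str
    table: str
    masking_type: str  # one of FILTER_KIND's keys
    columns: tuple     # columns the standard or rule covers

def aggregate(rules):
    """One filter per (group, database, table): all Exclude rules merge into one
    excluded set; any Include rule wins and the excluded columns are dropped."""
    include, exclude = {}, {}
    for r in rules:
        key = (r.group, r.database, r.table)
        bucket = include if FILTER_KIND[r.masking_type] == "Include" else exclude
        bucket.setdefault(key, set()).update(r.columns)
    return {k: ("Include", sorted(include[k])) if k in include
            else ("Exclude", sorted(exclude[k]))
            for k in set(include) | set(exclude)}

def table_data(key, kind, columns, catalog_id="123456789012"):
    """TableData for lakeformation CreateDataCellsFilter; catalog_id is a
    constructed placeholder account id, the filter name is an assumed scheme."""
    group, database, table = key
    data = {"TableCatalogId": catalog_id, "DatabaseName": database,
            "TableName": table, "Name": f"protect-{group}-{table}",
            "RowFilter": {"AllRowsWildcard": {}}}  # row filter TRUE: all rows
    if kind == "Include":
        data["ColumnNames"] = columns
    else:
        data["ColumnWildcard"] = {"ExcludedColumnNames": columns}
    return data

def visible_columns(table_columns, kind, columns):
    """Columns a principal bound to this filter can query. Hashing and Show last
    become full exclusion here because Lake Formation has no data masking."""
    keep = (lambda c: c in columns) if kind == "Include" else (lambda c: c not in columns)
    return [c for c in table_columns if keep(c)]

# Constructed sample: two masking standards on the same table for one group.
SAMPLE_RULES = (
    Rule("analysts", "sales", "customers", "Default masking", ("ssn",)),
    Rule("analysts", "sales", "customers", "Hashing", ("email",)),
)
```

Running `aggregate` on the sample yields one Exclude filter hiding both columns; adding a No masking rule for the same group and table, in any order, replaces it with an Include filter.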

Revoking existing policies for effective data protection

To effectively protect your AWS Lake Formation data using Protect, you must first revoke any existing AWS Lake Formation policies. Data protection standards and access rules control access to tables and columns for IAM users by creating policies in AWS Lake Formation. To ensure that these policies work as intended, any previous policies granted to those users must be revoked.

Example Suppose that Joe has full access to the customers table. If a data protection standard that hides PII is created and synchronized with AWS Lake Formation, policies are created for Joe. Those policies allow Joe only limited access to the customers table by excluding the PII columns. However, the policies will not work if Joe's existing full access to the customers table is not first revoked.