LF Tag-based Permissions

Let's return to the Lake Formation console to set LF tag-based access control for the campaign manager user. You can assign policy tags to Data Catalog resources (databases, tables, and columns) to control access to those resources. Only principals that are granted matching policy tags (and principals that are granted access with the named resource method) can access the resources.

Create Policy Tags

  1. In the navigation pane, under Permissions, choose Policy tags. The Policy tags page will appear.
  2. Click on Add tag. In the Add policy tag dialog box, enter a key named group. For the values, add developer, analyst, and campaign.
  3. Click on Add tag to save them.

Assign LF Tags to Data Catalog Objects

In this section, we are going to assign the newly created tag to the household_demographics table and to a few non-PII columns of the customer table. Follow these steps to apply the tag to the table:
  1. From the navigation pane, select Tables. Choose the dl_tpc_household_demographics table and, on the Actions menu, choose Edit tags. The Edit policy tags: dl_tpc_household_demographics dialog box will appear.
  2. From the Assigned keys box, select group and for the Values, select campaign. Choose Save to finalize the selection.
Now, assign the same tag to a few non-PII columns of the customer table:
  1. From the navigation pane, select Tables. Choose dl_tpc_customer table and go to the table details page.
  2. Click on Edit schema from the Schema section.
  3. From the dl_tpc_customer table, select a few non-PII columns (c_preferred_cust_flag, c_first_sales_date_sk, c_current_cdemo_sk, c_last_review_date_sk, and c_first_shipto_date_sk) and click on Edit tags.
  4. Click on Assign new policy tag. Select group as the keys and for the Values, select campaign. Choose Save to finalize the selection.
  5. Click on Save as new version to save the schema with updated tags. You will be able to see all those assigned policy tags under the Policy tags section.
At this point, you have created a policy tag and assigned it to a few Data Catalog objects. Now, proceed to the next section to grant the principal access through that tag.

Apply LF Tags Security Policies

  1. Click on the Grant button in the Data permissions window.
  2. In the window that pops up, under the Principals section, select lf-campaign-manager from the IAM users and roles drop-down.
  3. Under the Policy tags or catalog resources section, keep the default selected option Resources matched by policy tags. Click on Add policy tag. Select group as Key and campaign as Values.
  4. Under the Column and table permissions, click on Select and Grant this policy.
  5. So far, you have applied LF tag-based access to a few resources for the user lf-campaign-manager. The user still doesn't have access to the tpc database itself. Click on Data permissions and then Grant. Under IAM users and roles, select lf-campaign-manager as the user.
  6. Under Policy tags or catalog resources, select Named data catalog resources. Select tpc from the dropdown. From the Database permissions section, select Describe and finally save the configuration using Grant button.
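The same three stages (create the tag, attach it to the table and columns, grant on the tag expression plus DESCRIBE on the database) expressed as Lake Formation API requests. This is an added example, not part of the workshop; it assumes the tables live in the tpc database, uses a placeholder account id in the principal ARN, and includes expression_matches to show the matching rule from the introduction: a tag grant applies only to resources that carry every key in the expression with one of the listed values.

```python
# Assumptions (not from the workshop page): the tables live in the tpc
# database and the principal ARN is a placeholder for your account id.
DATABASE = "tpc"
PRINCIPAL_ARN = "arn:aws:iam::123456789012:user/lf-campaign-manager"  # placeholder
CAMPAIGN_TAG = [{"TagKey": "group", "TagValues": ["campaign"]}]
NON_PII_COLUMNS = ["c_preferred_cust_flag", "c_first_sales_date_sk",
                   "c_current_cdemo_sk", "c_last_review_date_sk",
                   "c_first_shipto_date_sk"]

def create_tag_request():
    """Create Policy Tags: one key, three allowed values."""
    return {"TagKey": "group", "TagValues": ["developer", "analyst", "campaign"]}

def tag_table_request(table):
    """Attach group=campaign to a whole table."""
    return {"Resource": {"Table": {"DatabaseName": DATABASE, "Name": table}},
            "LFTags": CAMPAIGN_TAG}

def tag_columns_request(table, columns):
    """Attach the tag to selected columns only; untagged PII columns stay unreachable."""
    return {"Resource": {"TableWithColumns": {"DatabaseName": DATABASE, "Name": table,
                                              "ColumnNames": columns}},
            "LFTags": CAMPAIGN_TAG}

def grant_by_tag_request():
    """Apply LF Tags Security Policies: SELECT on every table/column tagged group=campaign."""
    return {"Principal": {"DataLakePrincipalIdentifier": PRINCIPAL_ARN},
            "Resource": {"LFTagPolicy": {"ResourceType": "TABLE", "Expression": CAMPAIGN_TAG}},
            "Permissions": ["SELECT"]}

def grant_database_describe_request():
    """Named-resource grant: the user must be able to DESCRIBE the database itself."""
    return {"Principal": {"DataLakePrincipalIdentifier": PRINCIPAL_ARN},
            "Resource": {"Database": {"Name": DATABASE}},
            "Permissions": ["DESCRIBE"]}

def expression_matches(expression, resource_tags):
    """LF-tag matching rule: every key in the grant expression must be on the
    resource with one of the listed values (AND across keys, OR across values)."""
    return all(resource_tags.get(t["TagKey"]) in t["TagValues"] for t in expression)

if __name__ == "__main__":  # only here do we talk to AWS
    import boto3
    lf = boto3.client("lakeformation")
    lf.create_lf_tag(**create_tag_request())
    lf.add_lf_tags_to_resource(**tag_table_request("dl_tpc_household_demographics"))
    lf.add_lf_tags_to_resource(**tag_columns_request("dl_tpc_customer", NON_PII_COLUMNS))
    lf.grant_permissions(**grant_by_tag_request())
    lf.grant_permissions(**grant_database_describe_request())
```

Columns of dl_tpc_customer that were not tagged (the PII ones) do not match the expression, so the tag grant alone never exposes them; only an explicit named-resource grant would.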
Let's now test the data permissions we defined for the different personas using Amazon Athena.