One of the key features of AWS Lake Formation is its ability to secure access to data in your data lake. Lake Formation provides its own permissions model that augments the AWS Identity and Access Management (IAM) permissions model: a principal needs both an IAM policy that allows the underlying API calls and a Lake Formation grant on the Data Catalog resource before it can read the data. For this workshop, we will secure access to the data imported into the TPC catalog. As a refresher, we have four different personas in this workshop.
- Admin user (lf-admin): a user with administrative privileges. The admin user can access the Data Catalog and the data locations and, as a data lake administrator, receives implicit grants of additional Lake Formation permissions.
- Developer (lf-developer): a user who has full access to the web_page and web_sales tables. Using this user, we will demonstrate table-based access control.
- Business Analyst (lf-business-analyst): a user who has access to the customer table but not to its PII columns (e.g. first name, last name, birth information). Using this user, we will demonstrate column-based access control on a table.
- Campaign Manager (lf-campaign-manager): a user who has access only to those resources that are tagged with campaign. Using this user, we will demonstrate LF-Tag-based access control across different Data Catalog objects.
The following chart shows a summary of different users and their permissions to different objects:
Lake Formation blueprints create a few temporary tables for the ingestion process; all temporary table names start with an underscore (_) prefix, for example _dl_tpc_customer. The rest of the exercises EXCLUDE all temporary tables.
Let's go ahead and apply these permissions in Lake Formation.
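The following script is an added example, not part of the workshop material: it builds the Lake Formation GrantPermissions requests for the three non-admin personas (table-based for lf-developer, column-based with excluded PII columns for lf-business-analyst, LF-Tag-based for lf-campaign-manager), skips the blueprint temporary tables, and applies the grants with boto3 when run directly. Everything the page does not state is assumed: the Glue database is named `tpc`, the principals are IAM users in the placeholder account `123456789012`, the PII column names follow TPC-DS naming (`c_first_name`, `c_last_name`, `c_birth_day`, `c_birth_month`, `c_birth_year`, `c_birth_country`), and the campaign tag is the LF-Tag key `campaign` with the value `true`.

```python
"""Added example (not from the workshop): build and apply Lake Formation grants
for the lf-developer, lf-business-analyst and lf-campaign-manager personas."""

ACCOUNT_ID = "123456789012"   # assumed placeholder account id
DATABASE = "tpc"              # assumed database name for the TPC catalog
# Assumed TPC-DS style PII columns of the customer table.
PII_COLUMNS = ["c_first_name", "c_last_name", "c_birth_day",
               "c_birth_month", "c_birth_year", "c_birth_country"]


def principal(user_name):
    """DataLakePrincipalIdentifier for an IAM user in the assumed account."""
    return {"DataLakePrincipalIdentifier":
            f"arn:aws:iam::{ACCOUNT_ID}:user/{user_name}"}


def is_temp_table(name):
    """Blueprint staging tables start with '_' (e.g. _dl_tpc_customer)."""
    return name.startswith("_")


def real_tables(names):
    """Drop the blueprint temporary tables from a list of table names."""
    return [n for n in names if not is_temp_table(n)]


def table_grant(user_name, table_name, permissions=("SELECT", "DESCRIBE")):
    """Table-based access: the whole table with no column restriction."""
    return {
        "Principal": principal(user_name),
        "Resource": {"Table": {"CatalogId": ACCOUNT_ID,
                               "DatabaseName": DATABASE,
                               "Name": table_name}},
        "Permissions": list(permissions),
    }


def column_grant_excluding(user_name, table_name, excluded_columns):
    """Column-based access: every column except the excluded (PII) ones.
    ColumnWildcard + ExcludedColumnNames keeps future non-PII columns visible
    without another grant, while new PII columns must be added to the list."""
    return {
        "Principal": principal(user_name),
        "Resource": {"TableWithColumns": {
            "CatalogId": ACCOUNT_ID,
            "DatabaseName": DATABASE,
            "Name": table_name,
            "ColumnWildcard": {"ExcludedColumnNames": sorted(excluded_columns)},
        }},
        "Permissions": ["SELECT"],
    }


def lf_tag_grant(user_name, tag_key, tag_values, resource_type, permissions):
    """LF-Tag-based access: applies to every resource of resource_type
    (DATABASE or TABLE) whose tags satisfy the expression, now or later."""
    return {
        "Principal": principal(user_name),
        "Resource": {"LFTagPolicy": {
            "CatalogId": ACCOUNT_ID,
            "ResourceType": resource_type,
            "Expression": [{"TagKey": tag_key, "TagValues": list(tag_values)}],
        }},
        "Permissions": list(permissions),
    }


def workshop_grants():
    """All grants for the three non-admin personas."""
    grants = [table_grant("lf-developer", t) for t in real_tables(
        ["web_page", "web_sales", "_dl_tpc_web_page", "_dl_tpc_web_sales"])]
    grants.append(column_grant_excluding("lf-business-analyst", "customer", PII_COLUMNS))
    # DESCRIBE on tagged databases lets the user list them; SELECT/DESCRIBE on
    # tagged tables lets the user query them. Assumed tag: campaign=true.
    grants.append(lf_tag_grant("lf-campaign-manager", "campaign", ["true"],
                               "DATABASE", ["DESCRIBE"]))
    grants.append(lf_tag_grant("lf-campaign-manager", "campaign", ["true"],
                               "TABLE", ["SELECT", "DESCRIBE"]))
    return grants


def apply_grants(client, grants):
    """Send each grant via the Lake Formation GrantPermissions API.
    `client` is any object with a boto3-style grant_permissions method."""
    for g in grants:
        client.grant_permissions(**g)
    return len(grants)


if __name__ == "__main__":
    import boto3  # imported here so the module loads without boto3 installed
    applied = apply_grants(boto3.client("lakeformation"), workshop_grants())
    print(f"applied {applied} grants")
```

Run it with credentials of a Lake Formation data lake administrator; each call must be made by a principal that holds the permission with grant option. After applying, verify the result the way a reviewer would: sign in as lf-business-analyst and confirm that `SELECT *` on customer in Athena returns no `c_first_name` column, and that the `_dl_tpc_*` tables are not visible to any of the three non-admin users.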