Analytics and Search

Building a Data Lake with AWS Lake Formation - Fine-Grained Access Control and Data Catalog

Establish data lake governance with column-level and row-level fine-grained access control and tag-based management. This article covers integration with Glue Data Catalog and cross-account access.

約 3 分で読めます

Overview of Lake Formation

Lake Formation is a service that simplifies building, managing, and securing data lakes on S3. Traditionally, access control for S3 data lakes was managed through a combination of S3 bucket policies and IAM policies, making column-level and row-level control difficult. Lake Formation manages permissions at four levels - database, table, column, and row - and scales to data lakes with thousands of tables. It applies uniformly to queries from Athena, Redshift Spectrum, and EMR.

Access Control and Tag-Based Management

Lake Formation's permission model grants SELECT, INSERT, and DELETE permissions on databases, tables, and columns to principals (IAM users and roles). Row-level filters restrict access to only rows matching specific conditions, enabling controls such as allowing each department to view only its own data. LF-TBAC lets you attach tags to data (e.g., sensitivity=high) and set tag-based permissions for principals. When new tables are added, permissions are automatically applied if the tags match.

Cross-Account Access and Auditing

Lake Formation's cross-account sharing grants access permissions to tables and databases for other accounts within your Organizations. Using RAM (Resource Access Manager), you create resource links to display shared tables in the consumer account's Glue catalog. Data filters define row-level and cell-level access controls, allowing you to expose different data ranges from the same table to different departments. Integration with CloudTrail records audit logs of who accessed which columns of which tables. Lake Formation's tag-based access control (LF-TBAC) attaches tags to data assets and automatically grants permissions by matching principal tags, which is efficient for large-scale environments. For a comprehensive study of Lake Formation design patterns, refer to technical books on Amazon.

Lake Formation Pricing and Operations

Lake Formation itself incurs no additional charges. Costs depend on the underlying S3 storage, Glue crawlers and jobs, and Athena query usage. When using Lake Formation's transaction feature (Governed Tables), additional charges apply for transaction API calls and storage. Operational costs for permission management are significantly reduced by adopting LF-TBAC, which frees you from managing individual table and column permissions. We recommend registering data locations to place S3 paths under Lake Formation management and fully migrating from hybrid mode, which requires dual management of IAM policies and Lake Formation permissions.

Summary

Lake Formation provides fine-grained access control for S3 data lakes. Column-level and row-level permission management combined with LF-TBAC (tag-based access control) streamlines permission management in large-scale environments, while cross-account sharing enables secure data sharing within Organizations. CloudTrail integration records data access audit logs, building the foundation for data governance.

Related Services

AWS Lake FormationA service that simplifies building, managing, and securing data lakesAWS GlueA serverless ETL service that automates data extraction, transformation, and loadingAmazon AthenaA serverless query service that lets you analyze data in S3 using standard SQL

Related Articles

Data Governance with Amazon DataZone - Data Discovery, Sharing, and Access ControlLearn how to build a domain-based data catalog and implement data discovery, sharing, and access control through subscription workflows.Building a Data Lake with Amazon S3 and Lake Formation - Design Patterns and GovernanceExplore data lake design patterns using S3 as the storage foundation and Lake Formation for fine-grained access control. This article also covers ETL pipelines and cost optimization.Data Lake Governance - Centralized Access Control with AWS Lake FormationLearn about building, access control, and governance for data lakes using AWS Lake Formation. This article covers fine-grained column-level and row-level permission management for S3-based data lakes, along with Glue and Athena integration.

More on This Topic

Practical Use Cases for Amazon Quick - Department-Specific Scenarios and Workflow Automation Design PatternsExplore concrete use cases for sales, IT, and finance departments, along with design patterns for notifications, approvals, and multi-step workflows using Quick Flows.BI Dashboard Visualization - Building a Data-Driven Decision Platform with Amazon QuickSightExplains how to build interactive BI dashboards with Amazon QuickSight and a serverless data analytics platform with Athena integration. Covers high-speed visualization with the SPICE engine and practical methods for sharing insights across the organization.Building Blockchain Networks - Leveraging Distributed Ledgers with Amazon Managed Blockchain and QLDBExplains how to build blockchain networks with Amazon Managed Blockchain and use Amazon QLDB as a verifiable ledger database. Covers practical use cases such as supply chain management and ensuring transparency in financial transactions.Privacy-Preserving Data Collaboration with AWS Clean RoomsRun joint analysis across multiple companies without sharing or copying data. Learn about aggregation rules for preventing individual identification and Cryptographic Computing for encrypted analysis.Customer Identity Unification - Resolving Scattered Customer Data with AWS Entity ResolutionLearn how to perform entity resolution (record matching) on customer data using AWS Entity Resolution. This article covers ML-based matching, rule-based matching, privacy protection, and integration with Clean Rooms.Leveraging Third-Party Data with AWS Data Exchange - Data Procurement and Subscription ManagementProcure third-party data products via Marketplace and build automated delivery pipelines to S3. This article also covers how to productize and monetize your own data.Building a Data Lake with Amazon S3 and Lake Formation - Design Patterns and GovernanceExplore data lake design patterns using S3 as the storage foundation and Lake Formation for fine-grained access control. This article also covers ETL pipelines and cost optimization.Data Lake Governance - Centralized Access Control with AWS Lake FormationLearn about building, access control, and governance for data lakes using AWS Lake Formation. This article covers fine-grained column-level and row-level permission management for S3-based data lakes, along with Glue and Athena integration.

Similar Articles and Services

Data Lake Governance - Centralized Access Control with AWS Lake FormationLearn about building, access control, and governance for data lakes using AWS Lake Formation. This article covers fine-grained column-level and row-level permission management for S3-based data lakes, along with Glue and Athena integration.AWS Lake FormationA service that centralizes data lake construction, management, and security, providing column-level and row-level fine-grained access control for data on S3Building a Data Lake with Amazon S3 and Lake Formation - Design Patterns and GovernanceExplore data lake design patterns using S3 as the storage foundation and Lake Formation for fine-grained access control. This article also covers ETL pipelines and cost optimization.AWS Data Analytics and Data Lakes - The Integrated Ecosystem of Athena, Glue, Lake Formation, and RedshiftExplore the integrated data analytics stack of AWS Athena, Glue, Lake Formation, Redshift, and QuickSight, comparing it with Azure Synapse Analytics and GCP BigQuery to highlight AWS's advantages in ecosystem integration.