Skip to content

Lake Formation Access Control

Note: This documentation is also available in a rendered format here.

Deploys Lake Formation fine-grained access grants for databases and tables, supporting federated users/groups, IAM roles, and cross-account resource links. This module should be used to manage LF grants to Glue resources created outside of MDAA. For Glue resources created within the DataOps Project module, grants can be configured within the module itself. Use this module when you need to grant specific users, groups, or roles read, write, or admin access to Glue databases and tables that were created outside of your DataOps projects.

Deployed Resources

This module deploys and integrates the following resources:

Lake Formation Access Grants - Grants deployed for each specification in the config.

  • Database or table scoped grants (read, write, or super)
  • Supports role, federated user, and federated group principals

Lake Formation Cross Account Resource Link Grants - Optional cross-account describe grants pointing to resource links.

LakeFormation

  • Lake Formation Settings — Configure account-level Lake Formation admin roles and IAM Allowed Principals behavior before deploying access grants
  • Data Lake — Data lake buckets register Lake Formation locations that this module can grant access to
  • DataOps Project — DataOps projects can configure Lake Formation grants directly; use this module for Glue resources created outside of MDAA
  • Roles — Create IAM roles that can be used as principals for Lake Formation grants
  • Glue Catalog Settings — Configure cross-account Glue Catalog access for resource link grants

Security/Compliance Details

This module is designed in alignment with MDAA security/compliance principles and CDK nag rulesets. Additional review is recommended prior to production deployment, ensuring organization-specific compliance requirements are met.

  • Least Privilege:
    • Fine-grained Lake Formation grants at database and table level
    • Three permission tiers: read (SELECT/DESCRIBE), write (INSERT/DELETE), and super (ALTER/DROP)
  • Separation of Duties:
    • Supports SAML-federated users and groups via IAM identity providers
    • Cross-account resource links with describe grants for data mesh/hub-spoke architectures

Configuration

MDAA Config

Add the following snippet to your mdaa.yaml under the modules: section of a domain/env in order to use this module:

lakeformation-access-control: # Module Name can be customized
  module_path: '@aws-mdaa/lakeformation-access-control' # Must match module NPM package name
  module_configs:
    - ./lakeformation-access-control.yaml # Filename/path can be customized

Module Config Samples and Variants

Copy the contents of the relevant sample config below into the ./lakeformation-access-control.yaml file referenced in the MDAA config snippet above.

Minimal Configuration

Required properties only — a single IAM role principal with a basic database grant. Start here for a straightforward Lake Formation grant to one role on one database.

sample-config-minimal.yaml

# Contents available via above link
# Minimal LakeFormation Access Control module configuration.
# Contains only required properties for a basic grant.

# Principals referenced by grants
principals:
  principalA:
    # See CONFIGURATION.md for role reference options (name, arn, id).
    role:
      name: Admin

# Lake Formation grants
grants:
  example_grant:
    database: example_database
    principals:
      - principalA

Comprehensive Configuration

All optional properties covered — federation providers, federated user/group and IAM role principals, database and table-scoped permissions, and local/cross-account resource links. Start here when evaluating all available options for principal types, permission tiers, and cross-account resource link grants.

sample-config-comprehensive.yaml

# Contents available via above link
# Comprehensive sample config for the LakeFormation Access Control module.
# Exercises ALL non-excluded properties from config-schema.json at full depth,
# including all enum values, optional fields, and cross-account scenarios.

# (Optional) Maps federation provider logical names to IAM SAML identity provider ARNs.
# Referenced by PrincipalConfig.federationProvider to resolve federated identities.
federationProviders:
  # Multiple providers to demonstrate multi-provider federation
  ExampleProvider: arn:{{partition}}:iam::{{account}}:saml-provider/test-provider
  SecondaryProvider: arn:{{partition}}:iam::{{account}}:saml-provider/secondary-provider

# Named principal definitions for Lake Formation grant assignment.
# Supports federated groups, federated users, and IAM roles.
principals:
  # Federated group principal (requires federationProvider)
  fedGroupPrincipal:
    federatedGroup: test-group1
    federationProvider: ExampleProvider

  # Federated user principal (requires federationProvider)
  fedUserPrincipal:
    federatedUser: test-user@example.com
    federationProvider: ExampleProvider

  # Federated group using secondary provider
  secondaryGroupPrincipal:
    federatedGroup: secondary-group
    federationProvider: SecondaryProvider

  # IAM role principal referenced by name
  roleByNamePrincipal:
    # See CONFIGURATION.md for role reference options (name, arn, id).
    role:
      name: Admin

  # IAM role principal referenced by ARN
  roleByArnPrincipal:
    role:
      arn: arn:{{partition}}:iam::{{account}}:role/Admin

  # IAM role principal referenced by unique ID
  roleByIdPrincipal:
    role:
      id: AROAEXAMPLEID12345

  # IAM role with immutable flag (externally managed, not modified by MDAA)
  immutableRolePrincipal:
    role:
      name: ExternallyManagedRole
      immutable: true

  # IAM role with SSO flag (AWS IAM Identity Center auto-generated role)
  ssoRolePrincipal:
    role:
      name: AWSReservedSSO_ReadOnlyAccess
      sso: true

# Named Lake Formation grant configurations defining database/table-level access control.
# Each grant specifies a target database, optional tables, permission levels, and recipient principals.
grants:
  # Grant with 'read' permissions (default) on specific tables
  read_grant:
    database: example_database
    # databasePermissions: read → [DESCRIBE]
    databasePermissions: read
    # tablePermissions: read → [SELECT, DESCRIBE]
    tablePermissions: read
    tables:
      - example_table1
    principals:
      - fedGroupPrincipal
      - fedUserPrincipal

  # Grant with 'write' permissions on specific tables
  write_grant:
    database: example_database
    # databasePermissions: write → [DESCRIBE, CREATE_TABLE, ALTER]
    databasePermissions: write
    # tablePermissions: write → [SELECT, DESCRIBE, INSERT, DELETE]
    tablePermissions: write
    tables:
      - example_table2
    principals:
      - roleByNamePrincipal

  # Grant with 'super' permissions (full admin) on wildcard tables
  super_grant:
    database: admin_database
    # databasePermissions: super → [DESCRIBE, CREATE_TABLE, ALTER, DROP]
    databasePermissions: super
    # tablePermissions: super → [SELECT, DESCRIBE, INSERT, DELETE, ALTER, DROP]
    tablePermissions: super
    # Wildcard '*' grants on all tables in the database
    tables:
      - '*'
    principals:
      - roleByArnPrincipal
      - immutableRolePrincipal

  # Database-only grant (no tables specified → only database-level permissions apply)
  database_only_grant:
    database: metadata_database
    databasePermissions: read
    principals:
      - secondaryGroupPrincipal
      - ssoRolePrincipal

  # Multi-principal grant covering all principal types
  multi_principal_grant:
    database: shared_database
    databasePermissions: write
    tablePermissions: read
    tables:
      - shared_table
    principals:
      - fedGroupPrincipal
      - fedUserPrincipal
      - roleByNamePrincipal
      - roleByIdPrincipal

# (Optional) Named resource link configurations for cross-account database sharing.
# Each resource link creates a local Glue database reference pointing to a database in another account.
resourceLinks:
  # Local resource link (fromAccount omitted → created in local/deployment account)
  local_resource_link:
    targetDatabase: example_database
    # Principals granted DESCRIBE access to the resource link
    grantPrincipals:
      - roleByNamePrincipal
      - fedGroupPrincipal

  # Cross-account resource link with explicit target account
  cross_account_resource_link:
    targetDatabase: remote_database
    # AWS account ID where the target database exists
    targetAccount: '{{context:account-2}}'
    grantPrincipals:
      - roleByArnPrincipal

  # Resource link created in a remote account (fromAccount specified)
  # fromAccount must match an account in additional_stacks for cross-account deployment
  remote_resource_link:
    targetDatabase: another_remote_database
    # Account where the resource link will be created (must be in additional_stacks)
    fromAccount: '{{context:account-2}}'
    # Account where the target database exists
    targetAccount: '{{context:account-2}}'
    grantPrincipals:
      - fedGroupPrincipal
      - fedUserPrincipal

  # Minimal resource link (only required targetDatabase)
  minimal_resource_link:
    targetDatabase: minimal_target_database

Config Schema Docs