Lake Formation Settings

Configures account-level Lake Formation settings including administrator roles, default IAM Allowed Principals behavior, DataZone admin role creation, and IAM Identity Center integration. Use this module as a prerequisite when setting up Lake Formation-based data governance, to establish admin roles and control whether new Glue resources default to IAM or Lake Formation permissions.

⚠️ Account-Level Module — This module can only be deployed once per AWS account. A second deployment to the same account will fail. See Account-Level Modules for details.


Deployed Resources

This module deploys and integrates the following resources:

LakeFormation Settings - Configures LakeFormation administrator roles and default permissions behavior for IAM Allowed Principals on new Glue Databases/Tables.

DataZone Manage Access Role (Optional) - IAM role with cross-account trust for centralized DataZone data governance, with ARN stored in SSM Parameter Store.

IAM Identity Center Configuration (Optional) - Configures Lake Formation integration with IAM Identity Center for SSO-based access.

LakeFormationSettings


  • Lake Formation Access Control — Deploy fine-grained Lake Formation grants after configuring account-level settings with this module
  • Data Lake — Data lake Lake Formation locations require admin roles configured by this module
  • DataZone — DataZone domains integrate with Lake Formation admin roles configured here
  • SageMaker (Domain) — SageMaker domains integrate with Lake Formation admin roles configured here
  • Glue Catalog Settings — Configure Glue Catalog encryption alongside Lake Formation settings for the account

Security/Compliance Details

This module is designed in alignment with MDAA security/compliance principles and CDK nag rulesets. Additional review is recommended prior to production deployment to ensure organization-specific compliance requirements are met.

  • Least Privilege:
    • Lake Formation admin roles (lakeFormationAdminRoles) control all data access grants
    • IAM Allowed Principals default configurable (disable for strict LF-only governance)
    • Optional CDK deploy role as LF admin for automated deployments
  • Separation of Duties:
    • DataZone admin role with cross-account trust for centralized data governance
    • IAM Identity Center integration for SSO-based Lake Formation access

Configuration

MDAA Config

Add the following snippet to your mdaa.yaml under the modules: section of a domain/env to use this module:

lakeformation-settings: # Module Name can be customized
  module_path: '@aws-mdaa/lakeformation-settings' # Must match module NPM package name
  module_configs:
    - ./lakeformation-settings.yaml # Filename/path can be customized

Module Config Samples and Variants

Copy the contents of the relevant sample config below into the ./lakeformation-settings.yaml file referenced in the MDAA config snippet above.

Minimal Configuration

Required properties only — Lake Formation admin roles and IAM Allowed Principals default. Start here for basic account-level Lake Formation setup with an admin role.

sample-config-minimal.yaml

# Minimal Lake Formation Settings module configuration.
# Contains only required properties for account-level LF settings.

# Lake Formation admin role references
lakeFormationAdminRoles:
  - name: Admin

# Whether to add IAM_ALLOWED_PRINCIPALS by default to new
# databases and tables
iamAllowedPrincipalsDefault: true

Comprehensive Configuration

Covers Lake Formation admin roles, IAM permission defaults, cross-account sharing, DataZone integration, and IAM Identity Center integration for centralized data governance. Start here when evaluating all available options for admin roles, SSO integration, and cross-account DataZone governance.

sample-config-comprehensive.yaml

# Comprehensive Lake Formation Settings module configuration.
# Covers ALL non-excluded properties at full depth including
# Lake Formation admin roles, IAM permission defaults,
# cross-account sharing, DataZone integration, and IAM Identity
# Center integration for centralized data governance.

# Lake Formation admin role references (required).
# Roles can be referenced by name (auto-expanded to ARN), by explicit ARN,
# by MDAA-generated role ID, or as SSO-managed roles.
lakeFormationAdminRoles:
  # Role by name (auto-expanded to ARN at deploy time)
  - name: Admin
  # Role by ARN
  - arn: arn:{{partition}}:iam::{{account}}:role/LakeFormationCrossAccountAdmin
    immutable: true
  # Role by ARN
  - arn: arn:{{partition}}:iam::{{account}}:role/LakeFormationAdmin
  # SSO-managed role (resolved from IAM Identity Center)
  - name: SSOLakeFormationAdmin
    sso: true

# (Required) Controls whether IAM_ALLOWED_PRINCIPALS is added by
# default to new databases and tables. When true, Lake Formation
# defers to IAM policies on Glue catalog resources. When false,
# all permissions must be managed exclusively in Lake Formation.
iamAllowedPrincipalsDefault: true

# (Optional) When true, adds the CDK execution role as a Lake
# Formation admin so CDK deployments can manage Lake Formation
# resources without manual setup.
createCdkLFAdmin: true

# (Optional) When true, creates a dedicated Lake Formation admin
# role for DataZone so DataZone can manage Lake Formation
# permissions in this account.
createDataZoneAdminRole: true

# (Optional) Additional account IDs added to the DataZone admin
# role's trust policy, allowing DataZone in those accounts to
# manage Lake Formation in this account. Requires
# createDataZoneAdminRole: true.
dataZoneAdminTrustAccounts:
  - '{{account}}'

# (Optional) Lake Formation cross-account sharing version.
# Controls which cross-account sharing features are available
# for data mesh and multi-account architectures.
crossAccountVersion: '4'

# (Optional) IAM Identity Center integration for Lake Formation,
# enabling SSO-based data lake access and optional cross-account
# or org sharing via RAM.
iamIdentityCenter:
  # (Required) IAM Identity Center instance ID
  instanceId: ssoins-test-instance-id
  # (Optional) Accounts, organizations, or OUs to share Lake
  # Formation services with via IAM Identity Center
  shares:
    # Share with a specific account
    - '{{account}}'
    # Share with an entire organization
    - 'arn:{{partition}}:organizations::{{account}}:organization/o-exampleorgid'
    # Share with a specific organizational unit
    - 'arn:{{partition}}:organizations::{{account}}:ou/o-exampleorgid/ou-exampleouid'
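As an added example that is not part of the module or its documentation: a small Python audit that compares an account's effective Lake Formation settings (the dict returned by boto3's lakeformation.get_data_lake_settings()) with the posture the config above declares, flagging admin roles that are not in lakeFormationAdminRoles and default permissions that still grant IAM_ALLOWED_PRINCIPALS when iamAllowedPrincipalsDefault is false. The SAMPLE settings and the account ID 111122223333 are constructed placeholders; the expected-admin set and region are assumptions.

```python
"""Audit an account's Lake Formation settings against this module's config. SAMPLE is constructed."""
IAM_ALLOWED = "IAM_ALLOWED_PRINCIPALS"


def _grants_iam_allowed(entries: list) -> bool:
    """True if any default-permission entry targets IAM_ALLOWED_PRINCIPALS."""
    return any(e.get("Principal", {}).get("DataLakePrincipalIdentifier") == IAM_ALLOWED
               for e in entries)


def audit_settings(settings: dict, expected_admins: set,
                   iam_allowed_expected: bool) -> list:
    """Return findings; an empty list means the account matches the config."""
    admins = {a["DataLakePrincipalIdentifier"] for a in settings.get("DataLakeAdmins", [])}
    # Any LF admin outside lakeFormationAdminRoles can grant arbitrary data access
    findings = [f"unexpected LF admin: {a}" for a in sorted(admins - expected_admins)]
    findings += [f"missing LF admin: {a}" for a in sorted(expected_admins - admins)]
    # iamAllowedPrincipalsDefault maps to the two Create*DefaultPermissions lists
    for key in ("CreateDatabaseDefaultPermissions", "CreateTableDefaultPermissions"):
        actual = _grants_iam_allowed(settings.get(key, []))
        if actual != iam_allowed_expected:
            findings.append(f"{key}: IAM_ALLOWED_PRINCIPALS default is {actual}, "
                            f"expected {iam_allowed_expected}")
    return findings


def fetch_settings(region: str = "us-east-1") -> dict:
    """Live fetch; needs boto3, credentials and lakeformation:GetDataLakeSettings."""
    import boto3  # imported lazily so the constructed sample runs offline
    return boto3.client("lakeformation", region_name=region).get_data_lake_settings()["DataLakeSettings"]


# Constructed sample (placeholder account ID): one extra admin, IAM_ALLOWED defaults still on
ACCOUNT = "111122223333"
SAMPLE = {
    "DataLakeAdmins": [{"DataLakePrincipalIdentifier": f"arn:aws:iam::{ACCOUNT}:role/Admin"},
                       {"DataLakePrincipalIdentifier": f"arn:aws:iam::{ACCOUNT}:role/LegacyAdmin"}],
    "CreateDatabaseDefaultPermissions": [{"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED},
                                         "Permissions": ["ALL"]}],
    "CreateTableDefaultPermissions": [{"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED},
                                      "Permissions": ["ALL"]}],
}

if __name__ == "__main__":  # LF-only governance expected: iamAllowedPrincipalsDefault false
    for line in audit_settings(SAMPLE, {f"arn:aws:iam::{ACCOUNT}:role/Admin"}, False):
        print(line)
```

Replace SAMPLE with fetch_settings() to run it against a real account after deploying this module.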

Config Schema Docs