
Lakeformation Settings

The LakeFormation Settings CDK application is used to configure an account's LakeFormation Settings, including administrator roles and default permissions for databases/tables. The LakeFormation Settings app should be deployed only once per account.


Deployed Resources and Compliance Details

LakeFormationSettings

LakeFormation Settings - Deployed to configure LakeFormation admins and default permissions

  • Data Lake Administrator access granted to lakeFormationAdminRoles
  • Controls default LF behaviour for IAM Allowed Principals on new Glue Databases/Tables
  • IAM Allowed Principals defaults should be disabled when using LakeFormation

Configuration

MDAA Config

Add the following snippet to your mdaa.yaml under the modules: section of a domain/env in order to use this module:

lakeformation-settings: # Module Name can be customized
  module_path: '@aws-mdaa/lakeformation-settings' # Must match module NPM package name
  module_configs:
    - ./lakeformation-settings.yaml # Filename/path can be customized

Module Config (./lakeformation-settings.yaml)

Config Schema Docs

# The list of Lake Formation Admin role references
lakeFormationAdminRoles:
  - name: Admin

# If true, LakeFormation will add IAM_ALLOWED_PRINCIPALS
# permission by default to all new databases and tables.
# This results in LakeFormation deferring to IAM permissions
# which may have been granted via IAM policies directly against
# Glue catalog resources.
# If false (default), all permissions must be managed exclusively within
# LakeFormation.
iamAllowedPrincipalsDefault: true

# If set to true, MDAA will assign the CDK deploy role as an LF (Lake Formation) admin
createCdkLFAdmin: true

# If set to true, MDAA will create a DataZone Admin role and assign it
# as an LF (Lake Formation) admin
createDataZoneAdminRole: true

# Optional - If specified, the assume-role trust policy of the DataZone LF admin role will also trust
# the listed accounts, so that DataZone running in those accounts can manage LF in this account.
# This is useful when this account is associated with a DataZone/SageMaker domain in another account.
dataZoneAdminTrustAccounts:
  - trusted-account-num

# If specified, Lake Formation will be integrated with IAM Identity Center
iamIdentityCenter:
  # The IAM Identity Center instance ID
  instanceId: ssoins-test-instance-id
  # (Optional) - Accounts, Orgs, Organizational Units with which to share LakeFormation services via IAM Identity Center
  shares:
    # Example of an account to be shared with
    - 'test-account'
    # Example of an Org Id to be shared with
    - 'arn:aws:organizations::test-account:organization/test-org-id'
    # Example of an OU to be shared with
    - 'arn:aws:organizations::test-account:ou/test-org-id/test-ou-id'
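The settings above only declare intent; because the module is deployed once per account and admins or default permissions can later be changed by hand, a post-deployment check is worth having. The following is an added example (not MDAA or module code) that audits the response of Lake Formation's `get_data_lake_settings` API against the config's intent: only the configured admin roles hold Data Lake Administrator, and `IAM_ALLOWED_PRINCIPALS` is not granted by default on new databases/tables unless `iamAllowedPrincipalsDefault` is true. The sample response, account ID and role names are constructed.

```python
"""Audit Lake Formation account settings against the lakeformation-settings
module config (expected admin roles, iamAllowedPrincipalsDefault)."""

IAM_ALLOWED = "IAM_ALLOWED_PRINCIPALS"


def audit_data_lake_settings(response, expected_admin_arns, iam_allowed_default=False):
    """Return a list of finding strings for a get_data_lake_settings() response.

    `response` has the shape boto3's lakeformation.get_data_lake_settings() returns.
    `expected_admin_arns` are the role ARNs the config intends to be LF admins
    (lakeFormationAdminRoles plus any CDK/DataZone admin roles the module adds).
    `iam_allowed_default` mirrors the iamAllowedPrincipalsDefault config value.
    """
    settings = response.get("DataLakeSettings", {})
    findings = []

    actual = {a["DataLakePrincipalIdentifier"] for a in settings.get("DataLakeAdmins", [])}
    expected = set(expected_admin_arns)
    for arn in sorted(actual - expected):  # admins added outside the config
        findings.append(f"unexpected Data Lake Administrator: {arn}")
    for arn in sorted(expected - actual):  # configured admins that were removed
        findings.append(f"missing Data Lake Administrator: {arn}")

    for key in ("CreateDatabaseDefaultPermissions", "CreateTableDefaultPermissions"):
        grants_iam_allowed = any(
            p.get("Principal", {}).get("DataLakePrincipalIdentifier") == IAM_ALLOWED
            for p in settings.get(key, [])
        )
        if grants_iam_allowed and not iam_allowed_default:
            findings.append(f"{key} grants {IAM_ALLOWED} (new objects defer to IAM policies)")
        if not grants_iam_allowed and iam_allowed_default:
            findings.append(f"{key} does not grant {IAM_ALLOWED} although iamAllowedPrincipalsDefault is true")
    return findings


# Constructed sample response (not captured from a real account): one admin is
# not in the config, and the table default still defers to IAM.
SAMPLE_RESPONSE = {
    "DataLakeSettings": {
        "DataLakeAdmins": [
            {"DataLakePrincipalIdentifier": "arn:aws:iam::111111111111:role/Admin"},
            {"DataLakePrincipalIdentifier": "arn:aws:iam::111111111111:role/LegacyAdmin"},
        ],
        "CreateDatabaseDefaultPermissions": [],
        "CreateTableDefaultPermissions": [
            {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED}, "Permissions": ["ALL"]}
        ],
    }
}

if __name__ == "__main__":
    import boto3  # only needed for a live check against the deployed account
    live = boto3.client("lakeformation").get_data_lake_settings()
    print("\n".join(audit_data_lake_settings(live, {"arn:aws:iam::111111111111:role/Admin"})))
```

Run against the sample, the audit reports the stray `LegacyAdmin` role and the table default that still grants `IAM_ALLOWED_PRINCIPALS`; an empty list means the account matches the config.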