By using AWS re:Post, you agree to the Terms of Use
/Glue "Column Level Access" without LakeFormation/

Glue "Column Level Access" without LakeFormation

0

Customer is going to implement a DataLake solution in an AWS region without LakeFormation and they want to implement the Column Level Access with AWS native IAM/Services. Is there any work around for this requirement?

asked 2 years ago12 views
1 Answers
0
Accepted Answer

With IAM , you can only work till a glue table. It’s access to table or not and on a S3 object ( file), it’s access to a file or not.

For fine grain access (RBAC/ABAC) on file contents ( rows and columns ), you would need EMR +Ranger which will provide you with an option to specify policies that can help with fine grain access. Since you have not mentioned how the customer wants to read the data ( ex EMR/Athena ), you can think of serving the data via redshift which has its own fine authorization constructs.

If you really want to achieve and have some breather to have copies of table definitions ( ex TableA_clear/TableA_priv which excludes the columns etc ) , then you can play with

https://docs.aws.amazon.com/athena/latest/ug/fine-grained-access-to-glue-resources.html And grant access to tables. Ideally , you are creating table definitions by removing the columns that you don’t want to show to some users ( proactively defining the ddls rather than run time policy binding that you get from Ranger or Lakeformation ) — not recommended at all.

I would also advise any customer to start exploring Lakeformation as it brings the centralized model of specifying and managing security and access policies over lake artifacts which are modeled to be used as databases and tables . Any reason why they are not willing to use Lakeformation?

EXPERT
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions