How to best handle lake formation row level security from a shared IAM role
We have a BI feature where a web app which uses non-AWS authentication queries Athena for data which is Hive partitioned by customer. Currently any BI query gets modified to filter data down to just the partition that the user has access to, but we would like to migrate to using the new row-level security with Lake Formation.
Since the backend is currently running under a single IAM role with access to all data, what is the best way to go forward with this? Would we need to have a process that creates an LF filter for each customer/table combo, then create an IAM role for each customer, grant the LF filters to each role, and use STS to assume that customer role when invoking Athena?
Is there an easier way with STS that can handle the filters and grants a little more dynamically without having to statically define each filter?
Create a set of IAM roles based on user personas and grant access to those data elements from Lake Formation to grant safer access to sensitive datasets. In turn those users can use the same IAM role to create QuickSight or other dashboards using Athena as a source.
Map these roles to on-prem AD groups in case they are using single sign-on.
Currently, you need to define each filter via the console or the APIs, and then assign the permissions to each role, as you mentioned.
An example implementation is described in this blog post.
If your customers need access to their full partition, you grant access only via that specific web app, and there is no need for additional filters at the row or cell level, you may not need to go for row or cell filtering.
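The per-customer filter, grant and STS assume-role flow this answer describes, as an added example in Python/boto3 that is not part of the original post. The catalog id, database, table, partition column `customer_id`, role ARN and S3 output location are assumed placeholders; the two Lake Formation calls and the Athena call need real AWS credentials, while the request builders can be checked offline.

```python
import re

# Constructed placeholder values (assumptions, not from the original post).
CATALOG_ID = "111122223333"           # placeholder AWS account id owning the Glue catalog
DATABASE, TABLE = "bi_db", "events"   # hypothetical Glue table partitioned by customer_id
CUSTOMER_ID_RE = re.compile(r"^[a-z0-9_-]{1,64}$")

def customer_filter_name(customer_id: str) -> str:
    """One data cells filter per customer/table combo, named deterministically."""
    if not CUSTOMER_ID_RE.match(customer_id):
        # Never interpolate an unvalidated value into a row filter expression.
        raise ValueError(f"invalid customer id: {customer_id!r}")
    return f"{TABLE}_{customer_id}"

def build_row_filter(customer_id: str) -> dict:
    """TableData argument for LakeFormation.create_data_cells_filter."""
    return {
        "TableCatalogId": CATALOG_ID,
        "DatabaseName": DATABASE,
        "TableName": TABLE,
        "Name": customer_filter_name(customer_id),
        "RowFilter": {"FilterExpression": f"customer_id = '{customer_id}'"},
        "ColumnWildcard": {},  # all columns; use ColumnNames instead to restrict cells
    }

def build_grant(customer_id: str, role_arn: str) -> dict:
    """Keyword arguments for LakeFormation.grant_permissions: SELECT through the filter only."""
    return {
        "Principal": {"DataLakePrincipalIdentifier": role_arn},
        "Resource": {"DataCellsFilter": {
            "TableCatalogId": CATALOG_ID, "DatabaseName": DATABASE,
            "TableName": TABLE, "Name": customer_filter_name(customer_id)}},
        "Permissions": ["SELECT"],
    }

def provision_customer(customer_id: str, role_arn: str) -> None:
    """Create the customer's filter and grant the customer role SELECT on it."""
    import boto3  # imported here so the builders above stay importable without AWS access
    lf = boto3.client("lakeformation")
    lf.create_data_cells_filter(TableData=build_row_filter(customer_id))
    lf.grant_permissions(**build_grant(customer_id, role_arn))

def query_as_customer(customer_id: str, role_arn: str, sql: str, output_s3: str) -> str:
    """Assume the per-customer role with STS, then run the Athena query with those credentials."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=f"bi-{customer_filter_name(customer_id)}")["Credentials"]
    athena = boto3.client("athena", aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])
    return athena.start_query_execution(QueryString=sql, QueryExecutionContext={"Database": DATABASE},
        ResultConfiguration={"OutputLocation": output_s3})["QueryExecutionId"]
```

Because the backend's own role is never granted SELECT on the table, a bug that skips the assume-role step fails closed instead of returning all customers' rows.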
Please note the question is whether there is a different way to define the filters that is more dynamic.