Provide Lake Formation access to view while denying access to underlying Table

0

I have a table that has sensitive information, TABLE_SENSITIVE. I created a view on top of the table that masks the sensitive columns, VIEW_NON_SENSITIVE. I want my user role to get access to VIEW_NON_SENSITIVE, but I don't want the user role to be able to see or query TABLE_SENSITIVE.

Could this be achieved in Lake Formation?

asked 7 months ago, 294 views
1 Answer
1

Hi,

To restrict access to underlying data at an Amazon S3 location, utilize Lake Formation. On the Data Catalog tables pointing to that location, you may provide data access rights (SELECT, INSERT, and DELETE). To restrict the locations for which a principal may create or modify metadata tables, you can also grant a principal data location rights.

The actions listed below must be taken in order for you to succeed:

  • Register your table data's storage location on Amazon S3 with Lake Formation. To do this, you may make use of the Lake Formation console, the API, or the AWS CLI. Additionally, you must define an IAM role with read/write access to that location.
  • Using the Lake Formation interface, the API, or the AWS CLI, grant your user role the SELECT permission on the VIEW_NON_SENSITIVE table. Your user role will now be allowed to query the view but not the underlying table as a result.
  • Don't give your user role any permissions to view or locate data on the TABLE_SENSITIVE database. As a result, your user role won't be allowed to see or query the table.

The AWS documentation has further information and examples on how to issue permissions using Lake Formation.

https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html https://repost.aws/knowledge-center/athena-insufficient-lake-formation-permissions

I hope my answer was helpful. 🙂

answered 7 months ago
  • No, this doesn't work. As the underlying table access is not provided, the select query on the view fails with the error below. Any suggestions on this?

    Insufficient permissions to execute the query. line 1:15: Failed analyzing stored view 'VIEW_NON_SENSITIVE ': Insufficient Lake Formation permission(s) on TABLE_SENSITIVE This query ran against the "hnb_dl01_dev_cmds_curated" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: xxxxxx-xxxxxx-xxxxx-xxxx-2xxxxx69
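As an added example, not code from the question, the answer or AWS, here are the AWS CLI calls behind the answer's steps (register the location, grant SELECT on the view only, and a check that the role holds no grants on TABLE_SENSITIVE), plus a column-level grant using Lake Formation's ExcludedColumnNames, which restricts the sensitive columns without going through a view. The account id, role ARNs, bucket, database name and column names are placeholders; only TABLE_SENSITIVE and VIEW_NON_SENSITIVE come from the question.

```shell
# Added example, not code from the post. ARNs, bucket, database and column
# names are placeholders; only TABLE_SENSITIVE and VIEW_NON_SENSITIVE are from the question.
set -eu
ACCOUNT_ID="123456789012"                                       # placeholder
ANALYST_ROLE="arn:aws:iam::${ACCOUNT_ID}:role/AnalystRole"      # the "user role"
LF_ROLE="arn:aws:iam::${ACCOUNT_ID}:role/LakeFormationDataRole" # placeholder
S3_LOCATION="arn:aws:s3:::example-datalake-bucket/curated/"     # placeholder
DB="example_db"                                                 # placeholder

# Resource JSON for a Data Catalog table (a view is a catalog table too).
table_resource() {
  printf '{"Table":{"DatabaseName":"%s","Name":"%s"}}' "$1" "$2"
}

# Resource JSON for every column of a table EXCEPT those listed after db and table.
table_excluding_columns() {
  db="$1"; table="$2"; shift 2; cols=""
  for c; do cols="${cols:+$cols,}\"$c\""; done
  printf '{"TableWithColumns":{"DatabaseName":"%s","Name":"%s","ColumnWildcard":{"ExcludedColumnNames":[%s]}}}' \
    "$db" "$table" "$cols"
}

# Answer step 1: register the S3 location with a role Lake Formation can assume.
register_location() {
  aws lakeformation register-resource --resource-arn "$S3_LOCATION" --role-arn "$LF_ROLE"
}

# Answer step 2: SELECT on the view only; nothing is granted on TABLE_SENSITIVE.
grant_select_on_view() {
  aws lakeformation grant-permissions \
    --principal "DataLakePrincipalIdentifier=${ANALYST_ROLE}" \
    --permissions SELECT --resource "$(table_resource "$DB" VIEW_NON_SENSITIVE)"
}

# Check for step 3: list what the role holds on the underlying table (expect nothing).
audit_table_grants() {
  aws lakeformation list-permissions \
    --principal "DataLakePrincipalIdentifier=${ANALYST_ROLE}" \
    --resource "$(table_resource "$DB" TABLE_SENSITIVE)"
}

# Column-level alternative: SELECT on TABLE_SENSITIVE minus the sensitive columns,
# which needs no view and grants nothing on the excluded columns.
grant_select_excluding_sensitive_columns() {
  aws lakeformation grant-permissions \
    --principal "DataLakePrincipalIdentifier=${ANALYST_ROLE}" \
    --permissions SELECT \
    --resource "$(table_excluding_columns "$DB" TABLE_SENSITIVE ssn card_number)"
}
```

Run the grant functions as a Lake Formation administrator; the two JSON builders are pure and can be checked without any AWS access.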
