You're correct. Data filters cannot be applied when using LF-Tags to manage permissions on Data Catalog resources. This is a limitation in AWS Lake Formation.
When you want to implement data filtering (column-level, row-level, or cell-level security), you must use the named resource method to grant permissions directly to the principals (such as IAM users and roles) rather than using LF-Tags.
To apply data filters correctly:
- Use the "Named Data Catalog resources" option when granting permissions in Lake Formation
- Specify the database, table, and data filter explicitly
- Grant the appropriate permissions (like SELECT and DESCRIBE) on the data filter to your principals
For example, when granting table permissions with a data filter:
- Choose "Named Data Catalog resources" (not LF-Tags)
- Select your specific database and table
- Create or select an existing data filter
- Grant the necessary permissions to your IAM role
This approach allows you to implement fine-grained access control at the column, row, or cell level, while the LF-Tag-based approach does not support this functionality.
Sources
Using AWS Lake Formation with Amazon Athena - AWS Lake Formation
Granting data filter permissions - AWS Lake Formation
Enforce fine-grained access control on data lake tables using AWS Glue 5.0 integrated with AWS Lake Formation | AWS Big Data Blog
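The named-resource grant described in the answer above, as an added example that is not part of the original answer or of AWS's own code: it builds the arguments for the boto3 Lake Formation calls `create_data_cells_filter` and `grant_permissions`. The account ID, database, table, filter name, and role ARN are constructed placeholders, and the helper function names are hypothetical.

```python
"""Named-resource grant of a Lake Formation data filter (added example)."""
import json


def filter_definition(catalog_id, database, table, name, row_expr=None, columns=None):
    """Build the TableData argument for lakeformation.create_data_cells_filter."""
    table_data = {
        "TableCatalogId": catalog_id,
        "DatabaseName": database,
        "TableName": table,
        "Name": name,
        # Row level: a filter expression, or every row when none is given.
        "RowFilter": {"FilterExpression": row_expr} if row_expr else {"AllRowsWildcard": {}},
    }
    # Column level: an explicit include list, or all columns.
    if columns:
        table_data["ColumnNames"] = list(columns)
    else:
        table_data["ColumnWildcard"] = {}
    return table_data


def filter_grant(table_data, principal_arn, permissions=("SELECT",)):
    """Build keyword arguments for lakeformation.grant_permissions on that filter."""
    unknown = set(permissions) - {"SELECT", "DESCRIBE", "DROP"}
    if unknown:
        raise ValueError(f"not a data filter permission: {sorted(unknown)}")
    keys = ("TableCatalogId", "DatabaseName", "TableName", "Name")
    return {
        "CatalogId": table_data["TableCatalogId"],
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        # Named resource: the filter is identified explicitly, not via LF-Tags.
        "Resource": {"DataCellsFilter": {k: table_data[k] for k in keys}},
        "Permissions": list(permissions),
    }


def uses_data_filter(grant):
    """True only for a named-resource grant on a data filter (not an LFTagPolicy grant)."""
    return "DataCellsFilter" in grant.get("Resource", {})


def apply_filter_grant(table_data, grant, client=None):
    """Create the filter, then grant it. Needs boto3 and AWS credentials unless a client is passed."""
    if client is None:
        import boto3
        client = boto3.client("lakeformation")
    client.create_data_cells_filter(TableData=table_data)
    client.grant_permissions(**grant)


if __name__ == "__main__":  # constructed sample values
    td = filter_definition("111122223333", "sales_db", "orders", "eu_only", "region = 'EU'", ["order_id", "region"])
    print(json.dumps(filter_grant(td, "arn:aws:iam::111122223333:role/analyst"), indent=2))
```

Running the file only prints the grant request; nothing is sent to AWS until `apply_filter_grant` is called.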
