Hello, I am in the planning phase of a Datalake project and came across LakeFormation, which seems to be the preferred way. I understand that essentially it is a group of S3 buckets, so resiliency & durability are not an issue.
First I want to understand encryption of data at rest in S3 buckets. Should it be AWS managed keys, customer managed KMS keys in the same account, or customer managed KMS keys from a different account? Second, the number of IAM roles based on the least privilege principle. Is there a set number of roles that should be created with set policies based on function like analyst, administrator etc.?
Any other gotchas that I should be aware of? Would appreciate hearing from anyone having experience.
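Whichever key option is chosen for the encryption-at-rest question above, the setting that is easy to get wrong is not the key itself but the enforcement: a bucket can have default SSE-KMS encryption and still accept objects written with a different key unless a bucket policy denies it. The following is an added example, not part of the original post or of any AWS sample: a small evaluator that checks sample `s3:PutObject` request contexts against a bucket policy with two explicit `Deny` statements, one requiring `aws:kms` and one pinning the specific customer managed key. The bucket name and key ARN are placeholders, and the evaluator models only the `StringEquals`/`StringNotEquals` operators, including the IAM rule that a negated operator matches when the condition key is absent from the request, which is why an upload with no encryption header is denied.

```python
"""Simplified check of an S3 bucket policy that forces SSE-KMS with one
specific customer managed key (CMK).

Illustrative only: it models a subset of IAM condition semantics. The bucket
name and the CMK ARN below are placeholders, not real resources.
"""
from typing import Dict, Optional, Tuple

BUCKET = "example-datalake-raw"  # placeholder bucket name
CMK_ARN = (  # placeholder key ARN in the documentation account id
    "arn:aws:kms:us-east-1:123456789012:key/"
    "00000000-0000-0000-0000-000000000000"
)

# Two explicit Deny statements: reject anything that is not SSE-KMS, and
# reject SSE-KMS with any key other than the pinned CMK.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyNonKmsUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            },
        },
        {
            "Sid": "DenyWrongKmsKey",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": CMK_ARN
                }
            },
        },
    ],
}


def _condition_matches(condition: Dict[str, Dict[str, str]], context: Dict[str, str]) -> bool:
    """Evaluate the two string operators this example uses.

    IAM semantics modelled here: a positive operator (StringEquals) fails when
    the key is missing from the request context; a negated operator
    (StringNotEquals) matches when the key is missing.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator in this example: {operator}")
    return True


def put_object_allowed(policy: dict, context: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Return (allowed, denying_sid) for a PutObject request context.

    Assumes the caller's identity policy already grants s3:PutObject, so only
    the bucket policy's explicit Deny statements can block the request.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return False, stmt["Sid"]
    return True, None


# Constructed sample request contexts (the headers S3 exposes as condition keys).
SAMPLE_REQUESTS = {
    "no_header": {},
    "sse_s3": {"s3:x-amz-server-side-encryption": "AES256"},
    "kms_default_key": {"s3:x-amz-server-side-encryption": "aws:kms"},
    "kms_other_key": {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "s3:x-amz-server-side-encryption-aws-kms-key-id": CMK_ARN.replace("0000", "ffff"),
    },
    "kms_pinned_key": {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "s3:x-amz-server-side-encryption-aws-kms-key-id": CMK_ARN,
    },
}


def evaluate_samples() -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run every sample request through the policy; only the pinned key passes."""
    return {name: put_object_allowed(BUCKET_POLICY, ctx) for name, ctx in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (allowed, sid) in evaluate_samples().items():
        print(f"{name:16s} -> {'ALLOW' if allowed else 'DENY by ' + sid}")
```

The point the evaluator makes is that the second statement is what ties the bucket to one key: without it, a writer can supply any KMS key they have `kms:GenerateDataKey` on, including one in another account, and the object still lands in the lake. Before relying on a policy like this in production, confirm the condition behaviour with the IAM policy simulator, since this script deliberately models only a subset of the operators.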