ministryofjustice/modernisation-platform

Lake Formation Permissions

Closed this issue · 6 comments

User Story

Link here - https://moj.enterprise.slack.com/archives/C01A7QK5VM1/p1729259119036229?thread_ts=1729247612.922859&cid=C01A7QK5VM1

The data sharing with Lake Formation sits within the data engineering role, but long term it probably makes sense to separate it into a distinct role that data engineers may also be able to assume, but could equally sit with the data owner or whatever.

Value / Purpose

Security.

Useful Contacts

No response

Additional Information

No response

Definition of Done

  • Reviewed Role
  • Decided if a new role should be required
  • Created Role

Assuming that a large part of this is a requirement to add LakeFormation administrators, could this be solved by customers using the aws_lakeformation_data_lake_settings resource?

ep-93 commented

So having a specific role for this is because..

makes sense to separate it into a distinct role that data engineers may also be able to assume, but could equally sit with the data owner or whatever.

that way data owners don't have total power?

Initially we said this about RAM permissions in the Slack thread:

We've had a chat within the team regarding this PR and we're declining to approve it for the following two reasons:
  • It would allow cross-account sharing of data (e.g. from production to sandbox), which is something we specifically try and avoid.
  • The permissions would allow a user of that sandbox account to destroy any existing RAM shares.

I have reached out to Matthew Price about this to confirm the current blockers. I don't think there are any, as they can do what is required in the data engineering role, but I wanted to know the drive for separating that out into another role that could be assumed.

Relevant PRs from the Slack thread:

I have also discussed this with @matt-heery and @pricemg . They have tried to make use of the aws_lakeformation_data_lake_settings resource but their needs go beyond simple creation of administrators. I can see on the AWS Provider GitHub issues tracker a number of issues related to how this resource fails to properly strip permissions which explains the need to be able to intervene through the AWS Console. Those requirements are covered in both our sandbox and data-engineer roles.

The requirement for permissions to create RAM shares comes down to how they are embedded within the LakeFormation actions - you can see the AWS Managed Policy AWSLakeFormationCrossAccountManager for more detail.

The easiest way to meet the customer need in the short term would be to either attach AWSLakeFormationCrossAccountManager to the data engineering SSO role through aws_ssoadmin_managed_policy_attachment, or replicate the content of that policy into the attached IAM policy.

NB. Matt & Matthew will raise a GitHub issue in this repository detailing their longer-term needs for us to evaluate and act on.
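The options discussed above, written out as an added Terraform example. This is not code from the modernisation-platform repository: the permission set name, the data source names and the account ID in the Lake Formation admin ARN are assumptions or placeholders. It shows the two short-term routes from the comment above (attach the AWS managed policy, or copy its document into an inline policy where it can later be trimmed) and, for comparison, the aws_lakeformation_data_lake_settings route raised earlier in the thread.

```hcl
# Added example, not from the modernisation-platform repository.
# Assumes the AWS provider is already configured for the member account.

data "aws_ssoadmin_instances" "this" {}

# Assumed: the permission set that backs the data engineering SSO role.
resource "aws_ssoadmin_permission_set" "data_engineer" {
  name         = "data-engineer" # assumed name
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}

# Route 1: attach the AWS managed policy as-is. Note from the thread that
# this policy carries the RAM share create/delete permissions the platform
# team previously declined to grant, so it should be scoped to the
# data engineering role only, not to sandbox users.
resource "aws_ssoadmin_managed_policy_attachment" "lakeformation_cross_account" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  managed_policy_arn = "arn:aws:iam::aws:policy/AWSLakeFormationCrossAccountManager"
  permission_set_arn = aws_ssoadmin_permission_set.data_engineer.arn
}

# Route 2 (use instead of Route 1, not as well as): read the managed policy
# document and embed it as an inline policy on the permission set. Starting
# from the verbatim document lets the team remove statements later without
# waiting on the managed policy.
data "aws_iam_policy" "lakeformation_cross_account" {
  arn = "arn:aws:iam::aws:policy/AWSLakeFormationCrossAccountManager"
}

resource "aws_ssoadmin_permission_set_inline_policy" "lakeformation_cross_account" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  permission_set_arn = aws_ssoadmin_permission_set.data_engineer.arn
  inline_policy      = data.aws_iam_policy.lakeformation_cross_account.policy
}

# For comparison: the resource suggested earlier in the thread, which only
# registers Lake Formation administrators. The thread reports that it did not
# cover the team's needs and that the provider does not reliably strip
# permissions through it, so it is shown here with a placeholder ARN only.
resource "aws_lakeformation_data_lake_settings" "this" {
  admins = [
    "arn:aws:iam::123456789012:role/PLACEHOLDER-data-engineer-role",
  ]
}
```

Route 1 and Route 2 grant the same permissions on day one; the difference is who controls future changes. With the managed policy, AWS can widen the policy without a change in this repository; with the inline copy, any widening or narrowing goes through a pull request, which is the review point the platform team used to decline the earlier RAM change.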

I've reviewed this issue and am moving it to done.