Posted On: May 10, 2021
AWS Lake Formation now supports tagging data lake resources (databases, tables and columns) and creating logical access control policies based on those tags. Tag-based access control (TBAC) decouples policy creation from resource creation which helps data stewards govern large number of databases, tables, and columns by removing the need to update policies every time a new resource is added to the data lake. TBAC ensures that governance can be scaled easily by replacing the policy definition from 1000s of resources down to a small number of logical tags.
With Lake Formation tag-based access control data stewards can define a tag ontology based on data classification and grant access based on tags to IAM principals and SAML principals or groups. Independently, data engineers can attach Tags to resources upon creation. Lake Formation evaluates the effective permissions based on tags at query-time to determine access.