Posted On: Nov 18, 2022
Cross-account sharing version 3 in AWS Lake Formation is now generally available. Version 3 includes features to improve ease of use in granting cross-account permissions using Lake Formation. You can now share AWS Glue Data Catalog resources such as, databases and tables from one account directly to another account’s IAM principals, namely, IAM roles and IAM users. Version 3 eliminates the additional manual step of writing Data Catalog resource policies while using LF-tags based cross-account sharing. Finally, you can share Data Catalog resources with an AWS Organization/Org unit using LF-tags based sharing.
Previously, you were only able to share AWS Glue Data Catalog resources across AWS accounts at the root level. In this scenario, the data lake administrator for the receiving account would need to further delegate access to the shared tables to specific IAM principals. With Version 3, data owners can grant direct access to specific IAM principals in other accounts, removing the additional delegation steps.
When using LF-tags to share resources across accounts, you no longer need to keep your Data Catalog policies in sync. Instead, your receiving account data lake admin will have to accept a data sharing request once.
AWS Lake Formation cross-account sharing version 3 is available in all regions where AWS Lake Formation is available. See documentation for more details.