
Manage Access Audits

The AWS Lake Formation connector provides access auditing capabilities to help organizations track user activity, ensure compliance, and enhance security monitoring. This feature enables you to collect and analyze audit logs from AWS CloudTrail to monitor access to Lake Formation resources.

Prerequisites

Important

Before performing the following steps, you must have an Amazon S3 bucket for storing the audit logs.

Steps to Enable Audit Logs

Step 1: Create Trail in AWS CloudTrail

  1. In the AWS CloudTrail service, go to Dashboard.

  2. Click Create Trail.

  3. On the General Details page, provide the Trail name (such as LF_Cloud_Trail) of your choice.

  4. Provide the S3 storage location of your S3 bucket.

    Note: Make note of the S3 bucket location for CloudTrail logs, for example lf-dev-bucket/AWSLogs/123456789012. You will need it for the LOCATION of the Athena table in Step 2.

  5. Uncheck the Log file SSE-KMS encryption and Log file validation checkboxes.

  6. Click Next.

  7. On the page that appears, under Choose Log Events, enable the checkbox for Management Events and keep the Read and Write checkboxes selected.

  8. Enable the checkbox for Data Events, then scroll down to the Data Events section and select AWS Lake Formation as the Data event type and Log all events as the Log selector template.

  9. Click Next.

  10. Confirm the values and click Create Trail.

Step 2: Create Database and Table for Storing Audit Logs Query Results

Use AWS Athena to create a database and table for storing audit logs query results.

2.1 Create Database

SQL
CREATE DATABASE lf_audit_db;

2.2 Create Table

Replace the LOCATION path

In the following query, replace the LOCATION with your actual Amazon S3 bucket location of the CloudTrail logs.

SQL
CREATE EXTERNAL TABLE lf_audit_db.cloudtrail_logs (
    eventVersion STRING,
    userIdentity STRUCT<
        type: STRING,
        principalId: STRING,
        arn: STRING,
        accountId: STRING,
        invokedBy: STRING,
        accessKeyId: STRING,
        userName: STRING,
        sessionContext: STRUCT<
            attributes: STRUCT<
                mfaAuthenticated: STRING,
                creationDate: STRING>,
            sessionIssuer: STRUCT<
                type: STRING,
                principalId: STRING,
                arn: STRING,
                accountId: STRING,
                userName: STRING>>
    >,
    eventTime STRING,
    eventSource STRING,
    eventName STRING,
    awsRegion STRING,
    sourceIpAddress STRING,
    userAgent STRING,
    errorCode STRING,
    errorMessage STRING,
    requestParameters STRING,
    responseElements STRING,
    additionalEventData STRING,
    requestId STRING,
    eventId STRING,
    resources ARRAY<STRUCT<
        arn: STRING,
        accountId: STRING,
        type: STRING>>,
    eventType STRING,
    apiVersion STRING,
    readOnly STRING,
    recipientAccountId STRING,
    serviceEventDetails STRING,
    sharedEventID STRING,
    vpcEndpointId STRING
)
COMMENT 'CloudTrail table for lakeformation audit logs'
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://<S3_LAKE_FORMATION_AUDITS_BUCKET>/AWSLogs/<OBJECT_PATH>'
TBLPROPERTIES ('classification'='cloudtrail');

Step 3: Configure IAM Policy for Reading Access Audits

IAM Policy Required

Before enabling access audits, ensure that the IAM policy for reading access audits (privacera-lf-audit-read-access-policy) is created and attached to your connector's IAM role.

For detailed instructions on creating and configuring this IAM policy, refer to the IAM Policy for Reading Access Audits section in the Prerequisites documentation.

After creating the policy, attach it to the IAM role that was created during the configuration of the connector.

Configuration Properties

The following table describes all configuration properties for managing access audits in the Lake Formation connector:

| Property Name | Mandatory | Description | Default Value | Example Value |
|---|---|---|---|---|
| CONNECTOR_LAKEFORMATION_AUDIT_ENABLE | Yes | Enables audit logs for the Lake Formation connector. Set to "true" to enable audit logs. | "false" | "true" |
| CONNECTOR_LAKEFORMATION_AUDIT_DB_NAME | Yes | Specifies the AWS audit database name that stores AWS audit logs. | - | "lf_audit_db" |
| CONNECTOR_LAKEFORMATION_AUDIT_TABLE_NAME | Yes | Specifies the AWS audit table name that stores AWS audit logs. This table should reference CloudTrail logs. | - | "cloudtrail_logs" |
| CONNECTOR_LAKEFORMATION_AUDIT_ATHENA_S3_OUTPUT_LOCATION | Yes | Specifies the S3 location to store the access audit logs query results. Format: s3://<bucket-name>/path/. | - | "s3://athena-results-bucket/query-results/" |
| CONNECTOR_LAKEFORMATION_AWS_ATHENA_REGION | No | The AWS region where Athena is located. | - | "us-east-1" |
| CONNECTOR_LAKEFORMATION_AWS_ATHENA_ENDPOINT | No | Custom Athena endpoint URL. | "" | "athena.us-east-1.amazonaws.com:443" |
| CONNECTOR_LAKEFORMATION_AWS_ATHENA_WORKGROUP | No | The Athena workgroup to use for queries. | "" | "primary" |
| CONNECTOR_LAKEFORMATION_AUDIT_SYNC_INTERVAL | No | Specifies the interval in seconds between audit sync operations. | "120" | "300" |
| CONNECTOR_LAKEFORMATION_AUDIT_DELAY_SEC | No | Delay in seconds before processing audit logs. AWS takes time to write CloudTrail logs to S3, so this delay ensures audits are fully written before processing to avoid audit loss. Default is 600 seconds (10 minutes). If audits are missing, increase to 900 or 1200 seconds. Example: with a delay of 600 seconds and a sync interval of 120 seconds, audits appear in the connector after 12 minutes. | "600" | "600" |
| CONNECTOR_LAKEFORMATION_AUDIT_EXCLUDED_USERS | No | Comma-separated list of users to exclude from the audits. Leave empty to include all users. | "" | "user1@example.com, user2@example.com" |
| CONNECTOR_LAKEFORMATION_AUDIT_EXCLUDED_ACCESS_TYPES | No | Comma-separated list of access types to exclude from the audits. Leave empty to include all access types. | "" | "GetQueryExecution, GetDatabases" |
| CONNECTOR_LAKEFORMATION_AUDIT_INCLUDED_SERVICES | No | Comma-separated list of AWS services to include in the audits. Only audit logs from these services will be displayed. | "athena.amazonaws.com, lakeformation.amazonaws.com" | "athena.amazonaws.com, glue.amazonaws.com, lakeformation.amazonaws.com" |
| CONNECTOR_LAKEFORMATION_AUDIT_PROGRESS_REPORT_TRACKER_ENABLE | No | Enable progress tracking for audit operations. | "false" | "false" |
| CONNECTOR_LAKEFORMATION_AUDIT_PROGRESS_COMPLETE_REPORT_ENABLE | No | Enable completion reports for audit operations. | "false" | "false" |
| CONNECTOR_LAKEFORMATION_AUDIT_PROGRESS_COMPLETE_REPORT_INTERVAL_SEC | No | Interval in seconds for generating completion reports. Only applicable if progress reporting is enabled. | "1800" | "1800" |
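The following added example (not Privacera's connector code) models how the sync, delay and filtering properties in the table translate into an Athena query over lf_audit_db.cloudtrail_logs. The function names and the choice to match excluded users on userIdentity.userName are assumptions made here.

```python
# Added example, not Privacera's connector code: models how the properties in
# the table above become an Athena query over lf_audit_db.cloudtrail_logs.
from datetime import datetime, timedelta

TS = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format, sortable as text

def parse_csv(value):
    """Split a comma-separated property value, dropping blank entries."""
    return [v.strip() for v in value.split(",") if v.strip()]

def quoted(values):
    return ", ".join("'" + v + "'" for v in values)

def sync_window(now_ts, last_end_ts, delay_sec):
    """Window (start, end) for one sync run: the end is held back by
    AUDIT_DELAY_SEC so CloudTrail has finished writing to S3; the start is
    where the previous run stopped, so no events are skipped."""
    end = datetime.strptime(now_ts, TS) - timedelta(seconds=delay_sec)
    return last_end_ts, end.strftime(TS)

def worst_case_visibility_sec(delay_sec, interval_sec):
    """Longest wait before an event is visible: it must age past the delay
    and then wait for the next sync tick (600 + 120 = 720 s, i.e. 12 min)."""
    return delay_sec + interval_sec

def build_audit_query(cfg, start_ts, end_ts):
    """Render the SELECT for a window, applying the include/exclude lists."""
    table = (cfg["CONNECTOR_LAKEFORMATION_AUDIT_DB_NAME"] + "."
             + cfg["CONNECTOR_LAKEFORMATION_AUDIT_TABLE_NAME"])
    services = parse_csv(cfg.get("CONNECTOR_LAKEFORMATION_AUDIT_INCLUDED_SERVICES",
                                 "athena.amazonaws.com, lakeformation.amazonaws.com"))
    where = [f"eventSource IN ({quoted(services)})",
             f"eventTime >= '{start_ts}'", f"eventTime < '{end_ts}'"]
    users = parse_csv(cfg.get("CONNECTOR_LAKEFORMATION_AUDIT_EXCLUDED_USERS", ""))
    if users:  # assumption: excluded users are matched on userIdentity.userName
        where.append(f"userIdentity.userName NOT IN ({quoted(users)})")
    types = parse_csv(cfg.get("CONNECTOR_LAKEFORMATION_AUDIT_EXCLUDED_ACCESS_TYPES", ""))
    if types:
        where.append(f"eventName NOT IN ({quoted(types)})")
    return ("SELECT eventTime, eventSource, eventName, userIdentity.userName, "
            "sourceIpAddress, errorCode FROM " + table + " WHERE " + " AND ".join(where))

# Constructed sample configuration mirroring the Setup section values.
SAMPLE_CFG = {
    "CONNECTOR_LAKEFORMATION_AUDIT_DB_NAME": "lf_audit_db",
    "CONNECTOR_LAKEFORMATION_AUDIT_TABLE_NAME": "cloudtrail_logs",
    "CONNECTOR_LAKEFORMATION_AUDIT_EXCLUDED_USERS": "user1@example.com,user2@example.com",
    "CONNECTOR_LAKEFORMATION_AUDIT_EXCLUDED_ACCESS_TYPES": "GetQueryExecution",
}
```

Running build_audit_query(SAMPLE_CFG, *sync_window("2024-01-01T12:00:00Z", "2024-01-01T11:48:00Z", 600)) yields a query whose upper eventTime bound is 11:50:00Z, ten minutes behind the wall clock, which is why a too-small delay drops events that CloudTrail has not yet delivered.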

Setup

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    File name depends on connector mode

    If you have multiple connectors, replace instance1 with the appropriate connector instance name.

    • For push mode

      Bash
      vi ~/privacera/privacera-manager/config/custom-vars/connectors/lakeformation/instance1/vars.connector.lakeformation.push.yml
      

    • For pull mode

      Bash
      vi ~/privacera/privacera-manager/config/custom-vars/connectors/lakeformation/instance1/vars.connector.lakeformation.pull.yml
      

  3. Update or add the following properties:

    Example configuration (adjust the values for your environment):

    YAML
    # Enable access audits
    CONNECTOR_LAKEFORMATION_AUDIT_ENABLE: "true"
    
    # Mandatory configuration
    CONNECTOR_LAKEFORMATION_AUDIT_DB_NAME: "lf_audit_db"
    CONNECTOR_LAKEFORMATION_AUDIT_TABLE_NAME: "cloudtrail_logs"
    CONNECTOR_LAKEFORMATION_AUDIT_ATHENA_S3_OUTPUT_LOCATION: "s3://athena-results-bucket/query-results/"
    
    # Optional Athena configuration
    CONNECTOR_LAKEFORMATION_AWS_ATHENA_REGION: "us-east-1"
    CONNECTOR_LAKEFORMATION_AWS_ATHENA_ENDPOINT: "athena.us-east-1.amazonaws.com:443"
    CONNECTOR_LAKEFORMATION_AWS_ATHENA_WORKGROUP: "primary"
    
    # Audit sync interval
    CONNECTOR_LAKEFORMATION_AUDIT_SYNC_INTERVAL: "300"
    
    # Audit delay
    CONNECTOR_LAKEFORMATION_AUDIT_DELAY_SEC: "600"
    
    # Audit filtering configuration
    CONNECTOR_LAKEFORMATION_AUDIT_EXCLUDED_USERS: "user1@example.com,user2@example.com"
    CONNECTOR_LAKEFORMATION_AUDIT_EXCLUDED_ACCESS_TYPES: "GetQueryExecution"
    CONNECTOR_LAKEFORMATION_AUDIT_INCLUDED_SERVICES: "athena.amazonaws.com, lakeformation.amazonaws.com"
    
    # Optional audit progress reporting
    CONNECTOR_LAKEFORMATION_AUDIT_PROGRESS_REPORT_TRACKER_ENABLE: "true"
    CONNECTOR_LAKEFORMATION_AUDIT_PROGRESS_COMPLETE_REPORT_ENABLE: "true"
    CONNECTOR_LAKEFORMATION_AUDIT_PROGRESS_COMPLETE_REPORT_INTERVAL_SEC: "180"
    
  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:
    Step 1 - Run setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - (Optional) Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on. This step is not required if you are updating only connector properties.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
  1. In the PrivaceraCloud portal, navigate to Settings > Applications.

  2. On the Connected Applications screen, select AWS Lake Formation.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management.

  5. Under BASIC tab:

    • Turn on the Enable access audits toggle.
    • Enter the following required values:
      • Lake formation audit logs database: Enter the AWS audit database name (e.g., lf_audit_db).
      • Lake Formation audit logs table name: Enter the AWS audit table name (e.g., cloudtrail_logs).
      • S3 output location for access audit logs query results: Enter the S3 location for Athena query results (e.g., s3://athena-results-bucket/query-results/).
  6. Under ADVANCED tab:

    • Users to exclude when fetching access audits: Enter comma-separated list of users to exclude (optional). Leave empty to include all users.
  7. Under Add New Custom Properties, you can add the following optional properties:

    Example configuration (adjust the values for your environment):

    Bash
    ranger.policysync.connector.0.aws.athena.region=us-east-1
    ranger.policysync.connector.0.aws.athena.endpoint=athena.us-east-1.amazonaws.com:443
    ranger.policysync.connector.0.aws.athena.workgroup=primary
    ranger.policysync.connector.0.audit.interval.sec=300
    ranger.policysync.connector.0.audit.delay.sec=600
    ranger.policysync.connector.0.audit.excluded.access.types=GetQueryExecution
    ranger.policysync.connector.0.audit.included.services=athena.amazonaws.com, lakeformation.amazonaws.com
    ranger.policysync.connector.0.audit.progress.report.tracker.enable=true
    ranger.policysync.connector.0.audit.progress.complete.report.enable=true
    ranger.policysync.connector.0.audit.progress.complete.report.interval.sec=180
    
  8. Click SAVE to apply the changes.

Limitations

Omitted Query Strings in Lake Formation Access Audits

Access audit logs generated by Lake Formation do not contain the SQL query text executed by users. AWS replaces the actual query strings with ***OMITTED*** in these log files, so Privacera displays ***OMITTED*** as the query string in its UI as part of access audits.

For more information, see Understanding Athena log file entries in the AWS documentation.