
AWS Lake Formation - Pull Mode

Connector configuration modes

This document describes the configuration modes for the AWS Lake Formation connector with Privacera using the Pull mode. If you are looking for information about Push mode, then refer to AWS Lake Formation - Push mode. To understand the differences between Push Mode and Pull Mode, refer to Comparison of Push and Pull Modes.

Introduction

In Pull Mode, AWS Lake Formation serves as the source of truth for access control policies. These policies are periodically pulled from Lake Formation into Privacera and then enforced on the various data sources as per the configuration.

This mode allows users to fetch and deploy specific resources from AWS Lake Formation into the Privacera Portal. Once deployed, users can manage access control for these resources within Privacera. For more details, refer to Pull mode.

Pulled Resources

In Pull Mode, Privacera fetches and deploys the following five resources from AWS Lake Formation:

| Resources | Description |
|---|---|
| Tags | Labels used to classify and organize Lake Formation resources. |
| Tag-Resource Mapping | Associates tags with specific resources to facilitate tag-based access control. |
| Resource-Based Policies | Permissions assigned directly to resources, specifying which users or roles have access. |
| Tag-Based Policies | Policies that grant access to resources based on assigned tags. |
| IAM Roles | AWS IAM roles linked to Lake Formation for access control. |

Note

  • All Tags under the Managed Region in the AWS Lake Formation connector are pulled.
  • Other resources are pulled based on their managed properties in the AWS Lake Formation connector.
    Example: If table1 is managed in the connector, then all related tags, resource-based policies, and tag-based policies are pulled. Otherwise, they are not.

Access Management

| Topic | Detail |
|---|---|
| Integration methodology | Privacera PolicySync |
| Access Tools | AWS Console, JDBC |
| Supported User Identities | AWS IAM, SAML |

Supported User Identities

Not all user identities are supported in every AWS service and connection. Refer to the AWS documentation for the capabilities of accessing AWS services such as AWS Athena and AWS Redshift using the AWS Console and JDBC.

User Identity Mapping

Lake Formation-supported services such as AWS Athena and AWS Redshift Spectrum use AWS IAM and SAML users for access control. Any permissions granted to roles in Lake Formation are pulled into the Privacera connector for the corresponding managed IAM roles.

This connector pulls the IAM roles from AWS IAM and adds them to Privacera as roles. Any policies defined in Lake Formation for these roles are pulled into the Privacera connector for the corresponding IAM roles.

Lake Formation Connector flow

```mermaid
sequenceDiagram
    participant PrivaceraPlatform
    participant PrivaceraConnector
    participant AWS IAM
    participant LakeFormation

    PrivaceraConnector->>AWS IAM: Pull IAM roles
    AWS IAM-->>PrivaceraConnector: IAM roles added as<br> Privacera roles

    PrivaceraConnector->>LakeFormation: Pull Tag/Resource Based Expression (Policies)
    LakeFormation-->>PrivaceraConnector: Got Expressions
    PrivaceraConnector-->>PrivaceraConnector: Convert to Privacera policies
    PrivaceraConnector->>PrivaceraPlatform: Push Policies into Privacera

    PrivaceraConnector->>LakeFormation: Pull Tag and Resources
    LakeFormation-->>PrivaceraConnector: Got Resources and tags
    PrivaceraConnector->>PrivaceraPlatform: Push Tags/Resource Mapping into Privacera
```
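The following is an added example, not Privacera's connector code, that models the "Convert to Privacera policies" step of the flow above together with the pulled-resource rule from the Note (only entries related to connector-managed tables are kept). The input dicts follow the shape of the Lake Formation ListPermissions API on constructed sample data; the output policy dict, the ARN-to-role-name mapping, and the skipping of non-role principals are assumptions made for illustration.

```python
# Added example (not Privacera's code): the "Convert to Privacera policies" step of the
# flow above, applying the Note's rule that only entries related to connector-managed
# tables are kept. Inputs follow the Lake Formation ListPermissions shape; the output
# policy dict is a hypothetical simplified form.
ROLE = "arn:aws:iam::123456789012:role/"   # constructed account id, not a real one
# Constructed sample: managed tables, pulled tag-resource mapping, list_permissions() output.
MANAGED_TABLES = {("sales", "table1")}
TABLE_TAGS = {("sales", "table1"): {"classification": "public"},
              ("sales", "table2"): {"classification": "pii"}}
LF_PERMISSIONS = [
    {"Principal": {"DataLakePrincipalIdentifier": ROLE + "analyst"}, "Permissions": ["SELECT"],
     "Resource": {"Table": {"DatabaseName": "sales", "Name": "table1"}}},
    {"Principal": {"DataLakePrincipalIdentifier": ROLE + "analyst"}, "Permissions": ["SELECT"],
     "Resource": {"Table": {"DatabaseName": "sales", "Name": "table2"}}},      # not managed
    {"Principal": {"DataLakePrincipalIdentifier": ROLE + "auditor"}, "Permissions": ["SELECT"],
     "Resource": {"LFTagPolicy": {"ResourceType": "TABLE", "Expression": [
         {"TagKey": "classification", "TagValues": ["public"]}]}}},
    {"Principal": {"DataLakePrincipalIdentifier": ROLE + "pii-reader"}, "Permissions": ["SELECT"],
     "Resource": {"LFTagPolicy": {"ResourceType": "TABLE", "Expression": [
         {"TagKey": "classification", "TagValues": ["pii"]}]}}},                # no managed match
]

def role_name(arn):
    """IAM role ARN -> Privacera role name (assumed: the ARN's last path segment)."""
    return arn.rsplit("/", 1)[-1] if ":role/" in arn else None

def expression_matches(expression, tags):
    """True if every TagKey in an LF-Tag expression is on the table with an allowed value."""
    return all(tags.get(t["TagKey"]) in t["TagValues"] for t in expression)

def convert_permissions(entries, managed, table_tags):
    """Keep resource policies on managed tables and tag policies matching their tags; skip non-roles."""
    policies = []
    for e in entries:
        role = role_name(e["Principal"]["DataLakePrincipalIdentifier"])
        if role is None:
            continue
        res, perms = e["Resource"], sorted(e["Permissions"])
        if "Table" in res:
            key = (res["Table"]["DatabaseName"], res["Table"]["Name"])
            if key in managed:
                policies.append({"type": "resource", "role": role, "permissions": perms,
                                 "resource": ".".join(key)})
        elif "LFTagPolicy" in res:
            expr = res["LFTagPolicy"]["Expression"]
            if any(expression_matches(expr, table_tags.get(t, {})) for t in managed):
                policies.append({"type": "tag", "role": role, "permissions": perms,
                                 "expression": {t["TagKey"]: t["TagValues"] for t in expr}})
    return policies
```

Running `convert_permissions(LF_PERMISSIONS, MANAGED_TABLES, TABLE_TAGS)` yields only the analyst policy on sales.table1 and the auditor tag policy; the table2 grant and the pii tag policy are dropped because no managed table relates to them.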

Users for Roles

After the roles are created in Privacera, the users and groups that belong to each role must be explicitly added to that role.
