AWS Lake Formation - Pull Mode¶
Connector configuration modes
This document describes the configuration modes for the AWS Lake Formation connector with Privacera using the Pull mode. If you are looking for information about Push mode, then refer to AWS Lake Formation - Push mode. To understand the differences between Push Mode and Pull Mode, refer to Comparison of Push and Pull Modes.
Introduction¶
In Pull Mode, AWS LakeFormation serves as the source of truth for access control policies. These policies are periodically pulled from Lake Formation into Privacera and then enforced on various data sources as per the configuration.
This mode allows users to fetch and deploy specific resources from AWS Lake Formation into the Privacera Portal. Once deployed, users can manage access control for these resources within Privacera. For more details, refer to Pull mode.
Pulled Resources
In Pull Mode, Privacera fetches and deploys the following five resources from AWS Lake Formation:
| Resources | Description |
|---|---|
| Tags | Labels used to classify and organize Lake Formation resources. |
| Tag-Resource Mapping | Associates tags with specific resources to facilitate tag-based access control. |
| Resource-Based Policies | Permissions assigned directly to resources, specifying which users or roles have access. |
| Tag-Based Policies | Policies that grant access to resources based on assigned tags. |
| IAM Roles | AWS IAM roles linked to Lake Formation for access control. |
Note
- All Tags under the Managed
Regionin the AWS Lake Formation connector are pulled. - Other resources are pulled based on their managed properties in the AWS Lake Formation connector.
Example: Iftable1is managed in the connector, then all relatedtags,resource based policies, andtag based policiesare pulled. Otherwise, they are not.
Access Management¶
| Topic | Detail |
|---|---|
| Integration methodology | Privacera PolicySync |
| Access Tools | AWS Console, JDBC |
| Supported User Identities | AWS IAM, SAML |
Supported User Identities
All user identities are not supported in all AWS services and connections. Refer to AWS documentation for the capabilities of accessing AWS services like AWS Athena and AWS Redshift using AWS Console and JDBC.
User Identity Mapping¶
Lake Formation supported services like AWS Athena and AWS Redshift Spectrum use AWS IAM and SAML users for access control. Any permissions granted to the roles in Lake Formation are pulled to privacera connector for the corresponding/managed IAM roles.
This connector pulls the IAM roles from AWS IAM and adds them to Privacera as roles. Any policies defined in Lake Formation for these roles are pulled to Privacera connector for the corresponding IAM roles.
Lake Formation Connector flow¶
sequenceDiagram
participant PrivaceraPlatform
participant PrivaceraConnector
participant AWS IAM
participant LakeFormation
PrivaceraConnector->>AWS IAM: Pull IAM roles
AWS IAM-->>PrivaceraConnector: IAM roles added as<br> Privacera roles
PrivaceraConnector->>LakeFormation: Pull Tag/Resource Based Expression (Policies)
LakeFormation-->>PrivaceraConnector: Got Expressions
PrivaceraConnector-->>PrivaceraConnector: Convert to Privacera policies
PrivaceraConnector->>PrivaceraPlatform: Push Policies into Privacera
PrivaceraConnector->>LakeFormation: Pull Tag and Resources
LakeFormation-->>PrivaceraConnector: Got Resources and tags
PrivaceraConnector->>PrivaceraPlatform: Push Tags/Resource Mapping into Privacera Users for Roles
For the roles are created in Privacera, the users/groups for the roles need to be explicitly added to the roles.
- Prev topic: AWS Lake Formation Connector using Pull Mode
- Next topic: Prerequisites