Privacera Connector for AWS Lake Formation¶
AWS Lake Formation is a fully managed service that simplifies the construction, security, and management of data lakes. It provides a permissions model that builds upon the IAM permissions model, enabling fine-grained access to data stored within data lakes through a straightforward grant-and-revoke mechanism, similar to that of a relational database management system (RDBMS). AWS Lake Formation enforces permissions with granular controls at the column, row, and cell levels across various AWS services, including Amazon Athena, Amazon EMR, and Amazon Redshift Spectrum.
Synchronization of Policies to Other Data Sources¶
Policies are defined in Privacera and pushed to AWS Lake Formation. Because the same databases and tables in AWS Glue Catalog may also be accessed by other services, Privacera can optionally replicate those policies to additional data sources such as Databricks and Trino, ensuring consistent enforcement across all consumers of the same Glue Catalog.
Not all policy features are supported uniformly across data sources. For example, AWS Lake Formation does not support dynamic column masking, so masking policies defined in Privacera cannot be enforced through Lake Formation and are not replicated to data sources that access data via Lake Formation APIs. Privacera remains the single source of truth for all policies, and only the subset compatible with each target data source is applied.
Supported Products¶
| Product | Supported |
|---|---|
| Access Management (access control policies) | Yes |
| Discovery | No |
| Encryption | No |
- Since AWS Lake Formation only manages access control policies, Privacera Discovery is not applicable for this connector.
- Since AWS Lake Formation does not support dynamic column masking, Privacera Encryption is not applicable for this connector.
Connector configuration¶
The AWS Lake Formation connector uses push mode. Privacera is the source of truth for access control policies. Policies are defined in Privacera and pushed to AWS Lake Formation, where they are enforced across supported services, including Amazon Redshift Spectrum, Amazon EMR, and Amazon Athena.

As illustrated in the image above, policies are stored and managed by Privacera. For databases whose data resides in Amazon S3 and whose metadata is registered in the AWS Glue Data Catalog, Privacera pushes the policies to AWS Lake Formation using the Lake Formation APIs, and AWS Lake Formation then enforces them natively. For the remaining data sources, Privacera uses its connector architecture to enforce the policies.
Since the same databases and tables defined in AWS Glue can also be used by third-party tools such as Databricks and Trino, the same policies can optionally be enforced by those tools as well when push-to-Ranger replication is enabled.
Note
Masking capabilities are not available through Lake Formation APIs; tag-based and resource-based masking are not supported in Lake Formation.
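The following is an added example, not Privacera's or AWS's own connector code, that shows what a push-mode translation into the Lake Formation grant/revoke model looks like. It takes a small, constructed set of Privacera-like policies (the policy shape, principal ARNs, database and table names, and the helper names are all assumptions), turns access policies into `GrantPermissions` / `RevokePermissions` request bodies, expresses column-level rules as `TableWithColumns` resources, and skips masking policies because Lake Formation offers no masking API. The keyword arguments it builds are the ones boto3's `LakeFormation.Client.grant_permissions` and `revoke_permissions` accept, so `push()` works unchanged with a real `boto3.client("lakeformation")`; a recording client is used here so the example runs offline.

```python
"""Translate Privacera-style policies into AWS Lake Formation grant/revoke
requests. Added illustration only; the policy format below is an assumption."""
from typing import Dict, List, Tuple

CATALOG_ID = "123456789012"  # assumed AWS account that owns the Glue Data Catalog

# Constructed sample policies in a simplified, assumed Privacera-like shape.
POLICIES: List[Dict] = [
    {   # column-level allow expressed as "everything except these columns"
        "name": "analysts-read-customers-no-pii", "type": "access",
        "database": "sales", "table": "customers",
        "exclude_columns": ["ssn", "email"],
        "principal": "arn:aws:iam::123456789012:role/analysts",
        "permissions": ["SELECT"], "allow": True,
    },
    {   # whole-table grant with several permissions
        "name": "etl-full-orders", "type": "access",
        "database": "sales", "table": "orders", "columns": [],
        "principal": "arn:aws:iam::123456789012:role/etl",
        "permissions": ["SELECT", "INSERT", "ALTER"], "allow": True,
    },
    {   # masking policy: Lake Formation cannot enforce it, so it is skipped
        "name": "mask-ssn-for-support", "type": "masking",
        "database": "sales", "table": "customers", "columns": ["ssn"],
        "principal": "arn:aws:iam::123456789012:role/support",
        "mask": "SHOW_LAST_4",
    },
    {   # deny/revoke on an explicit column list
        "name": "revoke-contractors-orders", "type": "access",
        "database": "sales", "table": "orders",
        "columns": ["total", "customer_id"],
        "principal": "arn:aws:iam::123456789012:role/contractors",
        "permissions": ["SELECT"], "allow": False,
    },
]


def lf_resource(policy: Dict) -> Dict:
    """Build the Lake Formation Resource block: a Table when the policy covers
    the whole table, otherwise TableWithColumns with either an explicit column
    list or a wildcard that excludes named columns."""
    base = {"CatalogId": CATALOG_ID, "DatabaseName": policy["database"],
            "Name": policy["table"]}
    cols = policy.get("columns") or []
    excluded = policy.get("exclude_columns") or []
    if not cols and not excluded:
        return {"Table": base}
    twc = dict(base)
    if excluded:
        twc["ColumnWildcard"] = {"ExcludedColumnNames": excluded}
    else:
        twc["ColumnNames"] = cols
    return {"TableWithColumns": twc}


def translate(policies: List[Dict]) -> Tuple[List[Dict], List[Dict], List[str]]:
    """Return (grant requests, revoke requests, skipped policy names).
    Column-level permissions in Lake Formation are SELECT-only, so anything
    else on a TableWithColumns resource is rejected rather than silently
    widened to the whole table."""
    grants, revokes, skipped = [], [], []
    for p in policies:
        if p["type"] != "access":          # masking etc. has no LF equivalent
            skipped.append(p["name"])
            continue
        resource = lf_resource(p)
        perms = sorted(set(p["permissions"]))
        if "TableWithColumns" in resource and perms != ["SELECT"]:
            raise ValueError(f"{p['name']}: column-level grants support only SELECT")
        req = {"Principal": {"DataLakePrincipalIdentifier": p["principal"]},
               "Resource": resource, "Permissions": perms}
        (grants if p["allow"] else revokes).append(req)
    return grants, revokes, skipped


class RecordingClient:
    """Stand-in for boto3.client("lakeformation") that records calls."""
    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict]] = []

    def grant_permissions(self, **kwargs) -> Dict:
        self.calls.append(("grant", kwargs))
        return {}

    def revoke_permissions(self, **kwargs) -> Dict:
        self.calls.append(("revoke", kwargs))
        return {}


def push(client, grants: List[Dict], revokes: List[Dict]) -> int:
    """Send the requests; returns the number of API calls made."""
    for r in grants:
        client.grant_permissions(**r)
    for r in revokes:
        client.revoke_permissions(**r)
    return len(grants) + len(revokes)


if __name__ == "__main__":
    g, r, s = translate(POLICIES)
    client = RecordingClient()
    print(f"pushed {push(client, g, r)} requests; skipped (unsupported): {s}")
```

Replace `RecordingClient()` with `boto3.client("lakeformation")` to push against a real account; the principal must already be registered as a data lake principal and the caller needs `lakeformation:GrantPermissions` / `RevokePermissions`.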