Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deny Lakeformation Admin Operations #32

Open
ajarawat1992 opened this issue Apr 29, 2021 · 1 comment
Open

Deny Lakeformation Admin Operations #32

ajarawat1992 opened this issue Apr 29, 2021 · 1 comment

Comments

@ajarawat1992
Copy link

Use Case - Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.

To prevent users from adding themselves as an administrator with an extract, transform, and load (ETL) script, make sure that all non-administrator users and roles are denied access to these API operations.

AWS Lake Formation is a fully managed service that makes it easier for you to build, secure, and manage data lakes.
AWS Lake Formation Administrators can view all metadata in the AWS Glue Data Catalog. They can also grant and revoke permissions on data resources to principals, including themselves. AWS Lake Formation requires that each principal (user or role) be authorized to perform actions on Lake Formation–managed resources. A principal is granted the necessary authorizations by the data lake administrator or another principal with the permissions to grant Lake Formation permissions.
When you grant a Lake Formation permission to a principal, you can optionally grant the ability to pass that permission to another principal. A principal with IAM administrative permissions—for example, with the AdministratorAccess AWS managed policy—has permissions to grant Lake Formation permissions and create data lake administrators. To deny a user or role access to Lake Formation administrator operations in your account, attach below SCP policy.

{
"Sid": "DenyLakeFormationAdministratorOperations",
"Effect": "Deny",
"Action": [
"lakeformation:GetDataLakeSettings",
"lakeformation:PutDataLakeSettings"
],
"Resource": [
"*"
]
}

Expected Outcome - Describe the solution you'd like
A clear and concise description of what you want to happen.

User is not authorized to perform: lakeformation:PutDataLakeSettings on resource with an explicit deny.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Affected AWS resource
Mention the AWS resources which is affected
AWS Lake Formation

Impact
High: The issue makes a service level improvement which affects all users of AWS
Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material
Can be either logs, screenshots or documentation links which provide evidence of need of this issue

I can contribute: Yes/No
If you are able to contribute towards resolving this request.

Additional context
Add any other context or screenshots about the feature request here.

Pull Request number
If a pull request has already been created.
@ajarawat1992
Copy link
Author

Below is the updated SCP:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyLakeFormationAdministratorOperations",
"Effect": "Deny",
"Action": [
"lakeformation:PutDataLakeSettings"
],
"Resource": [
"*"
]
}
]
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ajarawat1992