AWS Lake Formation applies its own permission model on top of IAM when you access data in Amazon S3 and metadata in the AWS Glue Data Catalog through services such as Amazon EMR and Amazon Athena. If you currently use Lake Formation and would rather rely on IAM access control alone, this tool switches the account over.

Run the Python script as a principal that has Lake Formation data lake administrator permissions; without them the Lake Formation API calls fail with an Access Denied exception. Note that the switch is one-way in practice: the Lake Formation grants it revokes are not saved anywhere, so record the output of `list-permissions` first if you may need to roll back, and make sure the IAM policies on Glue and S3 are as tight as you need them to be, because once the script has run they are the only thing controlling access.
It performs the following actions, in this order (IAM_ALLOWED_PRINCIPALS is granted before anything else is revoked, so there is no window in which nobody has access):
- Modify the data lake settings to use only IAM access control for new databases and tables
- De-register all registered data lake locations in S3
- Grant CREATE_DATABASE on the catalog to IAM_ALLOWED_PRINCIPALS
- Grant ALL on every existing database and table to IAM_ALLOWED_PRINCIPALS
- Revoke all remaining Lake Formation permissions, i.e. every grant whose principal is not IAM_ALLOWED_PRINCIPALS
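The following is an added example, not the project's own script, showing how those five steps map onto the boto3 Lake Formation and Glue APIs. The `lakeformation` and `glue` clients are passed in as parameters so the logic can be exercised offline against stub clients; the `__main__` block creates real clients and assumes the caller's credentials belong to a Lake Formation data lake administrator. The hypothetical `_paginate` helper drains `NextToken`-style pagination so that accounts with more resources than one page returns are handled.

```python
"""Switch a Lake Formation account to IAM-only access control (added example).

Every function takes the boto3 client(s) it needs as arguments and returns what
it changed, so the steps can be unit-tested against stubs and audited on a run.
"""

IAM_ALLOWED = {"DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"}
IAM_ALL = [{"Principal": IAM_ALLOWED, "Permissions": ["ALL"]}]


def _paginate(call, key, **kwargs):
    """Yield every item under `key` from a NextToken-paginated API call."""
    token = None
    while True:
        args = dict(kwargs, NextToken=token) if token else kwargs
        resp = call(**args)
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return


def set_iam_only_defaults(lf):
    """Step 1: new databases and tables default to ALL for IAM_ALLOWED_PRINCIPALS,
    which is what 'use only IAM access control' means in the data lake settings."""
    settings = lf.get_data_lake_settings()["DataLakeSettings"]
    settings["CreateDatabaseDefaultPermissions"] = IAM_ALL
    settings["CreateTableDefaultPermissions"] = IAM_ALL
    lf.put_data_lake_settings(DataLakeSettings=settings)
    return settings


def deregister_all_locations(lf):
    """Step 2: drop every registered S3 location so S3 access is IAM-only."""
    # Snapshot first: mutating while paginating can invalidate the token.
    arns = [r["ResourceArn"] for r in _paginate(lf.list_resources, "ResourceInfoList")]
    for arn in arns:
        lf.deregister_resource(ResourceArn=arn)
    return arns


def grant_iam_allowed_everywhere(lf, glue):
    """Steps 3 and 4: CREATE_DATABASE on the catalog, ALL on each database/table."""
    lf.grant_permissions(Principal=IAM_ALLOWED, Resource={"Catalog": {}},
                         Permissions=["CREATE_DATABASE"])
    granted = [("Catalog", "")]
    for db in _paginate(glue.get_databases, "DatabaseList"):
        name = db["Name"]
        lf.grant_permissions(Principal=IAM_ALLOWED,
                             Resource={"Database": {"Name": name}},
                             Permissions=["ALL"])
        granted.append(("Database", name))
        for tbl in _paginate(glue.get_tables, "TableList", DatabaseName=name):
            lf.grant_permissions(
                Principal=IAM_ALLOWED,
                Resource={"Table": {"DatabaseName": name, "Name": tbl["Name"]}},
                Permissions=["ALL"])
            granted.append(("Table", f"{name}.{tbl['Name']}"))
    return granted


def revoke_everyone_else(lf):
    """Step 5: revoke every grant whose principal is not IAM_ALLOWED_PRINCIPALS.

    The Resource dict returned by list_permissions is passed straight back to
    revoke_permissions, so Table, TableWithColumns and Catalog grants all work.
    """
    entries = list(_paginate(lf.list_permissions, "PrincipalResourcePermissions"))
    revoked = []
    for e in entries:
        principal = e["Principal"]["DataLakePrincipalIdentifier"]
        if principal == "IAM_ALLOWED_PRINCIPALS":
            continue  # this is the grant that makes IAM-only access work
        kwargs = dict(Principal=e["Principal"], Resource=e["Resource"],
                      Permissions=e["Permissions"])
        if e.get("PermissionsWithGrantOption"):
            kwargs["PermissionsWithGrantOption"] = e["PermissionsWithGrantOption"]
        lf.revoke_permissions(**kwargs)
        revoked.append((principal, list(e["Permissions"])))
    return revoked


def switch_to_iam_only(lf, glue):
    """Run the five steps in README order: grants land before anything is revoked."""
    set_iam_only_defaults(lf)
    locations = deregister_all_locations(lf)
    granted = grant_iam_allowed_everywhere(lf, glue)
    revoked = revoke_everyone_else(lf)
    return {"deregistered": len(locations), "granted": len(granted),
            "revoked": len(revoked)}


if __name__ == "__main__":
    import boto3  # only needed for a real run against an AWS account
    print(switch_to_iam_only(boto3.client("lakeformation"), boto3.client("glue")))
```

Because each step returns what it touched, a dry-run wrapper that logs the return values (or stub clients, as in the test below the fold of a CI job) gives you the audit trail the README's one-shot script does not.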