- Newest
- Most votes
- Most comments
With IAM , you can only work till a glue table. It’s access to table or not and on a S3 object ( file), it’s access to a file or not.
For fine grain access (RBAC/ABAC) on file contents ( rows and columns ), you would need EMR +Ranger which will provide you with an option to specify policies that can help with fine grain access. Since you have not mentioned how the customer wants to read the data ( ex EMR/Athena ), you can think of serving the data via redshift which has its own fine authorization constructs.
If you really want to achieve and have some breather to have copies of table definitions ( ex TableA_clear/TableA_priv which excludes the columns etc ) , then you can play with
https://docs.aws.amazon.com/athena/latest/ug/fine-grained-access-to-glue-resources.html And grant access to tables. Ideally , you are creating table definitions by removing the columns that you don’t want to show to some users ( proactively defining the ddls rather than run time policy binding that you get from Ranger or Lakeformation ) — not recommended at all.
I would also advise any customer to start exploring Lakeformation as it brings the centralized model of specifying and managing security and access policies over lake artifacts which are modeled to be used as databases and tables . Any reason why they are not willing to use Lakeformation?
Relevant content
- asked 8 months ago
- asked 3 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 months ago