
Privacera Documentation

Connect AWS Lake Formation application on PrivaceraCloud


This topic describes how to connect the AWS Lake Formation application with PrivaceraCloud. There are two ways to connect to the AWS Lake Formation application: push mode and pull mode.

Push mode

Prerequisites
  • The AWS Account ID.

  • An IAM role; see Create IAM Role for AWS Lake Formation connector for the steps.

  • In AWS, ensure you have databases and tables in AWS Glue managed by the AWS Lake Formation.

  • To sync permissions for IAM users/groups, those users/groups must be present in Privacera Portal. Ideally they are synchronized from AD/LDAP or Okta into Privacera Portal, but they can also be added manually. Permissions for users/groups that are not in Privacera Portal are not synchronized.

    Note

    The AWS Lake Formation connector will automatically sync the IAM Roles as Apache Ranger Roles into Privacera Portal.

Procedure
  1. In PrivaceraCloud, go to Settings -> Applications.

  2. On the Applications screen, select Lakeformation Push Mode.

  3. Enter the application Name and Description, and then click Save.

  4. Open the AWS Lake Formation application.

  5. Enable the Access Management option with the toggle button.

  6. Under the BASIC tab, enter the values for:

    • AWS Account ID: 12345XXX

    • AWS Assume IAM Role ARN: see example below

      This is the ARN of the IAM role created in Create IAM Role for Lake Formation.

      Through this IAM role, PrivaceraCloud pulls the access control policies from Lake Formation.

      For example: arn:aws:iam::123456789XXX:role/PrivaceraLakeFormationAccessRole

    • AWS Region: us-east-1

  7. Click SAVE.

    For other property details and description, see AWS Lake Formation Connector Properties.

  8. The configured AWS Lake Formation connector appears under Applications.

  9. Once saved and enabled, the AWS Lake Formation connector starts. Hover over the VIEW LOGS button to check its status, either Running or Stopped.

  10. Perform the following steps to restart the AWS Lake Formation connector application:

    1. Go to Settings → Applications and select the Lake Formation connector application.

    2. Edit the application → Disable it → and Save it.

    3. Open the same application again and then: Enable it → and Save it.

The following points should be considered when synchronizing Ranger policies to AWS Lake Formation:

Synchronizing Ranger Column Exclude Policies to the AWS Lake Formation Column Exclude Policies

When Ranger policies with excluded columns are synchronized into AWS Lake Formation, they are converted into permissions that list the included columns, because Lake Formation column permissions are expressed as the set of columns that are granted.

For example:

Consider a table with the columns country, id, region, sales_amount, city, and name. A Ranger policy with SELECT permission on all columns except the excluded columns city and name is converted into an AWS Lake Formation policy with SELECT permission on the included columns country, id, region, and sales_amount.

Visible table columns before Privacera policy:

  • ID

  • Country

  • Region

  • Sales_Amount

  • City

  • Name

Selectable columns after conversion of Privacera policy into the AWS Lake Formation policy:

  • ID

  • Country

  • Region

  • Sales_Amount

Synchronizing Ranger Tag Policies to the AWS Lake Formation Tag Policies

For a tag-based policy created in Ranger, the connector internally fetches the resources attached to that tag and applies the permissions to the actual resources in AWS Lake Formation.

For example:

You have attached the PII tag to a table resource called sales_data, and then you created a tag-based policy with SELECT permission for user emily on the PII tag. The connector internally resolves the resource attached to the PII tag (the table sales_data) and applies SELECT permission for user emily on the actual table sales_data in AWS Lake Formation.

Multiple Row Filter Policy Items Enforcement Behavior difference in AWS Lake Formation

When you add a row filter policy in Ranger with a row filter condition, the connector creates a data filter with the same condition in AWS Lake Formation. If you add multiple row filter items with different conditions to the same row filter policy in Ranger, the connector creates one data filter per item in Lake Formation and grants permissions on each of them.

For example:

If you create a Row-Level Filter policy on the sales_data table with the two row filter items below:

  • SELECT permission with row filter condition country='US' to user emily

  • SELECT permission with row filter condition id=4 to user emily

When AWS Lake Formation enforces these permissions and user emily queries the sales_data table from Athena, the result is the intersection of both data filters. That is, only the single row with id=4 and country='US' is returned:

select * from sales_data;

4,'US','Mountain','Palmertown','Sarah','50771.9'
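The two translations described above (exclude-column policies becoming include-column grants, and multiple row filter items becoming separate data filters that Lake Formation enforces as an intersection) modelled in a few lines of Python. This is an added example, not Privacera or AWS code; the sales_data columns, the rows, the policy items for user emily and the tiny "column op literal" condition parser are constructed assumptions for illustration.

```python
"""Model of two Ranger -> AWS Lake Formation policy translations described in
this section: exclude-column policies becoming include-column grants, and
multiple row filter items becoming separate data filters that Lake Formation
enforces as an intersection.  Added example, not Privacera or AWS code; the
table, rows and policy items below are constructed sample data."""

import re

# Constructed sample: the sales_data table from the page (column order assumed).
SALES_DATA_COLUMNS = ["id", "country", "region", "city", "name", "sales_amount"]

# id is deliberately not unique here so that the intersection of the two data
# filters is narrower than either filter on its own.
SALES_DATA_ROWS = [
    {"id": 1, "country": "US", "region": "Coastal", "city": "Oceanview", "name": "Tom", "sales_amount": 12000.0},
    {"id": 2, "country": "CA", "region": "Prairie", "city": "Regina", "name": "Ana", "sales_amount": 8000.5},
    {"id": 4, "country": "US", "region": "Mountain", "city": "Palmertown", "name": "Sarah", "sales_amount": 50771.9},
    {"id": 4, "country": "DE", "region": "Alpine", "city": "Garmisch", "name": "Lena", "sales_amount": 9100.0},
]

# The two row filter items from the page's example, for user emily.
EMILY_POLICY_ITEMS = [
    {"user": "emily", "access": "SELECT", "condition": "country='US'"},
    {"user": "emily", "access": "SELECT", "condition": "id=4"},
]


def exclude_to_include(table_columns, excluded_columns):
    """Ranger 'exclude columns' -> Lake Formation include-column list.

    Lake Formation column permissions name the granted columns, so the
    connector needs the table schema (from Glue) to compute the complement.
    Table column order is preserved."""
    unknown = set(excluded_columns) - set(table_columns)
    if unknown:
        raise ValueError(f"excluded columns not in table: {sorted(unknown)}")
    return [c for c in table_columns if c not in excluded_columns]


# Row filter conditions on this page are simple "column op literal" comparisons;
# this parser covers only that shape (assumption, not Ranger's full grammar).
_COND_RE = re.compile(r"^\s*(\w+)\s*(!=|<>|<=|>=|=|<|>)\s*(.+?)\s*$")
_OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<>": lambda a, b: a != b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def parse_condition(condition):
    """Split a condition such as country='US' or id=4 into (column, op, value)."""
    match = _COND_RE.match(condition)
    if not match:
        raise ValueError(f"unsupported row filter condition: {condition!r}")
    column, op, literal = match.groups()
    if len(literal) >= 2 and literal[0] == literal[-1] and literal[0] in "'\"":
        value = literal[1:-1]                      # quoted string literal
    else:
        value = float(literal) if "." in literal else int(literal)
    return column, op, value


def apply_data_filters(rows, conditions):
    """Enforce a set of Lake Formation data filters on rows.

    Lake Formation applies every data filter the principal holds on the table,
    so the visible rows are the intersection (logical AND) of all conditions."""
    predicates = []
    for condition in conditions:
        column, op, value = parse_condition(condition)
        predicates.append(lambda row, c=column, o=op, v=value: _OPS[o](row[c], v))
    return [row for row in rows if all(p(row) for p in predicates)]


def visible_rows_for(user, rows, policy_items):
    """Rows `user` sees after each Ranger row filter item becomes a data filter."""
    conditions = [i["condition"] for i in policy_items
                  if i["user"] == user and i["access"] == "SELECT"]
    if not conditions:
        return []                                  # no SELECT grant at all
    return apply_data_filters(rows, conditions)


if __name__ == "__main__":
    print("include columns:", exclude_to_include(SALES_DATA_COLUMNS, {"city", "name"}))
    for cond in ("country='US'", "id=4"):
        print(cond, "alone ->", [r["id"] for r in apply_data_filters(SALES_DATA_ROWS, [cond])])
    print("emily sees:", visible_rows_for("emily", SALES_DATA_ROWS, EMILY_POLICY_ITEMS))
```

Running the script shows each filter on its own returning two rows and the pair together returning only Sarah's row, which is the narrowing a Ranger administrator should expect when several row filter items for the same user are pushed to Lake Formation.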

No Access control on IAM Groups

AWS Lake Formation does not support IAM groups, but it does support AD groups, and you can add policies to AD groups.

When granting access to IAM Role, it assumes the IAM role is present on the AWS console

When you create a policy for a role in Ranger, it is assumed that an IAM role with the same name as the Ranger role already exists in the AWS console, and the connector only tries to assign permissions to that role. It does not create the role if it is not present in AWS Lake Formation.

Pull mode

Prerequisites
  • The AWS Account ID.

  • An IAM role; see Create IAM Role for AWS Lake Formation connector for the steps.

  • In AWS, ensure that you have databases and tables in AWS Glue managed by the AWS Lake Formation.

  • To sync permissions for IAM users/groups, those users/groups must be present in Privacera Portal. Ideally they are synchronized from AD/LDAP or Okta into Privacera Portal, but they can also be added manually. Permissions for users/groups that are not in Privacera Portal are not synchronized.

    Note

    The AWS Lake Formation connector will automatically sync the IAM Roles as Apache Ranger Roles into Privacera Portal.

Procedure
  1. In PrivaceraCloud, go to Settings -> Applications.

  2. On the Applications screen, select Lakeformation Pull Mode.

  3. Enter the application Name and Description, and then click Save.

  4. Enable the Access Management option with the toggle button.

  5. Under the BASIC tab, enter the values for:

    • AWS Account ID: 12345XXX

    • AWS Assume IAM Role ARN: see example below

      This is the ARN of the IAM role created in Create IAM Role for Lake Formation, through which PrivaceraCloud pulls the access control policies from AWS Lake Formation.

      For example: arn:aws:iam::123456789XXX:role/PrivaceraLakeformationAccessRole

    • AWS Region: us-east-1

  6. Click SAVE.

    For other property details and description, see AWS Lake Formation Connector Properties.

  7. The configured AWS Lake Formation connector appears under Applications.

  8. Once saved and enabled, the AWS Lake Formation connector starts. Hover over the VIEW LOGS button to check its status, either Running or Stopped.

  9. Restart the Lake Formation connector application with the following steps:

    1. Go to Settings → Applications and select the Lake Formation connector application.

    2. Edit the application → Disable it → and Save it.

    3. Open the same application again and then: Enable it → and Save it.
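Both the push-mode and the pull-mode procedures above take the same three BASIC tab values (AWS Account ID, AWS Assume IAM Role ARN, AWS Region), and a malformed value only surfaces later as a Stopped connector in VIEW LOGS. The following added example, which is not Privacera's code, checks the syntax of those values before they are saved, using the public AWS formats for account IDs, IAM role ARNs and region codes. The check that the role's account matches the AWS Account ID is an assumption for a single-account setup; the sample values, including the 123456789012 account ID, are constructed.

```python
"""Pre-flight check of the BASIC tab values (AWS Account ID, AWS Assume IAM
Role ARN, AWS Region) before saving the Lake Formation connector, in push or
pull mode.  Added example, not Privacera's code; the format rules are the
public AWS formats for account IDs, IAM role ARNs and region codes."""

import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# arn:<partition>:iam::<account>:role/<optional path/>RoleName
# IAM role names use [A-Za-z0-9+=,.@_-] and may sit under a path such as
# role/service-role/Name; a space inside the role name is invalid.
ROLE_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/((?:[\w+=,.@-]+/)*[\w+=,.@-]+)$"
)
# Region codes look like us-east-1, eu-central-1, ap-southeast-2, us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d$")


def validate_connector_config(account_id, role_arn, region):
    """Return a list of problems with the three BASIC tab values.

    An empty list means the values are well-formed.  This checks syntax only;
    whether the role exists and can actually be assumed is verified by the
    connector itself once it starts (check VIEW LOGS)."""
    problems = []

    if not ACCOUNT_ID_RE.match(account_id):
        problems.append(f"AWS Account ID must be exactly 12 digits, got {account_id!r}")

    arn_match = ROLE_ARN_RE.match(role_arn)
    if not arn_match:
        problems.append(f"AWS Assume IAM Role ARN is not a valid IAM role ARN: {role_arn!r}")
    elif ACCOUNT_ID_RE.match(account_id) and arn_match.group(2) != account_id:
        # Assumption: the role to assume lives in the same account whose Lake
        # Formation catalog the connector manages.  Drop this check for a
        # cross-account setup.
        problems.append(
            f"role ARN belongs to account {arn_match.group(2)}, not to AWS Account ID {account_id}"
        )

    if not REGION_RE.match(region):
        problems.append(f"AWS Region {region!r} is not a valid region code (expected e.g. us-east-1)")

    return problems


def role_name_from_arn(role_arn):
    """Extract the role name (last path element) from a valid IAM role ARN."""
    match = ROLE_ARN_RE.match(role_arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return match.group(3).rsplit("/", 1)[-1]


if __name__ == "__main__":
    # Constructed sample values; 123456789012 is a placeholder account ID.
    good = ("123456789012", "arn:aws:iam::123456789012:role/PrivaceraLakeFormationAccessRole", "us-east-1")
    bad = ("12345XXX", "arn:aws:iam::123456789XXX:role/PrivaceraLake FormationAccessRole", "us-east-01")
    for values in (good, bad):
        print(values, "->", validate_connector_config(*values) or "OK")
```

The second sample deliberately feeds in placeholder-style values (an account ID with XXX, a role name containing a space, and a two-digit region suffix) to show that all three are rejected before the connector is ever enabled.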