
Privacera Documentation

Create IAM Role for AWS Lake Formation connector for Platform

This IAM role is needed so that PrivaceraCloud can pull the access control policies from AWS Lake Formation into Privacera, where they can then be enforced on various data sources.

The role carries a limited set of read permissions: it can list and describe resources in AWS Glue and read the access control policies defined on those resources in AWS Lake Formation.

Once the role is created, it must be attached to PrivaceraCloud, which assumes the role to pull the access control policies from AWS Lake Formation into Privacera.

Create IAM policy

  1. Log in to the AWS Account.

  2. Navigate to IAM → Policies → Create policy.

  3. Select JSON and copy the following configuration in the text box:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GlueReadPermissions",
                "Effect": "Allow",
                "Action": [
                    "glue:GetTables",
                    "glue:GetTableVersions",
                    "glue:GetDatabases",
                    "glue:GetTable",
                    "glue:GetDatabase",
                    "glue:GetTableVersion",
                    "glue:GetColumnStatisticsForTable"
                ],
                "Resource": "*"
            },
            {
                "Sid": "LFReadPermissions",
                "Effect": "Allow",
                "Action": [
                    "lakeformation:ListDataCellsFilter",
                    "lakeformation:GetEffectivePermissionsForPath",
                    "lakeformation:ListLFTags",
                    "lakeformation:GetLFTag",
                    "lakeformation:ListPermissions",
                    "lakeformation:GetResourceLFTags",
                    "lakeformation:DescribeResource",
                    "lakeformation:ListResources",
                    "lakeformation:GetTableObjects"
                ],
                "Resource": "*"
            },
            {
                "Sid": "IAMRolesReadPermissions",
                "Effect": "Allow",
                "Action": [
                    "iam:ListRoles"
                ],
                "Resource": "*"
            }
        ]
    }

  4. Click Next: Tags.

  5. Add any tags, then click Next: Review.

  6. Add the policy name as privacera-lf-access-policy.

  7. Click Create policy.

Create IAM Policy to Perform Grant/Revokes (Only for Push mode)

Note

This setup is only needed if you want to sync policies from Privacera Ranger to AWS Lake Formation.

  1. Log in to the AWS Account and navigate to IAM → Policies → Create policy.

  2. Click JSON, paste the following JSON content in the text box, and then click Next: Tags.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LFWritePermission",
                "Effect": "Allow",
                "Action": [
                    "lakeformation:BatchGrantPermissions",
                    "lakeformation:GrantPermissions",
                    "lakeformation:DeleteDataCellsFilter",
                    "lakeformation:RevokePermissions",
                    "lakeformation:CreateDataCellsFilter",
                    "lakeformation:BatchRevokePermissions"
                ],
                "Resource": "*"
            }
        ]
    }

  3. Add any tags you need, and then click Next: Review.

  4. Add a policy name such as privacera-lf-write-access-policy, and then click Create policy.

Create and attach IAM Role for Platform

  1. Log in to the AWS Account.

  2. Navigate to IAM → Roles → Create role.

  3. In Select trusted entity:

    • For Trusted entity type, select AWS service.

    • For Common use cases, select EC2.

  4. Click Next.

  5. Add permissions: In Permissions policies, search for the policy privacera-lf-access-policy, select its checkbox, and click Next.

  6. For Role name, enter PrivaceraLakeformationAccessRole and click Create role.

  7. For Docker-based installation (Kubernetes installation instructions are currently not available):

    1. Navigate to EC2 → Instances.

    2. Search for your EC2 Instance and select the checkbox next to it.

    3. From the top right, click Actions → Security → Modify IAM role, select the previously created IAM role PrivaceraLakeformationAccessRole, and then click Update IAM role.
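As an added check that is not part of the Privacera documentation or product, the following Python audits the two policy documents from this page before they are attached to the role: it confirms that the pull-mode policy allows only Get/List/Describe actions, that grant/revoke rights live solely in the push-mode policy, and lists every statement scoped to Resource "*" so the account-wide scope is a conscious choice. The EC2 trust policy and the policies_for_mode mapping are assumptions about what the console steps above produce.

```python
import re

# Policy documents copied from the steps above (constructed inline for offline use).
READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "GlueReadPermissions", "Effect": "Allow", "Resource": "*",
     "Action": ["glue:GetTables", "glue:GetTableVersions", "glue:GetDatabases",
                "glue:GetTable", "glue:GetDatabase", "glue:GetTableVersion",
                "glue:GetColumnStatisticsForTable"]},
    {"Sid": "LFReadPermissions", "Effect": "Allow", "Resource": "*",
     "Action": ["lakeformation:ListDataCellsFilter",
                "lakeformation:GetEffectivePermissionsForPath",
                "lakeformation:ListLFTags", "lakeformation:GetLFTag",
                "lakeformation:ListPermissions", "lakeformation:GetResourceLFTags",
                "lakeformation:DescribeResource", "lakeformation:ListResources",
                "lakeformation:GetTableObjects"]},
    {"Sid": "IAMRolesReadPermissions", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:ListRoles"]}]}
WRITE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LFWritePermission", "Effect": "Allow", "Resource": "*",
     "Action": ["lakeformation:BatchGrantPermissions", "lakeformation:GrantPermissions",
                "lakeformation:DeleteDataCellsFilter", "lakeformation:RevokePermissions",
                "lakeformation:CreateDataCellsFilter", "lakeformation:BatchRevokePermissions"]}]}
# Assumption: the trust policy the console generates for "AWS service / EC2".
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

READ_VERB = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)\w*$")

def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)

def mutating_actions(policy):
    """Allowed actions that are not read-only, i.e. can change state."""
    return [a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in _actions(s) if not READ_VERB.match(a)]

def wildcard_resource_sids(policy):
    """Sids of statements that apply to every resource in the account."""
    return [s.get("Sid") for s in policy["Statement"] if s.get("Resource") == "*"]

def policies_for_mode(mode):
    """Assumption: pull mode needs the read policy only; push mode adds grant/revoke."""
    return {"pull": [READ_POLICY], "push": [READ_POLICY, WRITE_POLICY]}[mode]

def trust_principals(policy):
    """Service principals allowed to assume the role."""
    out = set()
    for s in policy["Statement"]:
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _actions(s):
            svc = s.get("Principal", {}).get("Service", [])
            out.update([svc] if isinstance(svc, str) else svc)
    return out
```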

Configure AWS Lake Formation administrator

  1. Log in to the AWS Account and navigate to AWS Lake Formation → Permissions → Administrative roles and tasks.

  2. Click Choose administrators and, under IAM users and roles, select the previously created role PrivaceraLakeformationAccessRole.

  3. Click Save.