Privacera Documentation

Create IAM Role for AWS Lake Formation connector

This IAM role is needed so that PrivaceraCloud can pull the access control policies from AWS Lake Formation into Privacera.

The role carries a set of permissions to read resources from AWS Glue and to read the access control policies on those resources from AWS Lake Formation.

Once the role is created, it is attached to PrivaceraCloud, which assumes the role to pull the access control policies from AWS Lake Formation into Privacera.

Create IAM policy

  1. Log in to the AWS Account.

  2. Navigate to IAM → Policies → Create policy.

  3. Select JSON and paste the following content in the text box:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GlueReadPermissions",
                "Effect": "Allow",
                "Action": [
                    "glue:GetTables",
                    "glue:GetTableVersions",
                    "glue:GetDatabases",
                    "glue:GetTable",
                    "glue:GetDatabase",
                    "glue:GetTableVersion",
                    "glue:GetColumnStatisticsForTable"
                ],
                "Resource": "*"
            },
            {
                "Sid": "LFReadPermissions",
                "Effect": "Allow",
                "Action": [
                    "lakeformation:ListDataCellsFilter",
                    "lakeformation:GetEffectivePermissionsForPath",
                    "lakeformation:ListLFTags",
                    "lakeformation:GetLFTag",
                    "lakeformation:ListPermissions",
                    "lakeformation:GetResourceLFTags",
                    "lakeformation:DescribeResource",
                    "lakeformation:ListResources",
                    "lakeformation:GetTableObjects"
                ],
                "Resource": "*"
            },
            {
                "Sid": "IAMRolesReadPermissions",
                "Effect": "Allow",
                "Action": [
                    "iam:ListRoles"
                ],
                "Resource": "*"
            }
        ]
    }
  4. Click Next: Tags.

  5. Add any tags, then click Next: Review.

  6. Enter a policy name, such as privacera-lf-access-policy.

  7. Click Create policy.

Create IAM Policy to Perform Grant/Revokes (Only for Push mode)

Note

This setup is only needed if you want to sync policies from Privacera to AWS Lake Formation.

  1. Log in to the AWS Account and navigate to IAM → Policies → Create policy.

  2. Select JSON, paste the following JSON content in the text box, and click Next: Tags.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LFWritePermissions",
                "Effect": "Allow",
                "Action": [
                    "lakeformation:BatchGrantPermissions",
                    "lakeformation:GrantPermissions",
                    "lakeformation:DeleteDataCellsFilter",
                    "lakeformation:RevokePermissions",
                    "lakeformation:CreateDataCellsFilter",
                    "lakeformation:BatchRevokePermissions"
                ],
                "Resource": "*"
            }
        ]
    }
  3. Add any tags you need, then click Next: Review.

  4. Enter a policy name, such as privacera-lf-write-access-policy, then click Create policy.

Create and attach IAM Role for PrivaceraCloud

  1. Log in to the AWS Account.

  2. Navigate to IAM → Roles → Create role.

  3. Under Select trusted entity:

    1. Select the trusted entity type Custom trust policy.

    2. Add the following JSON content into the box:

      Note

      Contact Privacera to get the value for <ROLE_ARN>.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "Statement1",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "<ROLE_ARN>"
                      ]
                  },
                  "Action": "sts:AssumeRole"
              }
          ]
      }
  4. Under Add permissions, in Permissions policies, search for the previously created policy privacera-lf-access-policy. Select its checkbox and click Next.

  5. For Role name, enter PrivaceraLakeformationAccessRole, then click Create role.

  6. Navigate to IAM → Roles, search for the previously created role PrivaceraLakeformationAccessRole, and copy its ARN; it is needed when configuring the connector in the PrivaceraCloud account.
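The policy and trust documents above, checked before they are applied: an added example in Python (not Privacera's own code) that assembles them in the shape shown on this page, rejects a trust policy that still carries the <ROLE_ARN> placeholder or a wildcard principal, and confirms the pull policy grants only Get/List/Describe actions. The ARN pattern, the read-only verb prefixes, and the assumption that the push-mode write policy is attached to the same role are this example's own.

```python
import re

# Constructed from the policy documents on this page: the action lists of the
# pull (read) policy and the push-mode (write) policy, keyed by statement Sid.
PULL_ACTIONS = {
    "GlueReadPermissions": [
        "glue:GetTables", "glue:GetTableVersions", "glue:GetDatabases", "glue:GetTable",
        "glue:GetDatabase", "glue:GetTableVersion", "glue:GetColumnStatisticsForTable"],
    "LFReadPermissions": [
        "lakeformation:ListDataCellsFilter", "lakeformation:GetEffectivePermissionsForPath",
        "lakeformation:ListLFTags", "lakeformation:GetLFTag", "lakeformation:ListPermissions",
        "lakeformation:GetResourceLFTags", "lakeformation:DescribeResource",
        "lakeformation:ListResources", "lakeformation:GetTableObjects"],
    "IAMRolesReadPermissions": ["iam:ListRoles"],
}
PUSH_ACTIONS = {
    "LFWritePermissions": [
        "lakeformation:BatchGrantPermissions", "lakeformation:GrantPermissions",
        "lakeformation:DeleteDataCellsFilter", "lakeformation:RevokePermissions",
        "lakeformation:CreateDataCellsFilter", "lakeformation:BatchRevokePermissions"],
}
# Assumed shape of a concrete IAM role ARN; rejects "*" and the <ROLE_ARN> placeholder.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
READ_VERBS = ("Get", "List", "Describe")  # assumed read-only API verb prefixes

def policy_document(actions_by_sid):
    """Assemble an identity policy in the shape used on this page (Resource "*")."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": sid, "Effect": "Allow", "Action": acts, "Resource": "*"}
        for sid, acts in actions_by_sid.items()]}

def build_trust_policy(privacera_role_arn):
    """Trust policy for PrivaceraLakeformationAccessRole, trusting exactly one role."""
    if not ROLE_ARN_RE.match(privacera_role_arn):
        raise ValueError(f"not a concrete IAM role ARN: {privacera_role_arn!r}")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Statement1", "Effect": "Allow",
        "Principal": {"AWS": [privacera_role_arn]}, "Action": "sts:AssumeRole"}]}

def non_read_actions(policy):
    """Actions whose API verb is not Get/List/Describe; empty for a pull-only role."""
    return [a for st in policy["Statement"] for a in st["Action"]
            if not a.split(":", 1)[1].startswith(READ_VERBS)]

def policies_to_attach(push_mode):
    """Assumed: the write policy is attached only when policies are synced to Lake Formation."""
    return ["privacera-lf-access-policy"] + (
        ["privacera-lf-write-access-policy"] if push_mode else [])
```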

Configure AWS Lake Formation administrator

  1. Log in to the AWS Account and navigate to AWS Lake Formation → Permissions → Administrative roles and tasks.

  2. Click Choose administrators and, under IAM users and roles, select the previously created role PrivaceraLakeformationAccessRole.

  3. Click Save.