Privacera Documentation

How to validate an AWS Lake Formation connector

Perform the following steps to confirm that your AWS Lake Formation connector configuration is valid:

  • In the PrivaceraCloud portal, go to Access Management → Audit → Plugin. There you should see your service name: privacera_lakeformation (or the service name you have chosen). If you don’t see the connector plugin listed, part of the configuration is incorrect; recheck your configuration.

  • Click on the Policy Sync tab to see the audit logs for this connector. If logs are present, your connector is functional; they show the policies/permissions read from AWS Lake Formation. If there are no logs for this connector, then most likely your IAM role is incorrect or the cross-account trust was not configured properly.

  • The Privacera AWS Lake Formation connector will automatically pull the IAM Roles and add them to Apache Ranger. You can check this by going to Access Management → Users/Groups/Roles → Roles. If you don’t see any IAM Roles in Apache Ranger, then most likely your IAM role is incorrect or the cross-account trust was not configured properly.

  • If you already have policies in AWS Lake Formation, they will have been synced into Privacera. Verify this at Access Management → Resource Policies → privacera_lakeformation (or the name of your repo). In the ACCESS tab, you should see your policies. Policies fetched from AWS Lake Formation are labeled Connector: LakeFormation. You will also see only the “Preview” option for each policy, because by default these are read-only policies that cannot be edited or deleted from Privacera. This can be changed by turning off the read-only flag in the AWS Lake Formation connector configuration, but note that this is not recommended, as AWS Lake Formation should be the only policy creator.

    • If you click on the “Preview” button of a policy, it shows the details for the resource, such as the user/group/role and the permission associated with it.

  • You can also check the ROW LEVEL FILTER tab for “Data filter” policies.

    • Click Preview to see the row filter condition which is loaded for AWS Lake Formation “Data Filter”.

    • For each AWS Lake Formation “Data filter” permission, it will create two policies.

      1. One policy in ROW LEVEL FILTER, specifying which user has what type of access to which resource, and the filter condition.

      2. One in Access Policy, specifying the column-level access. This shows what the user has access to and which columns of the table have SELECT access. Some columns can be excluded while access is granted to other columns.

  • Go to Access Management → Tag Policies → privacera_tag (or the name of your tag policy repo). This shows the tag-based policies created in Privacera by reading from AWS Lake Formation.

    • Click Preview to display the tag name, tag attributes, and the policies attached to those tags in detail.

  • You can also check the AWS Lake Formation Data location policies by going to Access Management → Resource Policies → privacera_lakeformation (or the name of your repo). In the ACCESS tab, you should see your policies prefixed with data_location and labeled with connector: Lakeformation.

    • Click Preview to see the data location and the users/groups/roles to which the policy is granted.