DEV Community: Soumyadeep Basu The latest articles on DEV Community by Soumyadeep Basu (@soumyadeep_basu_3101d3ac1). https://dev.to/soumyadeep_basu_3101d3ac1 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3870577%2F1faa3124-25b0-4484-b519-5d8789705689.jpg DEV Community: Soumyadeep Basu https://dev.to/soumyadeep_basu_3101d3ac1 en AWS Lake Formation: Why Your Data Lake Permissions Are Probably a Mess (And How to Fix That) Soumyadeep Basu Thu, 09 Apr 2026 21:34:51 +0000 https://dev.to/soumyadeep_basu_3101d3ac1/aws-lake-formation-why-your-data-lake-permissions-are-probably-a-mess-and-how-to-fix-that-1pl https://dev.to/soumyadeep_basu_3101d3ac1/aws-lake-formation-why-your-data-lake-permissions-are-probably-a-mess-and-how-to-fix-that-1pl <p>Week 1 of a series on AWS Lake Formation — from fundamentals to real-world implementation<br> If you've been working with AWS data infrastructure for any length of time, you've probably set up an S3-based data lake. You created some buckets, wrote IAM policies, maybe added some bucket policies on top — and it worked.<br> Until it didn't.<br> Maybe your team grew. Maybe you added a second AWS account. Maybe someone asked "who exactly has access to this data?" and you spent two hours trying to piece together an answer from a maze of IAM policies.<br> That's the moment AWS Lake Formation starts making sense.</p> <p><strong>What Lake Formation Actually Is</strong><br> Lake Formation is not a storage service. Your data still lives in S3. Lake Formation is a permissions and governance layer that sits on top of your data lake and gives you one centralized place to define, manage, and audit who can access what.<br> Think of S3 + IAM as the raw infrastructure. Lake Formation is the control plane on top of it.<br> With Lake Formation you can grant permissions at the:</p> <p><strong>1. Database level</strong><br> — this team can see this entire database</p> <p><strong>2. Table level</strong><br> — this role can query this specific table</p> <p><strong>3. Column level</strong><br> — this user can see everything except these sensitive columns</p> <p><strong>4. Row level</strong><br> — this team can only see rows where region = 'US'<br> That kind of granularity with pure IAM is technically possible. In practice it becomes unmaintainable fast.</p> <p><strong>Why IAM Alone Breaks at Scale</strong><br> Let me give you a concrete scenario.<br> You have a data lake with 40 tables across 6 databases. You have 5 teams — data science, analytics, finance, marketing, and engineering. Each team needs different access to different tables, and some tables have columns that only certain roles should see.<br> With pure IAM you're writing and maintaining dozens of policies, attaching them to roles, keeping bucket policies in sync, and hoping nothing drifts. When someone gets an access denied error at 9am on a Monday, good luck tracing exactly which policy is the problem.<br> With Lake Formation, you open one console (or run one API call / Terraform resource) and say: data science role has SELECT on these 12 tables, excluding this column. Done. Auditable. Revokable in seconds.<br> The mental model shift is significant: you stop thinking about who can access S3 paths and start thinking about who can access data assets.</p> <p><strong>The Core Concepts You Need to Know</strong><br> Before you touch anything in Lake Formation, get these four concepts clear:</p> <p><strong>1. Data Catalog</strong><br> — the metadata layer. Lake Formation uses the AWS Glue Data Catalog to store database and table definitions. You register your S3 locations here and Lake Formation takes over governing access to them.</p> <p><strong>2. Data Lake Administrator</strong><br> — a special role that has full control over Lake Formation. You'll set this up first. Don't confuse it with an IAM admin — it's a separate Lake Formation concept.</p> <p><strong>3. Permissions</strong><br> — Lake Formation has its own permission model (DESCRIBE, SELECT, ALTER, DROP, etc.) that maps roughly to what you'd expect from a database. These are what you grant to IAM principals.</p> <p><strong>4. Registered Locations</strong><br> — before Lake Formation can govern an S3 path, you have to register it. This tells LF "I want you to manage access to data in this location." After that, IAM alone is no longer enough to read the data — LF permissions are required too.</p> <p><strong>What This Series Covers</strong><br> This is week one of a practical series on Lake Formation. No fluff — just the things that actually matter when you're implementing this in a real environment.<br> <strong>Here's where we're going:</strong><br> <strong>Week 2 — TBAC vs NBAC</strong>: the two permission models, when to use each, and why the choice matters more than AWS lets on<br> <strong>Week 3 — Cross-account data sharing</strong>: the gotchas, the traps, and a real bug that cost me hours<br> <strong>Week 4 — Automating Lake Formation with Terraform</strong>: what works, what doesn't, and how to structure your modules<br> If you work with AWS data infrastructure — whether you're building a data lake from scratch or trying to bring governance to an existing one — this series is for you.<br> <em><strong>I'm a Data Platform Engineer working with AWS data infrastructure daily. Follow along if you want the practical version of Lake Formation — not the tutorial, the real thing.</strong></em></p> dataengineering awsdatalake aws