# Protecting Data

In the AWS Lake Formation integration, Immuta orchestrates Lake Formation access controls[^1] on data registered in the Glue Data Catalog. Immuta users who have been granted access to a Glue Data Catalog table or view can then query it using one of these analytic engines:

* Amazon Athena
* Amazon EMR Spark
* Amazon Redshift Spectrum

The sequence diagram below outlines the events that occur when an Immuta user who is subscribed to a data source submits a query in their AWS analytic engine.

<figure><img src="/files/K7RaKkUra0RDpZGA9ab7" alt="When users submit a query against a data source they are subscribed to, the analytic engine requests metadata from Glue Data Catalog, which then queries Lake Formation to determine what data the user is allowed to see. Then, the analytic engine requests temporary access from Lake Formation, retrieves the data from S3, and filters the data to return policy-enforced data to the user."><figcaption><p>If a user is automatically subscribed to the data source by a policy, Immuta creates a Lake Formation tag for that user and the data source they are subscribed to. If the user is manually added to a data source by the data owner, Immuta grants direct access to the table in Lake Formation.</p></figcaption></figure>

See the [AWS Lake Formation documentation](https://docs.aws.amazon.com/lake-formation/latest/dg/what-is-lake-formation.html) for more details about Lake Formation access controls.

## Registering a connection

AWS Lake Formation is configured and data is registered through [connections](/SaaS/configuration/integrations/data-and-integrations/registering-a-connection/reference-guides/connections-overview.md), an Immuta feature that lets administrators register all of the data objects in a technology through a single connection, which makes data registration more scalable for your organization.

Once the Lake Formation connection is registered, you can author policies in Immuta to orchestrate Lake Formation access controls.

See the [AWS Lake Formation reference guide](/SaaS/configuration/integrations/aws-lake-formation/reference-guides/aws-lake-formation.md#registering-a-connection) for more details about registering a connection.

## Protecting data

After Glue Data Catalog views and tables are registered in Immuta, you can author subscription policies in Immuta to orchestrate Lake Formation access controls. Once a subscription policy is applied, users can be subscribed to data sources in the following ways:

* **Manually subscribed**: If a data owner [manually adds a user to the data source](/SaaS/configuration/integrations/data-and-integrations/registering-metadata/data-source-settings/how-to-guides/manage-members.md#add-members-to-a-data-source), Immuta issues that user a direct Lake Formation grant on the data object in AWS.
* **Automatically subscribed through policy logic**: When a policy is applied to a data source, users who meet the conditions of the policy are automatically subscribed to the data source[^2]. Immuta then generates a Lake Formation tag, attaches it to the corresponding data object in AWS, and grants subscribers permissions on that tag, which in turn gives them access to the data. See the [AWS Lake Formation reference guide](/SaaS/configuration/integrations/aws-lake-formation/reference-guides/aws-lake-formation.md#applying-policies) for details about this process.

Consider the following example, which illustrates how Immuta enforces a subscription policy that only allows users in the `analysts` group to access `yellow-table`. When this policy is authored and applied to the data source, Immuta generates a Lake Formation (LF) tag, attaches it to the Glue Data Catalog `yellow-table`, and grants permissions on that tag to every AWS user (registered in Immuta) who is a member of the `analysts` group.

<figure><img src="/files/ezARozk4XXwhcVYpAWg5" alt=""><figcaption></figcaption></figure>

In the image above, the user in the `analysts` group can query `yellow-table`, while the user in the `research` group is denied access.
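The two grant paths described above (a direct table grant for a manually added member, an LF-tag grant for policy subscribers) resolve differently in Lake Formation, and an auditor needs to tell them apart: detaching the tag from the table removes every tag-based subscriber at once but leaves direct grants in place. The following is an added example, not Immuta's or AWS's code, that models that resolution offline for the `yellow-table` scenario. The record shapes mirror the JSON returned by `aws lakeformation list-permissions` and `get-resource-lf-tags`, but the principals, ARNs, tag key and tag value (`immuta_policy=analysts-only`) are constructed placeholders; database-level tags and tag inheritance are deliberately left out.

```python
# Added example, not Immuta's or AWS's code: an offline model of how Lake
# Formation resolves the two grant styles described on this page.
#   - direct grants (manual subscription) name a specific table;
#   - LF-tag grants (policy subscription) name a tag expression and apply to
#     every table whose LF-tags satisfy it.
# All principals, ARNs, tag keys and values are constructed placeholders.
# Database-level tags and tag inheritance are deliberately not modelled.

ALICE = "arn:aws:iam::111122223333:user/alice"  # in the analysts group
BOB = "arn:aws:iam::111122223333:user/bob"      # in the research group
CAROL = "arn:aws:iam::111122223333:user/carol"  # manually added by the data owner

# LF-tags attached to tables, keyed by (database, table). Each key holds one value.
TABLE_TAGS = {
    ("taxi", "yellow-table"): {"immuta_policy": "analysts-only"},
    ("taxi", "green-table"): {},
}

# Constructed grants in list-permissions shape.
GRANTS = [
    {   # tag-based grant issued to each analyst; matches any TABLE carrying the tag
        "Principal": {"DataLakePrincipalIdentifier": ALICE},
        "Resource": {"LFTagPolicy": {
            "ResourceType": "TABLE",
            "Expression": [{"TagKey": "immuta_policy", "TagValues": ["analysts-only"]}],
        }},
        "Permissions": ["SELECT"],
    },
    {   # direct grant on the table itself
        "Principal": {"DataLakePrincipalIdentifier": CAROL},
        "Resource": {"Table": {"DatabaseName": "taxi", "Name": "yellow-table"}},
        "Permissions": ["SELECT"],
    },
]


def expression_matches(expression, resource_tags):
    """An LF-tag expression matches when every clause's key is present on the
    resource with one of the clause's values (AND across keys, OR within one)."""
    if not expression:
        return False
    return all(resource_tags.get(c["TagKey"]) in c["TagValues"] for c in expression)


def grant_paths(principal, database, table, grants=GRANTS, table_tags=TABLE_TAGS):
    """Return {permission: set(paths)} for a principal on a table, where a path is
    'direct' or 'lf-tag', so an auditor can see why access exists."""
    paths = {}
    tags = table_tags.get((database, table), {})
    for g in grants:
        if g["Principal"]["DataLakePrincipalIdentifier"] != principal:
            continue
        res = g["Resource"]
        if "Table" in res:
            t = res["Table"]
            applies = (t["DatabaseName"], t["Name"]) == (database, table)
            path = "direct"
        elif "LFTagPolicy" in res:
            pol = res["LFTagPolicy"]
            applies = pol["ResourceType"] == "TABLE" and expression_matches(pol["Expression"], tags)
            path = "lf-tag"
        else:
            continue
        if applies:
            for perm in g["Permissions"]:
                paths.setdefault(perm, set()).add(path)
    return paths


def can_select(principal, database, table, **kw):
    return "SELECT" in grant_paths(principal, database, table, **kw)


def principals_with_select(database, table, grants=GRANTS, table_tags=TABLE_TAGS):
    """Audit helper: every principal able to SELECT from the table, and how."""
    result = {}
    for p in {g["Principal"]["DataLakePrincipalIdentifier"] for g in grants}:
        paths = grant_paths(p, database, table, grants, table_tags).get("SELECT")
        if paths:
            result[p] = paths
    return result


def remove_lf_tag(table_tags, database, table, key):
    """Simulate remove-lf-tags-from-resource: return a new tag map without the key."""
    new = {k: dict(v) for k, v in table_tags.items()}
    new.get((database, table), {}).pop(key, None)
    return new


if __name__ == "__main__":
    print("alice:", can_select(ALICE, "taxi", "yellow-table"))  # True, via the LF-tag
    print("bob:", can_select(BOB, "taxi", "yellow-table"))      # False, no grant at all
    print("carol:", can_select(CAROL, "taxi", "yellow-table"))  # True, direct grant
    # Detaching the tag drops every tag-based subscriber; carol's direct grant remains.
    untagged = remove_lf_tag(TABLE_TAGS, "taxi", "yellow-table", "immuta_policy")
    print(principals_with_select("taxi", "yellow-table", table_tags=untagged))
```

Against a real account, feed `grant_paths` the output of `aws lakeformation list-permissions` and the tags from `aws lakeformation get-resource-lf-tags` rather than the constructed records, and remember that the model ignores database-level tags inherited by tables, column-level grants and the `IAMAllowedPrincipals` group, all of which can widen the set of principals that Lake Formation actually lets through.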

See the [Author a subscription policy page](/SaaS/govern/secure-your-data/authoring-policies-in-secure/section-contents/how-to-guides/subscription-policy-tutorial.md) for guidance on applying a subscription policy to a data source. See the [Subscription policy access types](/SaaS/govern/secure-your-data/authoring-policies-in-secure/section-contents/reference-guides/subscription-access-types.md#granting-aws-lake-formation-privileges) page for details about the subscription policy types supported and permissions Immuta grants on securables registered as Immuta data sources.

[^1]: AWS Lake Formation is an AWS service that lets you govern access to Glue Data Catalog tables and views.

[^2]: If the **require manual subscription** option is selected for the policy, these users will have to manually subscribe to the data.


