Protecting Data
In the AWS Lake Formation connection, Immuta orchestrates Lake Formation access controls on data registered in the Glue Data Catalog. Immuta users who have been granted access to a Glue Data Catalog table or view can then query it using one of these analytic engines:
Amazon Athena
Amazon EMR Spark
Amazon Redshift Spectrum
The sequence diagram below outlines the events that occur when an Immuta user who is subscribed to a data source submits a query in their AWS analytic engine.

See the AWS Lake Formation documentation for more details about Lake Formation access controls.
Registering a connection
AWS Lake Formation is configured and data is registered through connections, an Immuta feature that allows administrators to register data objects in a technology through a single connection to make data registration more scalable for your organization.
Once the Lake Formation connection is registered, you can author policies in Immuta to orchestrate Lake Formation access controls.
See the AWS Lake Formation reference guide for more details about registering a connection.
Protecting data
After Glue Data Catalog views and tables are registered in Immuta, you can author subscription policies in Immuta to orchestrate Lake Formation access controls. Once a subscription policy is applied, users can be subscribed to data sources in the following ways:
Manually subscribed: If a data owner manually adds a user to the data source, Immuta issues a grant directly to the data object in AWS.
Automatically subscribed through policy logic: When a policy is applied to a data source, users who meet the conditions of the policy are subscribed to it. Immuta then generates a Lake Formation tag, applies it to the corresponding data object in AWS, and grants subscribers access to that tag, which in turn grants them access to the data. See the AWS Lake Formation reference guide for details about this process.
Consider the following example, which illustrates how Immuta enforces a subscription policy that only allows users in the analysts group to access yellow-table. When this policy is authored and applied to the data source, Immuta generates a Lake Formation (LF) tag that is applied to the Glue Data Catalog table yellow-table, and permissions on that tag are granted to all AWS users (registered in Immuta) that are part of the analysts group.

In the image above, the user in the analysts group accesses yellow-table, while the user who is part of the research group is denied access.
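As an added illustration, not Immuta's own code and not the Lake Formation API itself, the following Python models the two subscription paths described above (a direct grant on the table for manual subscriptions; a tag attached to the table plus a grant on that tag expression for policy subscriptions) and evaluates who can query yellow-table. The tag key, principal ARNs and group membership are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder: the page does not state the tag key Immuta uses.
TAG_KEY = "immuta_subscription"

@dataclass
class Table:
    name: str
    lf_tags: dict = field(default_factory=dict)  # LF tags attached to the Glue object

@dataclass
class Grant:
    principal: str
    permissions: frozenset
    table: str = None        # direct grant on a named table (manual subscription)
    expression: dict = None  # tag expression {key: {allowed values}} (policy subscription)

def expression_matches(expression, resource_tags):
    """A tag expression matches only if every key is on the resource with an allowed value."""
    return all(resource_tags.get(k) in vals for k, vals in expression.items())

def orchestrate_policy(table, policy_name, subscribers):
    """Policy path: attach a tag to the table, then grant SELECT on that tag to each subscriber."""
    table.lf_tags[TAG_KEY] = policy_name  # the tag applied to the data object
    return [Grant(p, frozenset({"SELECT"}), expression={TAG_KEY: {policy_name}})
            for p in subscribers]         # grants on the tag, not on the table

def manual_subscription(table, principal):
    """Manual path: a grant issued directly on the data object."""
    return Grant(principal, frozenset({"SELECT"}), table=table.name)

def effective_permissions(principal, table, grants):
    """Union of permissions from direct grants and from matching tag-expression grants."""
    perms = set()
    for g in grants:
        if g.principal != principal:
            continue
        if g.table == table.name or (g.expression and expression_matches(g.expression, table.lf_tags)):
            perms |= g.permissions
    return perms

def can_query(principal, table, grants):
    return "SELECT" in effective_permissions(principal, table, grants)

# Constructed sample mirroring the analysts/research example above
ANALYST = "arn:aws:iam::111122223333:user/analyst"
RESEARCHER = "arn:aws:iam::111122223333:user/researcher"
GROUPS = {"analysts": [ANALYST], "research": [RESEARCHER]}
yellow_table = Table("yellow-table")
grants = orchestrate_policy(yellow_table, "analysts-only", GROUPS["analysts"])

if __name__ == "__main__":
    for who in (ANALYST, RESEARCHER):
        print(who, "can query" if can_query(who, yellow_table, grants) else "is denied")
```

Adding a `manual_subscription` grant for the researcher shows the direct path: it opens yellow-table only, while a table without the tag stays closed to everyone.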
See the Author a subscription policy page for guidance on applying a subscription policy to a data source. See the Subscription policy access types page for details about the supported subscription policy types and the permissions Immuta grants on securables registered as Immuta data sources.