📖 Carry out tests on Lake Formation Hybrid Mode

[julialawrence]

User Story

As an AP Engineer, I would like to test out managing a datasource simultaneously using IAM and LakeFormation with both modes enforced rather than only IAM in a way that doesn't break the current permission setup.

Value / Purpose

Using hybrid mode will allow a gradual migration to Lake Formation for permissions management without outright blocking the current setup. This will make the migration process less painful for users and operators.

Useful Contacts

@julialawrence

User Types

Data Engineers, AP Engneers

Hypothesis

If we are able to successfully test and document use of hybrid mode, we can apply it both to Digital Prisons Reporting work and put it towards replacement of of database-access repository.

Proposal

Use an existing glue table/darabase in our ap-dev account and test managing permissions in hybrid mode.

Test the following scenarios:

• IAM role has IAM access but not LF access
• IAM role has LF access but not IAM access
• IAM role has different levels of access in LF and IAM

Additional Information

https://docs.aws.amazon.com/lake-formation/latest/dg/hybrid-access-mode.html

Definition of Done

• [x] Scenarios tested
• [x] Findings captured
• [x] Findings demoed to the team
• [x] Existing stories adjusted if needed

[BrianEllwood]

The findings are in this document