Attribute-based access control considerations, limitations, and supported regions

The following considerations and limitations apply to Attribute based access control (ABAC).

ABAC doesn’t support granting access using LF-Tag policies.
Grantable permissions are not available with ABAC.
ABAC doesn’t support granting permissions to IAM Identity Center users.
When using ABAC grants on a table in Lake Formation, Lake Formation doesn't grant DESCRIBE permissions to the parent database or catalog. This differs from non-ABAC scenarios, where Lake Formation provides implicit DESCRIBE permissions to parent resources.
All principals with the AmazonDataZoneProject tag key are always treated as opted in to Lake Formation for all Data Catalog resources.
ABAC supports only string attributes.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Lake Formation tag-based access control best practices and considerations

Troubleshooting Lake Formation