# Adding an Amazon S3 location to your data lake
To add a data location as storage in your data lake, you *register* the location (**Data lake location**) with AWS Lake Formation. You can then use Lake Formation permissions for fine-grained access control to AWS Glue Data Catalog objects that point to this location and to the underlying data in the location.
Lake Formation also allows to register a data location in hybrid access mode and provide you the flexibility to selectively enable Lake Formation permissions for databases and tables in your Data Catalog. With the Hybrid access mode, you have an incremental path that allows you to set Lake Formation permissions for a specific set of users without interrupting the permission policies of other existing users or workloads.
For more information on setting up hybrid access mode, see [Hybrid access mode](hybrid-access-mode.md)
When you register a location, that Amazon S3 path and all folders under that path are registered.
For example, suppose that you have an Amazon S3 path organization like the following:
`/mybucket/accounting/sales/`
If you register `S3://mybucket/accounting`, the `sales` folder is also registered and under Lake Formation management.
For more information about registering locations, see [Underlying data access control](access-control-underlying-data.md#underlying-data-access-control).
**Note**
Lake Formation permissions are recommended for structured data (arranged in tables with rows and columns). If your data contains object-based unstructured data, consider using Amazon S3 access grants to manage data access.
**Topics**
+ [
# Requirements for roles used to register locations
](registration-role.md)
+ [
# Registering an Amazon S3 location
](register-location.md)
+ [
# Registering an encrypted Amazon S3 location
](register-encrypted.md)
+ [
# Registering an Amazon S3 location in another AWS account
](register-cross-account.md)
+ [
# Registering an encrypted Amazon S3 location across AWS accounts
](register-cross-encrypted.md)
+ [
# Deregistering an Amazon S3 location
](unregister-location.md)
# Requirements for roles used to register locations
You must specify an AWS Identity and Access Management (IAM) role when you register an Amazon Simple Storage Service (Amazon S3) location. AWS Lake Formation assumes that role when accessing the data in that location.
You can use one of the following role types to register a location:
+ The Lake Formation service-linked role. This role grants the required permissions on the location. Using this role is the simplest way to register the location. For more information, see [Using service-linked roles for Lake Formation](service-linked-roles.md) and [Service-linked role limitations](service-linked-role-limitations.md).
+ A user-defined role. Use a user-defined role when you need to grant more permissions than the service-linked role provides.
You must use a user-defined role in the following circumstances:
+ When registering a location in another account.
For more information, see [Registering an Amazon S3 location in another AWS account](register-cross-account.md) and [Registering an encrypted Amazon S3 location across AWS accounts](register-cross-encrypted.md).
+ If you used an AWS managed CMK (`aws/s3`) to encrypt the Amazon S3 location.
For more information, see [Registering an encrypted Amazon S3 location](register-encrypted.md).
+ If you plan to access the location using Amazon EMR.
If you already registered a location with the service-linked role and want to begin accessing the location with Amazon EMR, you must deregister the location and reregister it with a user-defined role. For more information, see [Deregistering an Amazon S3 location](unregister-location.md).
# Using service-linked roles for Lake Formation
AWS Lake Formation uses an AWS Identity and Access Management (IAM) *service-linked role*. A service-linked role is a unique type of IAM role that is linked directly to Lake Formation. The service-linked role is predefined by Lake Formation and includes all the permissions that the service requires to call other AWS services on your behalf.
A service-linked role makes setting up Lake Formation easier because you don’t have to create a role and manually add the necessary permissions. Lake Formation defines the permissions of its service-linked role, and unless defined otherwise, only Lake Formation can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity.
This service-linked role trusts the following services to assume the role:
+ `lakeformation.amazonaws.com`
When you use a service-linked role in account A to register an Amazon S3 location that is owned by account B, the Amazon S3 bucket policy (a resource-based policy) in account B must grant access permissions to the service-linked role in account A.
For information about using service-linked role to register a data location, see [Service-linked role limitations](service-linked-role-limitations.md).
**Note**
Service control policies (SCPs) don't affect service-linked roles.
For more information, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations user guide*.
## Service-linked role permissions for Lake Formation
Lake Formation uses the service-linked role named `AWSServiceRoleForLakeFormationDataAccess`. This role provides a set of Amazon Simple Storage Service (Amazon S3) permissions that enable the Lake Formation integrated service (such as Amazon Athena) to access registered locations. When you register a data lake location, you must provide a role that has the required Amazon S3 read/write permissions on that location. Instead of creating a role with the required Amazon S3 permissions, you can use this service-linked role.
The first time that you name the service-linked role as the role with which to register a path, the service-linked role and a new IAM policy are created on your behalf. Lake Formation adds the path to the inline policy and attaches it to the service-linked role. When you register subsequent paths with the service-linked role, Lake Formation adds the path to the existing policy.
While signed in as a data lake administrator, register a data lake location. Then, in the IAM console, search for the role `AWSServiceRoleForLakeFormationDataAccess` and view its attached policies.
For example, after you register the location `s3://my-kinesis-test/logs`, Lake Formation creates the following inline policy and attaches it to `AWSServiceRoleForLakeFormationDataAccess`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "LakeFormationDataAccessPermissionsForS3",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::my-kinesis-test/logs/*"
]
},
{
"Sid": "LakeFormationDataAccessPermissionsForS3ListBucket",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource": [
"arn:aws:s3:::my-kinesis-test"
]
}
]
}
```
------
## Creating a service-linked role for Lake Formation
You don't need to manually create a service-linked role. When you register an Amazon S3 location with Lake Formation in the AWS Management Console, the AWS CLI, or the AWS API, Lake Formation creates the service-linked role for you.
**Important**
This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).
If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you register an Amazon S3 location with Lake Formation, Lake Formation creates the service-linked role for you again.
You can also use the IAM console to create a service-linked role with the **Lake Formation** use case. In the AWS CLI or the AWS API, create a service-linked role with the `lakeformation.amazonaws.com` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.
## Editing a service-linked role for Lake Formation
Lake Formation does not allow you to edit the `AWSServiceRoleForLakeFormationDataAccess` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.
## Deleting a service-linked role for Lake Formation
If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.
**Note**
If the Lake Formation service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.
**To delete Lake Formation resources used by the Lake Formation**
+ If you've used the service-linked role to register Amazon S3 locations with Lake Formation, before deleting the service-linked role, you need to deregister the location and reregister it using a custom role.
**To manually delete the service-linked role using IAM**
Use the IAM console, the AWS CLI, or the AWS API to delete the `AWSServiceRoleForLakeFormationDataAccess` service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.
The following are the requirements for a user-defined role:
+ When creating the new role, on the **Create role** page of the IAM console, choose **AWS service**, and then under **Choose a use case**, choose **Lake Formation**.
If you create the role using a different path, ensure that the role has a trust relationship with `lakeformation.amazonaws.com`. For more information, see [Modifying a role trust policy (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-trust-policy.html).
+ The role must have an inline policy that grants Amazon S3 read/write permissions on the location. The following is a typical policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::awsexamplebucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::awsexamplebucket"
]
}
]
}
```
------
+ Add the following trust policy to the IAM role to allow the Lake Formation service to assume the role and vend temporary credentials to the integrated analytical engines.
To include IAM Identity Center user context in the CloudTrail logs, the trust policy must have the permission for the `sts:SetContext` action.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DataCatalogViewDefinerAssumeRole1",
"Effect": "Allow",
"Principal": {
"Service": [
"lakeformation.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole",
"sts:SetContext"
]
}
]
}
```
------
+ The data lake administrator who registers the location must have the `iam:PassRole` permission on the role.
The following is an inline policy that grants this permission. Replace ** with a valid AWS account number, and replace ** with the name of the role.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "PassRolePermissions",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::111122223333:role/"
]
}
]
}
```
------
+ To permit Lake Formation to add logs in CloudWatch Logs and publish metrics, add the following inline policy.
**Note**
Writing to CloudWatch Logs incurs a charge.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Sid1",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:111122223333:log-group:/aws-lakeformation-acceleration/*",
"arn:aws:logs:us-east-1:111122223333:log-group:/aws-lakeformation-acceleration/*:log-stream:*"
]
}
]
}
```
------
# Registering an Amazon S3 location
You must specify an AWS Identity and Access Management (IAM) role when you register an Amazon Simple Storage Service (Amazon S3) location. Lake Formation assumes that role when it grants temporary credentials to integrated AWS services that access the data in that location.
**Important**
Avoid registering an Amazon S3 bucket that has **Requester pays** enabled. For buckets registered with Lake Formation, the role used to register the bucket is always viewed as the requester. If the bucket is accessed by another AWS account, the bucket owner is charged for data access if the role belongs to the same account as the bucket owner.
You can use the AWS Lake Formation console, Lake Formation API, or AWS Command Line Interface (AWS CLI) to register an Amazon S3 location.
**Before you begin**
Review the [requirements for the role used to register the location](registration-role.md).
**To register a location (console)**
**Important**
The following procedures assume that the Amazon S3 location is in the same AWS account as the Data Catalog and that the data in the location is not encrypted. Other sections in this chapter cover cross-account registration and registration of encrypted locations.
1. Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/). Sign in as the data lake administrator or as a user with the `lakeformation:RegisterResource` IAM permission.
1. In the navigation pane, under **Administration**, select **Data lake locations**.
1. Choose **Register location**, and then choose **Browse** to select an Amazon Simple Storage Service (Amazon S3) path.
1. (Optional, but strongly recommended) Select **Review location permissions** to view a list of all existing resources in the selected Amazon S3 location and their permissions.
Registering the selected location might result in your Lake Formation users gaining access to data already at that location. Viewing this list helps you ensure that existing data remains secure.
1. For **IAM role**, choose either the `AWSServiceRoleForLakeFormationDataAccess` service-linked role (the default) or a custom IAM role that meets the requirements in [Requirements for roles used to register locations](registration-role.md).
You can update a registered location or other details only when you register it using a custom IAM role. To edit a location registered using a service-linked role, you should deregister the location and register it again.
1. Choose **Enable Data Catalog Federation** option to allow Lake Formation to assume a role and vend temporary credentials to integrated AWS services to access tables under federated databases. If a location is registered with Lake Formation, and you want to use the same location for a table under a federated database, you need to register the same location with the **Enable Data Catalog Federation** option.
1. Choose **Hybrid access mode** to not enable Lake Formation permissions by default. When you register Amazon S3 location in hybrid access mode, you can enable Lake Formation permissions by opting in principals for databases and tables under that location.
For more information on setting up hybrid access mode, see [Hybrid access mode](hybrid-access-mode.md).
1. Select **Register location**.
**To register a location (AWS CLI)**
1.
**Register a new location with Lake Formation**
This example uses a service-linked role to register the location. You can use the `--role-arn` argument instead to supply your own role.
Replace ** with a valid Amazon S3 path, account number with a valid AWS account, and ** with an IAM role that has permissions to register a data location.
**Note**
You can't edit properties of a registered location if it is registered using a service-linked role.
```
aws lakeformation register-resource \
--resource-arn arn:aws:s3::: \
--use-service-linked-role
```
The following example uses a custom role to register the location.
```
aws lakeformation register-resource \
--resource-arn arn:aws:s3::: \
--role-arn arn:aws:iam::<123456789012>:role/
```
1.
**To update a location registered with Lake Formation**
You can edit a registered location only if it is registered using a custom IAM role. For a location registered with service-linked role, you should deregister the location and register it again. For more information, see [Deregistering an Amazon S3 location](unregister-location.md).
```
aws lakeformation update-resource \
--role-arn arn:aws:iam::<123456789012>:role/\
--resource-arn arn:aws:s3:::
```
```
aws lakeformation update-resource \
--resource-arn arn:aws:s3::: \
--use-service-linked-role
```
1.
**Register a data location in hybrid access mode with federation**
```
aws lakeformation register-resource \
--resource-arn arn:aws:s3::: \
--role-arn arn:aws:iam::<123456789012>:role/ \
--hybrid-access-enabled
```
```
aws lakeformation register-resource \
--resource-arn arn:aws:s3::: \
--role-arn arn:aws:iam::<123456789012>:role/ \
--with-federation
```
```
aws lakeformation update-resource \
--resource-arn arn:aws:s3::: \
--role-arn arn:aws:iam::<123456789012>:role/ \
--hybrid-access-enabled
```
For more information, see [RegisterResource](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_RegisterResource.html) API operation.
**Note**
Once you register an Amazon S3 location, any AWS Glue table pointing to the location (or any of its child locations) will return the value for the `IsRegisteredWithLakeFormation` parameter as `true` in the `GetTable` call. There is a known limitation that Data Catalog API operations such as `GetTables` and `SearchTables` do not update the value for the `IsRegisteredWithLakeFormation` parameter, and return the default, which is false. It is recommended to use the `GetTable` API to view the correct value for the `IsRegisteredWithLakeFormation` parameter.
# Registering an encrypted Amazon S3 location
Lake Formation integrates with [AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) (AWS KMS) to enable you to more easily set up other integrated services to encrypt and decrypt data in Amazon Simple Storage Service (Amazon S3) locations.
Both customer managed AWS KMS keys and AWS managed keys are supported. Currently, client-side encryption/decryption is supported only with Athena.
You must specify an AWS Identity and Access Management (IAM) role when you register an Amazon S3 location. For encrypted Amazon S3 locations, either the role must have permission to encrypt and decrypt data with the AWS KMS key, or the KMS key policy must grant permissions on the key to the role.
**Important**
Avoid registering an Amazon S3 bucket that has **Requester pays** enabled. For buckets registered with Lake Formation, the role used to register the bucket is always viewed as the requester. If the bucket is accessed by another AWS account, the bucket owner is charged for data access if the role belongs to the same account as the bucket owner.
Lake Formation uses a service-linked role to register your data locations. However, this role has several [limitations](service-linked-role-limitations.md). Due to these constraints, we recommend creating and using a custom IAM role instead for more flexibility and control. The custom role you create to register the location must meets the requirements specified in [Requirements for roles used to register locations](registration-role.md).
**Important**
If you used an AWS managed key to encrypt the Amazon S3 location, you can't use the Lake Formation service-linked role. You must use a custom role and add IAM permissions on the key to the role. Details are provided later in this section.
The following procedures explain how to register an Amazon S3 location that is encrypted with either a customer managed key or an AWS managed key.
+ [Registering a location encrypted with a customer managed key](#proc-register-cust-cmk)
+ [Registering a location encrypted with an AWS managed key](#proc-register-aws-cmk)
**Before You Begin**
Review the [requirements for the role used to register the location](registration-role.md).
**To register an Amazon S3 location encrypted with a customer managed key**
**Note**
If the KMS key or Amazon S3 location are not in the same AWS account as the Data Catalog, follow the instructions in [Registering an encrypted Amazon S3 location across AWS accounts](register-cross-encrypted.md) instead.
1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms) and log in as an AWS Identity and Access Management (IAM) administrative user or as a user who can modify the key policy of the KMS key used to encrypt the location.
1. In the navigation pane, choose **Customer managed keys**, and then choose the name of the desired KMS key.
1. On the KMS key details page, choose the **Key policy** tab, and then do one of the following to add your custom role or the Lake Formation service-linked role as a KMS key user:
+ **If the default view is showing** (with **Key administrators**, **Key deletion**, **Key users**, and **Other AWS accounts** sections) – Under the **Key users** section, add your custom role or the Lake Formation service-linked role `AWSServiceRoleForLakeFormationDataAccess`.
+ **If the key policy (JSON) is showing** – Edit the policy to add your custom role or the Lake Formation service-linked role `AWSServiceRoleForLakeFormationDataAccess` to the object "Allow use of the key," as shown in the following example.
**Note**
If that object is missing, add it with the permissions shown in the example. The example uses the service-linked role.
```
...
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess",
"arn:aws:iam::111122223333:user/keyuser"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
...
```
1. Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/). Sign in as the data lake administrator or as a user with the `lakeformation:RegisterResource` IAM permission.
1. In the navigation pane, under **Administration**, choose **Data lake locations**.
1. Choose **Register location**, and then choose **Browse** to select an Amazon Simple Storage Service (Amazon S3) path.
1. (Optional, but strongly recommended) Choose **Review location permissions** to view a list of all existing resources in the selected Amazon S3 location and their permissions.
Registering the selected location might result in your Lake Formation users gaining access to data already at that location. Viewing this list helps you ensure that existing data remains secure.
1. For **IAM role**, choose either the `AWSServiceRoleForLakeFormationDataAccess` service-linked role (the default) or your custom role that meets the [Requirements for roles used to register locations](registration-role.md).
1. Choose **Register location**.
For more information about the service-linked role, see [Service-linked role permissions for Lake Formation](service-linked-roles.md#service-linked-role-permissions).
**To register an Amazon S3 location encrypted with an AWS managed key**
**Important**
If the Amazon S3 location is not in the same AWS account as the Data Catalog, follow the instructions in [Registering an encrypted Amazon S3 location across AWS accounts](register-cross-encrypted.md) instead.
1. Create an IAM role to use to register the location. Ensure that it meets the requirements listed in [Requirements for roles used to register locations](registration-role.md).
1. Add the following inline policy to the role. It grants permissions on the key to the role. The `Resource` specification must designate the Amazon Resource Name (ARN) of the AWS managed key. You can obtain the ARN from the AWS KMS console. To get the correct ARN, ensure that you log in to the AWS KMS console with the same AWS account and Region as the AWS managed key that was used to encrypt the location.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
]
}
```
------
You can use KMS key aliases instead of the key ID - `arn:aws:kms:region:account-id:key/alias/your-key-alias`
For more information, see [Aliases in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) section in the AWS Key Management Service Developer Guide.
1. Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/). Sign in as the data lake administrator or as a user with the `lakeformation:RegisterResource` IAM permission.
1. In the navigation pane, under **Administration**, choose **Data lake locations**.
1. Choose **Register location**, and then choose **Browse** to select an Amazon S3 path.
1. (Optional, but strongly recommended) Choose **Review location permissions** to view a list of all existing resources in the selected Amazon S3 location and their permissions.
Registering the selected location might result in your Lake Formation users gaining access to data already at that location. Viewing this list helps you ensure that existing data remains secure.
1. For **IAM role**, choose the role that you created in Step 1.
1. Choose **Register location**.
# Registering an Amazon S3 location in another AWS account
AWS Lake Formation enables you to register Amazon Simple Storage Service (Amazon S3) locations across AWS accounts. For example, if the AWS Glue Data Catalog is in account A, a user in account A can register an Amazon S3 bucket in account B.
Registering an Amazon S3 bucket in AWS account B using an AWS Identity and Access Management (IAM) role in AWS account A requires the following permissions:
+ The role in account A must grant permissions on the bucket in account B.
+ The bucket policy in account B must grant access permissions to the role in Account A.
**Important**
Avoid registering an Amazon S3 bucket that has **Requester pays** enabled. For buckets registered with Lake Formation, the role used to register the bucket is always viewed as the requester. If the bucket is accessed by another AWS account, the bucket owner is charged for data access if the role belongs to the same account as the bucket owner.
You can't use the Lake Formation service-linked role to register a location in another account. You must use a user-defined role instead. The role must meet the requirements in [Requirements for roles used to register locations](registration-role.md). For more information about the service-linked role, see [Service-linked role permissions for Lake Formation](service-linked-roles.md#service-linked-role-permissions).
**Before you begin**
Review the [requirements for the role used to register the location](registration-role.md).
**To register a location in another AWS account**
**Note**
If the location is encrypted, follow the instructions in [Registering an encrypted Amazon S3 location across AWS accounts](register-cross-encrypted.md) instead.
The following procedure assumes that a principal in account 1111-2222-3333, which contains the Data Catalog, wants to register the Amazon S3 bucket `awsexamplebucket1`, which is in account 1234-5678-9012.
1. In account 1111-2222-3333, sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. Create a new role or view an existing role that meets the requirements in [Requirements for roles used to register locations](registration-role.md). Ensure that the role grants Amazon S3 permissions on `awsexamplebucket1`.
1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). Sign in with account 1234-5678-9012.
1. In the **Bucket name** list, choose the bucket name, `awsexamplebucket1`.
1. Choose **Permissions**.
1. On the **Permissions** page, choose **Bucket Policy**.
1. In the **Bucket policy editor**, paste the following policy. Replace ** with the name of your role.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect":"Allow",
"Principal": {
"AWS":"arn:aws:iam::111122223333:role/"
},
"Action":"s3:ListBucket",
"Resource":"arn:aws:s3:::awsexamplebucket1"
},
{
"Effect":"Allow",
"Principal": {
"AWS":"arn:aws:iam::111122223333:role/"
},
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource":"arn:aws:s3:::awsexamplebucket1/*"
}
]
}
```
------
1. Choose **Save**.
1. Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/). Sign in to account 1111-2222-3333 as the data lake administrator or as a user with sufficient permissions to register locations.
1. In the navigation pane, under **Administration**, choose **Data lake locations**.
1. On **Data lake locations** page, choose **Register location**.
1. On the **Register location page**, for **Amazon S3 path**, enter the bucket name `s3://awsexamplebucket1`.
**Note**
You must type the bucket name because cross-account buckets do not appear in the list when you choose **Browse**.
1. For **IAM role**, choose your role.
1. Choose **Register location**.
# Registering an encrypted Amazon S3 location across AWS accounts
AWS Lake Formation integrates with [AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) (AWS KMS) to enable you to more easily set up other integrated services to encrypt and decrypt data in Amazon Simple Storage Service (Amazon S3) locations.
Both customer managed keys and AWS managed keys are supported. Client-side encryption/decryption is not supported.
**Important**
Avoid registering an Amazon S3 bucket that has **Requester pays** enabled. For buckets registered with Lake Formation, the role used to register the bucket is always viewed as the requester. If the bucket is accessed by another AWS account, the bucket owner is charged for data access if the role belongs to the same account as the bucket owner.
This section explains how to register an Amazon S3 location under the following circumstances:
+ The data in the Amazon S3 location is encrypted with a KMS key created in AWS KMS.
+ The Amazon S3 location is not in the same AWS account as the AWS Glue Data Catalog.
+ The KMS key either is or is not in the same AWS account as the Data Catalog.
Registering an AWS KMS–encrypted Amazon S3 bucket in AWS account B using an AWS Identity and Access Management (IAM) role in AWS account A requires the following permissions:
+ The role in account A must grant permissions on the bucket in account B.
+ The bucket policy in account B must grant access permissions to the role in Account A.
+ If the KMS key is in account B, the key policy must grant access to the role in account A, and the role in account A must grant permissions on the KMS key.
In the following procedure, you create a role in the AWS account that contains the Data Catalog (account A in the previous discussion). Then, you use this role to register the location. Lake Formation assumes this role when accessing underlying data in Amazon S3. The assumed role has the required permissions on the KMS key. As a result, you don't have to grant permissions on the KMS key to principals accessing underlying data with ETL jobs or with integrated services such as Amazon Athena.
**Important**
You can't use the Lake Formation service-linked role to register a location in another account. You must use a user-defined role instead. The role must meet the requirements in [Requirements for roles used to register locations](registration-role.md). For more information about the service-linked role, see [Service-linked role permissions for Lake Formation](service-linked-roles.md#service-linked-role-permissions).
**Before You Begin**
Review the [requirements for the role used to register the location](registration-role.md).
**To register an encrypted Amazon S3 location across AWS accounts**
1. In the same AWS account as the Data Catalog, sign into the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. Create a new role or view an existing role that meets the requirements in [Requirements for roles used to register locations](registration-role.md). Ensure that the role includes a policy that grants Amazon S3 permissions on the location.
1. If the KMS key is not in the same account as the Data Catalog, add to the role an inline policy that grants the required permissions on the KMS key. The following is an example policy. Replace Region and account ID with the region and account number of the KMS key. Replace ** with the key ID.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-east-1:111122223333:key/"
}
]
}
```
------
1. On the Amazon S3 console, add a bucket policy granting the required Amazon S3 permissions to the role. The following is an example bucket policy. Replace the account ID with the AWS account number of the Data Catalog, ** with the name of your role, and ** with the name of the bucket.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect":"Allow",
"Principal": {
"AWS":"arn:aws:iam::111122223333:role/"
},
"Action":"s3:ListBucket",
"Resource":"arn:aws:s3:::"
},
{
"Effect":"Allow",
"Principal": {
"AWS":"arn:aws:iam::111122223333:role/"
},
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource":"arn:aws:s3:::/*"
}
]
}
```
------
1. In AWS KMS, add the role as a user of the KMS key.
1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms). Then, sign in as an administrator user or as a user who can modify the key policy of the KMS key used to encrypt the location.
1. In the navigation pane, choose **Customer managed keys**, and then choose the name of the KMS key.
1. On the KMS key details page, under the **Key policy** tab, if the JSON view of the key policy is not showing, choose **Switch to policy view**.
1. In the **Key policy** section, choose **Edit**, and add the Amazon Resource Name (ARN) of the role to the `Allow use of the key` object, as shown in the following example.
**Note**
If that object is missing, add it with the permissions shown in the example.
```
...
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:::role/"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
...
```
For more information, see [Allowing Users in Other Accounts to Use a KMS key](https://docs.amazonaws.cn/en_us/kms/latest/developerguide/key-policy-modifying-external-accounts.html) in the *AWS Key Management Service Developer Guide*.
1. Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/). Sign into the Data Catalog AWS account as the data lake administrator.
1. In the navigation pane, under **Administration**, choose **Data lake locations**.
1. Choose **Register location**.
1. On the **Register location page**, for **Amazon S3 path**, enter the location path as **s3://**/****. Replace ** with the name of the bucket and ** with the rest of the path for the location.
**Note**
You must type the path because cross-account buckets do not appear in the list when you choose **Browse**.
1. For **IAM role**, choose the role from Step 2.
1. Choose **Register location**.
# Deregistering an Amazon S3 location
You can deregister an Amazon Simple Storage Service (Amazon S3) location if you no longer want it to be managed by Lake Formation. Deregistering a location does not affect Lake Formation data location permissions that are granted on that location. You can reregister a location that you deregistered, and the data location permissions remain in effect. You can use a different role to reregister the location.
**To deregister a location (console)**
1. Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/). Sign in as the data lake administrator or as a user with the `lakeformation:RegisterResource` IAM permission.
1. In the navigation pane, under **Administration**, choose **Data lake locations**.
1. Select a location, and on the **Actions** menu, choose **Remove**.
1. When prompted for confirmation, choose **Remove**.