This week covered four pillars of data security and governance — access control, encryption, sensitive-data protection, governance. Today we weave them into one end-to-end scenario.
- IAM: Broad permissions. Logic: explicit Deny > Allow > implicit deny. Least privilege.
- Lake Formation: Catalog-level fine-grained. Data access requires both IAM + LF perms.
- Granularity: Column GRANT / row data filter / cell (combo).
- TBAC (LF-Tags): Large-scale permissions as tag expressions.
- Cross-account: Align trust policy + permission policy + (if encrypted) KMS key policy.
💡 Related Theory: IAM = "can call API?", Lake Formation = "can see this data?" AND relationship.