Access Control in AWS Glue Data Catalog (ANT376) - AWS re:Invent 2018

•

2 likes•3,286 views

In this chalk talk, we describe how resource-level authorization and resource-based authorization work in the AWS Glue Data Catalog, and how these features are integrated with other AWS data analytics services such as Amazon Athena. In addition, we cover a few cross-account access patterns, and how cross-account access in AWS Glue Data Catalog can be used to support some of these use cases.

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Access Control in AWS Glue
Data Catalog
Austin Lee
Software Engineer
AWS Glue
A N T 3 7 6

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Overview
• Fine-grained access control on Data Catalog resources (in other words,
metadata), not data
• You can use both identity-based policies as well as resource-based
policies
• You can enable cross-account access using AWS Glue resource policies
(resource-based)
• No support for tag-based authorization yet

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fine-grained access control at the resource level
• Database
• Table
• Connection
• Function

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Glue Data Catalog resource ARN
• arn:aws:glue:<region>:<account-id>:<resource-type>/<resource-path>
• Allowed resource type strings
• catalog
• database
• table
• connection
• userDefinedFunction
• Examples
• arn:aws:glue:us-east-1:12345:catalog
• arn:aws:glue:us-east-1:12345:database/aws
• arn:aws:glue:us-east-1:12345:table/aws/demo
• arn:aws:glue:us-east-1:12345:userDefinedFunction/aws/udf1
• arn:aws:glue:us-east-1:12345:connection/conn1

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Enforcement mechanisms (policies)
• Identity-based policies (AWS Identity and Access Management [IAM]
policies)
• Managed by IAM
• Attached to IAM principals, for example, IAM users, IAM roles
• Resource-based policies
• Managed by AWS Glue
• Attached to your catalog
• One policy per account/catalog, similar to Amazon Simple Storage Service (Amazon S3)
bucket policies
• Required to allow cross-account access
• You can use either one to grant access to users in the same account

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cross-account access
• Scenario – a user (“Bob”) in Account B, 12345, wants to access the
catalog in Account A, 67890; the table he is interested in is ”demo” in
database “aws”
• Bob’s IAM user ARN in Account B: arn:aws:iam::12345:user/bob
• Let’s say the catalog in Account A is in us-east-1
• The catalog ARN in Account A: arn:aws:glue:us-east-1:67890:catalog
• The database ARN in Account A: arn:aws:glue:us-east-1:67890:database/aws
• The table ARN in Account A: arn:aws:glue:us-east-1:67890:table/aws/demo

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cross-account access
• Bob needs both an IAM policy and a resource policy to get access to the
table
• IAM policy (attached to Bob’s IAM user “user/bob”)

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cross-account access
• Resource policy
• The policy editor on AWS Glue console
• PutResourcePolicy API
"Principal": {"AWS": [
"arn:aws:iam::12345:user/bob"
]}

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cross-account access in AWS Glue ETL

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cross-account access on Amazon EMR

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cross-account access on Amazon EMR
/etc/hive/conf.dist/hive-site.xml

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Glue Data Catalog Resource Policy Editor

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Hierarchical permission model
• No direct access to a child resource without explicit allow on ALL
parents
• For the GetTable action on a table resource to succeed, you need permissions on its parent
database and the catalog
• Access to a child can be blocked via an explicit deny on any of the
parents

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Organizing permissions
• By action

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Organizing permissions
• By resource
catalog
database
database
table
table

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Gotchas
• DeleteDatabase
• Database “default” in Amazon Athena
• Filtering on GetDatabases and GetTables
• Wildcards
• No fine-grained access control for partitions and table versions

Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

In this session, we show you how to understand what data you have, how to drive insights, and how to make predictions using purpose-built AWS services. Learn about the common pitfalls of building data lakes and discover how to successfully drive analytics and insights from your data. Also learn how services such as Amazon S3, AWS Glue, Amazon Redshift, Amazon Athena, Amazon EMR, Amazon Kinesis, and Amazon Machine Learning (Amazon ML) services work together to build a successful data lake for various roles, including data scientists and business users.

Amazon EMR과 SageMaker를 이용하여 데이터를 준비하고 머신러닝 모델 개발 하기

Amazon Web Services Korea

Amazon SageMaker는 머신러닝 프로젝트를 위한 통합 플랫폼입니다. SageMaker의 기능 중 Amazon SageMaker Studio는 머신러닝 통합 개발환경을 제공하여, 데이터를 준비에서부터 모델을 빌드, 교육 및 배포하는 데 필요한 모든 단계를 수행할 수 있습니다. Amazon EMR은 Apache Spark, Apache Hive 및 Presto와 같은 오픈 소스 분석 프레임워크를 사용하여 대규모 분산 데이터 처리 작업, 대화형 SQL 쿼리 및 ML 애플리케이션을 실행하기 위한 빅 데이터 플랫폼입니다. 이 세션에서는 데이터 과학자와 ML 엔지니어가 ML 워크플로우에서 분산 빅 데이터 프레임워크를 쉽게 사용할 수 있도록 상호 서비스 간의 통합에 대하여 데모를 통해 알아봅니다.

AWS re:Invent 2016: Workshop: AWS S3 Deep-Dive Hands-On Workshop: Deploying a...

Amazon Web Services

In this session, we’ll expand on the S3 re:Invent deep-dive session with a hands-on workshop on advanced S3 features and storage management capabilities. We’ll have AWS S3 and Glacier experts on-hand to deep-dive on S3 architecture, performance & scalability optimization, how to analyze your content and leverage storage tiers (S3 Standard, S3 Standard Infrequent Access, Glacier) to balance cost and SLAs, security considerations, replication with Cross Region Replication (CRR), versioning for data protection and more. In the hands-on lab, we’ll walk through a customer scenario: architecting a high-performance infrastructure for consumer applications. In the scenario, we’ll use sample data sets on S3, analyze object retrieval patterns and design a complete solution using many of the features S3 offers including migrating objects to an appropriate tier. Prerequisites: - Participants should have an AWS account established and available for use during the workshop. - Please bring your own laptop.

Introduction to Amazon Aurora

Amazon Web Services

This document provides an introduction to Amazon Aurora, AWS's managed relational database service. It discusses how Aurora was built to provide the speed and availability of commercial databases at the simplicity and cost-effectiveness of open source databases. The document outlines key Aurora features like automatic scaling, continuous backups, replication across Availability Zones, and integration with other AWS services. Customer case studies show how Aurora provides better performance at lower costs than alternative database options. The document also covers migration options and how Aurora offers a simpler, more cost-effective database solution than on-premises or self-managed options.

Azure purview

Shafqat Turza

This document provides resources for learning about the different phases and components of Azure Purview including documentation, training courses, how to create subscriptions and accounts, set up collections and scans, understand the data map and lineage, best practices, and connect data sources. It also lists some competitors to Azure Purview and provides pricing information for development/trial usage based on capacity units and hours for the data map, scanning, and resource set processing.

Best Practices for Encrypting Data on AWS

Amazon Web Services

Introduction to Amazon Athena

Amazon Web Services

by Joyjeet Banerjee, Solutions Architect, AWS Amazon Athena is a new serverless query service that makes it easy to analyze data in Amazon S3, using standard SQL. With Athena, there is no infrastructure to setup or manage, and you can start analyzing your data immediately. You don’t even need to load your data into Athena, it works directly with data stored in S3. Level 200 In this session, we will show you how easy it is to start querying your data stored in Amazon S3, with Amazon Athena. First we will use Athena to create the schema for data already in S3. Then, we will demonstrate how you can run interactive queries through the built-in query editor. We will provide best practices and use cases for Athena. Then, we will talk about supported queries, data formats, and strategies to save costs when querying data with Athena.

Aws glue를 통한 손쉬운 데이터 전처리 작업하기

Amazon Web Services Korea

AWS Glue는 고객이 분석을 위해 손쉽게 데이터를 준비하고 로드할 수 있게 지원하는 완전관리형 ETL(추출, 변환 및 로드) 서비스입니다. AWS 관리 콘솔에서 클릭 몇 번으로 ETL 작업을 생성하고 실행할 수 있습니다. 빅데이터 분석 시 다양한 데이터 소스에 대한 전처리 작업을 할 때, 별도의 데이터 처리용 서버나 인프라를 관리할 필요가 없습니다. 본 세션에서는 지난 5월 서울 리전에 출시한 Glue 서비스에 대한 자세한 소개와 함께 다양한 활용 팁을 데모와 함께 소개해 드립니다.

OpenSearch는 배포형 오픈 소스 검색과 분석 제품군으로 실시간 애플리케이션 모니터링, 로그 분석 및 웹 사이트 검색과 같이 다양한 사용 사례에 사용됩니다. OpenSearch는 데이터 탐색을 쉽게 도와주는 통합 시각화 도구 OpenSearch와 함께 뛰어난 확장성을 지닌 시스템을 제공하여 대량 데이터 볼륨에 빠르게 액세스 및 응답합니다. 이 세션에서는 실제 동작 구조에 대한 설명을 바탕으로 최적화를 하기 위한 방법과 운영상에 발생할 수 있는 이슈에 대해서 알아봅니다.

AWS Glue - let's get stuck in!

Chris Taylor

This document provides an introduction to AWS Glue. It discusses that ETL development consumes 70% of data warehouse resources on average. AWS Glue is a fully managed ETL service that automates ETL processes on a serverless Apache Spark environment. It features a data catalog, job authoring tools for Python/Spark code generation, and job execution on serverless Spark. Use cases include understanding data, querying data lakes on S3, and building event-driven ETL pipelines. The presentation demonstrates AWS Glue and reviews pricing.

Aurora MySQL Backtrack을 이용한 빠른 복구 방법 - 진교선 :: AWS Database Modernization Day 온라인

Amazon Web Services Korea

발표영상 다시보기: https://kr-resources.awscloud.com/data-databases-and-analytics/aurora-mysql-backtrack%EC%9D%84-%EC%9D%B4%EC%9A%A9%ED%95%9C-%EB%B9%A0%EB%A5%B8-%EB%B3%B5%EA%B5%AC-%EB%B0%A9%EB%B2%95-%EC%A7%84%EA%B5%90%EC%84%A0-aws-database-modernization-day-%EC%98%A8%EB%9D%BC%EC%9D%B8-2 Aurora MySQL은 기존 MySQL의 운영에 추가한 많은 기능들을 제공해 드리고 있습니다. 이 중 복구에 관련된 기능인 Aurora MySQL PITR과 Backtrack에 대한 소개를 드리고자 합니다. 두 기능을 통해 운영 중 일어날 수 있는 rollback 상황에서, 어떠한 방식으로 복구를 할 수 있는지 실습해보실 수 있습니다.

How to build a data lake with aws glue data catalog (ABD213-R) re:Invent 2017

Amazon Web Services

As data volumes grow and customers store more data on AWS, they often have valuable data that is not easily discoverable and available for analytics. The AWS Glue Data Catalog provides a central view of your data lake, making data readily available for analytics. We introduce key features of the AWS Glue Data Catalog and its use cases. Learn how crawlers can automatically discover your data, extract relevant metadata, and add it as table definitions to the AWS Glue Data Catalog. We will also explore the integration between AWS Glue Data Catalog and Amazon Athena, Amazon EMR, and Amazon Redshift Spectrum.

Building Serverless ETL Pipelines with AWS Glue

Amazon Web Services

Amazon SageMaker 모델 빌딩 파이프라인 소개::이유동, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스...

Amazon Web Services Korea

Amazon Athena Capabilities and Use Cases Overview

Amazon Web Services

Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. With Athena, users can analyze large-scale datasets and get results in seconds without having to load the data into databases or maintain any infrastructure. Athena supports querying data in formats like CSV, JSON, and columnar formats like Apache Parquet and ORC. Users pay only for the queries that they run.

Masterclass Webinar: Amazon Elastic MapReduce (EMR)

Amazon Web Services

This webinar recording will explain how to get started with Amazon Elastic MapReduce (EMR). EMR enables fast processing of large structured or unstructured datasets, and in this webinar we'll demonstrated how to setup an EMR job flow to analyse application logs, and perform Hive queries against it. We'll review best practices around data file organisation on Amazon Simple Storage Service (S3), how clusters can be started from the AWS web console and command line, and how to monitor the status of a Map/Reduce job. The security configuration that allows direct access to the Amazon EMR cluster in interactive mode will be shown, and we'll see how Hive provides a SQL like environment, while allowing you to dynamically grow and shrink the amount of compute used for powerful data processing activities. Amazon EMR YouTube Recording: http://youtu.be/gSPh6VTBEbY

Introduction to Amazon Athena

Amazon Web Services

The document describes a presentation on Amazon Athena, a serverless interactive query service that allows users to analyze data directly from Amazon S3 using standard SQL. The presentation will introduce Athena and demonstrate how it can be used to query data in S3 without having to load it into a database first. It will also discuss how Athena uses Presto and the Glue Data Catalog under the hood and show some customer use cases for log analysis, ETL workflows, and analytics reporting using Athena with other AWS services.

Local Testing and Deployment Best Practices for Serverless Applications - AWS...

Amazon Web Services

Introducing AWS Transfer for SFTP, a Fully Managed SFTP Service for Amazon S3...

Amazon Web Services

AWS DataSync is a new online data transfer service that automates movement of data between on-premises storage and Amazon S3 or Amazon Elastic File System (Amazon EFS). In this session, we will introduce the service, showing how you can use DataSync to move active on-premises data to the cloud for one-time migration, timely in-cloud analysis, and replication for data protection and recovery. We’ll demonstrate how to get started with DataSync, and you’ll hear how it is helping Cox Automotive to move their archive of millions of images to AWS.

What is AWS Glue

jeetendra mandal

AWS Glue is a serverless data integration service that allows users to discover, prepare, and transform data for analytics and machine learning. It provides a fully managed extract, transform, and load (ETL) service on AWS. AWS Glue crawls data sources, automatically extracts metadata and stores it in a centralized data catalog. It then executes ETL jobs developed by users to clean, enrich and move data between various data stores.

Building-a-Data-Lake-on-AWS

Amazon Web Services

The document discusses building a data lake on AWS. It describes various AWS services that can be used to ingest, store, transform, analyze and visualize data in the data lake. These services include Amazon S3 for storage, AWS Glue for ETL/data cataloging, AWS Lake Formation for governance, Amazon Athena/EMR for analytics and Amazon QuickSight for visualization. The document also covers data movement options from on-premises to the data lake and real-time streaming of data using services like Kinesis. Machine learning workloads can leverage Amazon SageMaker for training and deployment.

글로벌 기업들의 효과적인 데이터 분석을 위한 Data Lake 구축 및 분석 사례 - 김준형 (AWS 솔루션즈 아키텍트)

Amazon Web Services Korea

Data Lake는 오늘날 데이터 기반에 의사 결정을 하기 위한 가장 일반적인 데이터 분석 아키텍처로 떠오르고 있습니다. 잘 설계된 Data Lake는 기업이 데이터 자산으로부터 가장 많은 비지니스 가치를 창출하도록 보장합니다. 본 세션을 통해 AWS 기반의 Data Lake 아키텍처를 소개하고, 다양한 사례를 통해 AWS 고객들은 데이터 분석 플랫폼을 어떤 방식으로 설계해서 활용하고 있는지 살펴봅니다. 다시보기 링크: https://youtu.be/mE8V9oNXdrs

Deep Dive - Amazon Elastic MapReduce (EMR)

Amazon Web Services

The document provides an overview of Amazon Elastic MapReduce (EMR) including how to easily launch and manage clusters, leverage Amazon S3 for storage, optimize file formats and storage, and design patterns for batch processing, interactive querying, and server clusters. It also shares lessons learned from Swiftkey including using Parquet and Cascalog for ETL, getting serialization right, avoiding many small files in S3, using spot instances, and experimenting with instance types. The document concludes by mentioning Apache Spark on EMR for faster in-memory processing directly from S3.

AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...

Simplilearn

This presentation AWS S3 will help you understand what is cloud storage, types of storage, life before Amazon S3, what is S3 ( Amazon Simple Storage Service ), benefits of S3, objects and buckets, how does Amazon S3 work along with the explanation on features of AWS S3. Amazon S3 is a storage service for the Internet. It is a simple storage service that offers software developers a highly-scalable, reliable, and low-latency data storage infrastructure at a relatively low cost. Amazon S3 gives a simple web service interface that can be used to store and restore any amount of data. Using this, developers can build applications that make use of Internet storage with ease. Amazon S3 is designed to be highly flexible and scalable. Now, lets deep dive into this presentation and understand what Amazon S3 actually is. Below topics are explained in this AWS S3 presentation: 1. What is Cloud storage? 2. Types of storage 3. Before Amazon S3 4. What is S3 5. Benefits of S3 6. Objects and buckets 7. How does Amazon S3 work 8. Features of S3 This AWS certification training is designed to help you gain in-depth understanding of Amazon Web Services (AWS) architectural principles and services. You will learn how cloud computing is redefining the rules of IT architecture and how to design, plan, and scale AWS Cloud implementations with best practices recommended by Amazon. The AWS Cloud platform powers hundreds of thousands of businesses in 190 countries, and AWS certified solution architects take home about $126,000 per year. This AWS certification course will help you learn the key concepts, latest trends, and best practices for working with the AWS architecture – and become industry-ready aws certified solutions architect to help you qualify for a position as a high-quality AWS professional. The course begins with an overview of the AWS platform before diving into its individual elements: IAM, VPC, EC2, EBS, ELB, CDN, S3, EIP, KMS, Route 53, RDS, Glacier, Snowball, Cloudfront, Dynamo DB, Redshift, Auto Scaling, Cloudwatch, Elastic Cache, CloudTrail, and Security. Those who complete the course will be able to: 1. Formulate solution plans and provide guidance on AWS architectural best practices 2. Design and deploy scalable, highly available, and fault tolerant systems on AWS 3. Identify the lift and shift of an existing on-premises application to AWS 4. Decipher the ingress and egress of data to and from AWS 5. Select the appropriate AWS service based on data, compute, database, or security requirements 6. Estimate AWS costs and identify cost control mechanisms This AWS course is recommended for professionals who want to pursue a career in Cloud computing or develop Cloud applications with AWS. You’ll become an asset to any organization, helping leverage best practices around advanced cloud-based solutions and migrate existing workloads to the cloud. Learn more at: https://www.simplilearn.com/

Building a Data Lake on AWS

Amazon Web Services

By using a Data Lake, you no longer need to worry about structuring or transforming data before storing it. A Data Lake on AWS enables your organization to more rapidly analyze data, helping you quickly discover new business insights. Join us for our webinar to learn about the benefits of building a Data Lake on AWS and how your organization can begin reaping their rewards. In this webinar, select APN Partners will share their specific methodology for implementing a Data Lake on AWS and best practices for getting the most from your Data Lake.

AWS Lake Formation Deep Dive

Cobus Bernard

This document provides an overview of AWS Lake Formation and related services for building a secure data lake. It discusses how Lake Formation provides a centralized management layer for data ingestion, cleaning, security and access. It also describes how Lake Formation integrates with services like AWS Glue, Amazon S3 and ML transforms to simplify and automate many data lake tasks. Finally, it provides an example workflow for using Lake Formation to deduplicate data from various sources and grant secure access for analysis.

Amazon SageMaker 모델 학습 방법 소개::최영준, 솔루션즈 아키텍트 AI/ML 엑스퍼트, AWS::AWS AIML 스페셜 웨비나

Amazon Web Services Korea

Amazon SageMaker Training과 Processing에 처음 입문 하고자 하는 분을 위해 동작 방식을 설명하고, 실행할 수 있는 가이드를 제공합니다.사용자는 Amazon SageMaker 노트북을 생성한 다음, 직접 정의한 별도의 GPU 또는 고성능 CPU로 구성된 학습 클러스터에서 학습 코드를 실행하여, 효율적으로 모델 학습과 데이터 전처리, 추론 결과 후처리 또는 모델 평가 등을 할 수 있도록 합니다. 추가적으로 Amazon SageMaker Experiments를 이용하여 학습 실험에 대한 구조화와 평가 메트릭 간의 비교를 체계적으로 관리하는 방법을 소개합니다.

data platform on kubernetes

창언 정

How to Build HR Lakes on AWS to Unlock New Business Insights (DAT367) - AWS r...

Amazon Web Services

In this session, learn how to create an HR data lake on AWS to develop a more wholistic view of people data to enable secure, self-service reporting for HR business partners and managers, and to use more advanced data science tools to unlock new insights to reduce retention, enhance hiring practices, and improve employee productivity. We provide examples of HR insights and the business value they can drive, walk through a reference architecture example for an HR data lake, and outline key steps and best practices as you design and launch your HR data lake project. AWS services addressed in this session include AWS Lambda, Amazon S3, AWS Glue, and Amazon Athena.

Workshop: Architecting a Serverless Data Lake

Amazon Web Services

In this workshop, learn how to create a serverless data lake architecture. Understand how to ingest data at scale from multiple data sources, how to transform the data, and how to catalog it to make it available for querying using a variety of tools. Also learn how to set up governance and data quality controls. Speakers: Rajanikanth Bhargava Chilakapati - Solutions Architect, AWS Karl Hart - Solutions Architect, AWS John Pignata - Startup Solutions Architect, AWS

What's hot

Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링

Amazon Web Services Korea

AWS Glue - let's get stuck in!

Chris Taylor

Aurora MySQL Backtrack을 이용한 빠른 복구 방법 - 진교선 :: AWS Database Modernization Day 온라인

Amazon Web Services Korea

How to build a data lake with aws glue data catalog (ABD213-R) re:Invent 2017

Amazon Web Services

Building Serverless ETL Pipelines with AWS Glue

Amazon Web Services

Amazon SageMaker 모델 빌딩 파이프라인 소개::이유동, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스...

Amazon Web Services Korea

Amazon Athena Capabilities and Use Cases Overview

Amazon Web Services

Masterclass Webinar: Amazon Elastic MapReduce (EMR)

Amazon Web Services

Introduction to Amazon Athena

Amazon Web Services

Local Testing and Deployment Best Practices for Serverless Applications - AWS...

Amazon Web Services

Introducing AWS Transfer for SFTP, a Fully Managed SFTP Service for Amazon S3...

Amazon Web Services

What is AWS Glue

jeetendra mandal

Building-a-Data-Lake-on-AWS

Amazon Web Services

글로벌 기업들의 효과적인 데이터 분석을 위한 Data Lake 구축 및 분석 사례 - 김준형 (AWS 솔루션즈 아키텍트)

Amazon Web Services Korea

Deep Dive - Amazon Elastic MapReduce (EMR)

Amazon Web Services

AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...

Simplilearn

Building a Data Lake on AWS

Amazon Web Services

AWS Lake Formation Deep Dive

Cobus Bernard

Amazon SageMaker 모델 학습 방법 소개::최영준, 솔루션즈 아키텍트 AI/ML 엑스퍼트, AWS::AWS AIML 스페셜 웨비나

Amazon Web Services Korea

data platform on kubernetes

창언 정

What's hot (20)

Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링

AWS Glue - let's get stuck in!

Aurora MySQL Backtrack을 이용한 빠른 복구 방법 - 진교선 :: AWS Database Modernization Day 온라인

How to build a data lake with aws glue data catalog (ABD213-R) re:Invent 2017

Building Serverless ETL Pipelines with AWS Glue

Amazon SageMaker 모델 빌딩 파이프라인 소개::이유동, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스...

Amazon Athena Capabilities and Use Cases Overview

Masterclass Webinar: Amazon Elastic MapReduce (EMR)

Introduction to Amazon Athena

Local Testing and Deployment Best Practices for Serverless Applications - AWS...

Introducing AWS Transfer for SFTP, a Fully Managed SFTP Service for Amazon S3...

What is AWS Glue

Building-a-Data-Lake-on-AWS

글로벌 기업들의 효과적인 데이터 분석을 위한 Data Lake 구축 및 분석 사례 - 김준형 (AWS 솔루션즈 아키텍트)

Deep Dive - Amazon Elastic MapReduce (EMR)

AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...

Building a Data Lake on AWS

AWS Lake Formation Deep Dive

Amazon SageMaker 모델 학습 방법 소개::최영준, 솔루션즈 아키텍트 AI/ML 엑스퍼트, AWS::AWS AIML 스페셜 웨비나

data platform on kubernetes

Similar to Access Control in AWS Glue Data Catalog (ANT376) - AWS re:Invent 2018

How to Build HR Lakes on AWS to Unlock New Business Insights (DAT367) - AWS r...

Amazon Web Services

Workshop: Architecting a Serverless Data Lake

Amazon Web Services

How to Become an IAM Policy Ninja

Amazon Web Services

As organisations’ cloud environments continue to scale and grow, how do you ensure that access to resources are being managed securely? How do you scope permissions to achieve least-privilege access control across your AWS environment? This webinar answers these questions, delving into the AWS Identity and Access Management (IAM) web service and looking at how it can help you securely control access to AWS resources.

Aws summit strikingly analytics

Chase Zhang

This document discusses Strikingly Analytics, an analytics platform built using Amazon Web Services (AWS) technologies like Apache Kylin, Elastic MapReduce, and DynamoDB. It collects and analyzes clickstream data from Strikingly's website. Key points discussed include how it uses Kylin to enable SQL queries on large datasets, runs ETL processes on AWS, and scales elastically using services like ECS, ALB, and Auto-Scaling. The system provides interactive queries with sub-4 millisecond latency while maintaining high availability and scalability.

Amazon Athena: What's New and How SendGrid Innovates (ANT324) - AWS re:Invent...

Amazon Web Services

Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run. In this session, we live demo exciting new capabilities the team have been heads down building. SendGrid, a leader in trusted email delivery, discusses how they used Athena to reinvent a popular feature of their platform.

Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:...

Amazon Web Services

Overview of Redis with Search and Graph (DAT334) - AWS re:Invent 2018

Amazon Web Services

Deep dive - AWS security by design

Richard Harvey

The document discusses AWS security best practices, including implementing a strong identity foundation with IAM, enabling traceability with logging and monitoring tools, applying security at all layers with a defense-in-depth approach, automating security best practices through templates and CI/CD pipelines, protecting data through encryption, and preparing for security events with incident response planning.

Understanding the Critical Building Blocks of AWS Identity and Governance

Amazon Web Services

by Jeff Levine, Sr. Solutions Architect AWS Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management, our popular Threat Detection and Remediation day Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.

Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018

Amazon Web Services

As customers are looking to build Data lakes to AWS, managing security, catalog and data quality becomes a challenge. Once data is put on Amazon S3, there are multiple processing engines to access it. This could be either through a SQL interface, programmatic, or using API. Customers require federated access to their data with strong controls around Authentication, Authorization, Encryption, and Audit. In this session, we explore the major AWS analytics services and platforms that customers can use to access data in the data Lake and provide best practices on securing them.

Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...

Amazon Web Services

by Fritz Kunstler, Sr. AWS Security Consultant, AWS In AWS, identity comes first. Before you can provision buckets, instances, VPCs, or any other infrastructure, you have to have an identity to authenticate and authorize those API calls. In this session, we'll rapidly immerse you in the fundamental primitives, mental models, and implementation patterns of the core AWS identity services such as AWS Identity & Access Management and AWS Organizations. With this knowledge in hand you'll be able to confidently construct a solid identity foundation for your workloads to sit atop. Level 200

Serverless Architectural Patterns

Amazon Web Services

The document discusses serverless architectures and patterns. It covers using AWS Lambda along with other AWS services for building serverless web applications, data lakes, and stream processing systems. Specific examples and best practices are provided for implementing common serverless patterns and use cases like building a serverless web app frontend with API Gateway and DynamoDB, implementing a serverless data lake using S3 and Athena for analytics, and ingesting and processing streaming data with Kinesis and Lambda.

Deep Dive on Amazon S3 Security and Management (E2471STG303-R1) - AWS re:Inve...

Amazon Web Services

Deep dive into AWS IAM

Amazon Web Services

Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft

Amazon Web Services

This document discusses identity and access management for serverless applications. It provides an overview of AWS Identity and Access Management (IAM) including IAM users, groups, roles, and policies. It also discusses Amazon Cognito for user management and the WildRydes serverless application workshop which involves restricting access to an S3 bucket and setting up user authentication with Cognito user pools.

Serverless Architectural Patterns: Collision 2018

Amazon Web Services

Foundations: Understanding the Critical Building Blocks of AWS Identity and G...

Amazon Web Services

by Jeff Levine, Security Specialist, Solutions Architect, AWS In AWS, identity comes first. Before you can provision buckets, instances, VPCs, or any other infrastructure, you have to have an identity to authenticate and authorize those API calls. In this session, we'll rapidly immerse you in the fundamental primitives, mental models, and implementation patterns of the core AWS identity services such as AWS Identity & Access Management and AWS Organizations. With this knowledge in hand you'll be able to confidently construct a solid identity foundation for your workloads to sit atop.

AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...

Amazon Web Services

In this session, learn how to use AWS Secrets Manager to simplify secrets management and empower your developers to move quickly while raising the security bar in your organization. Also, learn how you can use these changes to more easily meet your compliance requirements. Finally, learn how the service enables you to control access to secrets using fine-grained permissions and centrally audit secret rotation for resources in the AWS Cloud, third-party services, and on-premises.

Using Search with a Database - Peter Dachnowicz

Amazon Web Services

The document discusses Amazon Elasticsearch Service, which is a fully managed service for deploying and operating Elasticsearch clusters. Key points include: - It allows deploying a production-ready Elasticsearch cluster within minutes and easily scaling the cluster. - Data is securely stored within a user's VPC and access can be restricted using IAM policies and security groups. - The service is tightly integrated with other AWS services to allow for seamless data ingestion, security, monitoring, and orchestration.

Adding Search to DynamoDB: Database Week San Francisco

Amazon Web Services

Database Week at the San Francisco Loft: Adding Search to DynamoDB Redis is an open source, in-memory data store that delivers sub-millisecond response times enabling millions of requests per second to power real-time applications. It can be used as a fast database, cache, message broker, and queue. Amazon ElastiCache delivers the ease-of-use and power of Redis along with the availability, reliability, scalability, security, and performance suitable for the most demanding applications. We’ll take a close look at Redis and how to use it to power different use cases. Speaker: Abhinav Singh - DMS/SCT Support Engineer, AWS

Similar to Access Control in AWS Glue Data Catalog (ANT376) - AWS re:Invent 2018 (20)

How to Build HR Lakes on AWS to Unlock New Business Insights (DAT367) - AWS r...

Workshop: Architecting a Serverless Data Lake

How to Become an IAM Policy Ninja

Aws summit strikingly analytics

Amazon Athena: What's New and How SendGrid Innovates (ANT324) - AWS re:Invent...

Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:...

Overview of Redis with Search and Graph (DAT334) - AWS re:Invent 2018

Deep dive - AWS security by design

Understanding the Critical Building Blocks of AWS Identity and Governance

Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018

Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...

Serverless Architectural Patterns

Deep Dive on Amazon S3 Security and Management (E2471STG303-R1) - AWS re:Inve...

Deep dive into AWS IAM

Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft

Serverless Architectural Patterns: Collision 2018

Foundations: Understanding the Critical Building Blocks of AWS Identity and G...

AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...

Using Search with a Database - Peter Dachnowicz

Adding Search to DynamoDB: Database Week San Francisco

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...

Amazon Web Services

Il Forecasting è un processo importante per tantissime aziende e viene utilizzato in vari ambiti per cercare di prevedere in modo accurato la crescita e distribuzione di un prodotto, l’utilizzo delle risorse necessarie nelle linee produttive, presentazioni finanziarie e tanto altro. Amazon utilizza delle tecniche avanzate di forecasting, in parte questi servizi sono stati messi a disposizione di tutti i clienti AWS. In questa sessione illustreremo come pre-processare i dati che contengono una componente temporale e successivamente utilizzare un algoritmo che a partire dal tipo di dato analizzato produce un forecasting accurato.

Big Data per le Startup: come creare applicazioni Big Data in modalità Server...

Amazon Web Services

La varietà e la quantità di dati che si crea ogni giorno accelera sempre più velocemente e rappresenta una opportunità irripetibile per innovare e creare nuove startup. Tuttavia gestire grandi quantità di dati può apparire complesso: creare cluster Big Data su larga scala sembra essere un investimento accessibile solo ad aziende consolidate. Ma l’elasticità del Cloud e, in particolare, i servizi Serverless ci permettono di rompere questi limiti. Vediamo quindi come è possibile sviluppare applicazioni Big Data rapidamente, senza preoccuparci dell’infrastruttura, ma dedicando tutte le risorse allo sviluppo delle nostre le nostre idee per creare prodotti innovativi.

Esegui pod serverless con Amazon EKS e AWS Fargate

Amazon Web Services

Ora puoi utilizzare Amazon Elastic Kubernetes Service (EKS) per eseguire pod Kubernetes su AWS Fargate, il motore di elaborazione serverless creato per container su AWS. Questo rende più semplice che mai costruire ed eseguire le tue applicazioni Kubernetes nel cloud AWS.In questa sessione presenteremo le caratteristiche principali del servizio e come distribuire la tua applicazione in pochi passaggi

Costruire Applicazioni Moderne con AWS

Amazon Web Services

Vent'anni fa Amazon ha attraversato una trasformazione radicale con l'obiettivo di aumentare il ritmo dell'innovazione. In questo periodo abbiamo imparato come cambiare il nostro approccio allo sviluppo delle applicazioni ci ha permesso di aumentare notevolmente l'agilità, la velocità di rilascio e, in definitiva, ci ha consentito di creare applicazioni più affidabili e scalabili. In questa sessione illustreremo come definiamo le applicazioni moderne e come la creazione di app moderne influisce non solo sull'architettura dell'applicazione, ma sulla struttura organizzativa, sulle pipeline di rilascio dello sviluppo e persino sul modello operativo. Descriveremo anche approcci comuni alla modernizzazione, compreso l'approccio utilizzato dalla stessa Amazon.com.

Come spendere fino al 90% in meno con i container e le istanze spot

Amazon Web Services

L’utilizzo dei container è in continua crescita. Se correttamente disegnate, le applicazioni basate su Container sono molto spesso stateless e flessibili. I servizi AWS ECS, EKS e Kubernetes su EC2 possono sfruttare le istanze Spot, portando ad un risparmio medio del 70% rispetto alle istanze On Demand. In questa sessione scopriremo insieme quali sono le caratteristiche delle istanze Spot e come possono essere utilizzate facilmente su AWS. Impareremo inoltre come Spreaker sfrutta le istanze spot per eseguire applicazioni di diverso tipo, in produzione, ad una frazione del costo on-demand!

Open banking as a service

Amazon Web Services

In recent months, many customers have been asking us the question – how to monetise Open APIs, simplify Fintech integrations and accelerate adoption of various Open Banking business models. Therefore, AWS and FinConecta would like to invite you to Open Finance marketplace presentation on October 20th. Event Agenda : Open banking so far (short recap) • PSD2, OB UK, OB Australia, OB LATAM, OB Israel Intro to Open Finance marketplace • Scope • Features • Tech overview and Demo The role of the Cloud The Future of APIs • Complying with regulation • Monetizing data / APIs • Business models • Time to market One platform for all: a Strategic approach Q&A

Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...

Amazon Web Services

Per creare valore e costruire una propria offerta differenziante e riconoscibile, le startup di successo sanno come combinare tecnologie consolidate con componenti innovativi creati ad hoc. AWS fornisce servizi pronti all'utilizzo e, allo stesso tempo, permette di personalizzare e creare gli elementi differenzianti della propria offerta. Concentrandoci sulle tecnologie di Machine Learning, vedremo come selezionare i servizi di intelligenza artificiale offerti da AWS e, anche attraverso una demo, come costruire modelli di Machine Learning personalizzati utilizzando SageMaker Studio.

OpsWorks Configuration Management: automatizza la gestione e i deployment del...

Amazon Web Services

Con l'approccio tradizionale al mondo IT per molti anni è stato difficile implementare tecniche di DevOps, che finora spesso hanno previsto attività manuali portando di tanto in tanto a dei downtime degli applicativi interrompendo l'operatività dell'utente. Con l'avvento del cloud, le tecniche di DevOps sono ormai a portata di tutti a basso costo per qualsiasi genere di workload, garantendo maggiore affidabilità del sistema e risultando in dei significativi miglioramenti della business continuity. AWS mette a disposizione AWS OpsWork come strumento di Configuration Management che mira ad automatizzare e semplificare la gestione e i deployment delle istanze EC2 per mezzo di workload Chef e Puppet. Scopri come sfruttare AWS OpsWork a garanzia e affidabilità del tuo applicativo installato su Instanze EC2.

Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads

Amazon Web Services

Vuoi conoscere le opzioni per eseguire Microsoft Active Directory su AWS? Quando si spostano carichi di lavoro Microsoft in AWS, è importante considerare come distribuire Microsoft Active Directory per supportare la gestione, l'autenticazione e l'autorizzazione dei criteri di gruppo. In questa sessione, discuteremo le opzioni per la distribuzione di Microsoft Active Directory su AWS, incluso AWS Directory Service per Microsoft Active Directory e la distribuzione di Active Directory su Windows su Amazon Elastic Compute Cloud (Amazon EC2). Trattiamo argomenti quali l'integrazione del tuo ambiente Microsoft Active Directory locale nel cloud e l'utilizzo di applicazioni SaaS, come Office 365, con AWS Single Sign-On.

Computer Vision con AWS

Amazon Web Services

Database Oracle e VMware Cloud on AWS i miti da sfatare

Amazon Web Services

Amazon Web Services e VMware organizzano un evento virtuale gratuito il prossimo mercoledì 14 Ottobre dalle 12:00 alle 13:00 dedicato a VMware Cloud ™ on AWS, il servizio on demand che consente di eseguire applicazioni in ambienti cloud basati su VMware vSphere® e di accedere ad una vasta gamma di servizi AWS, sfruttando a pieno le potenzialità del cloud AWS e tutelando gli investimenti VMware esistenti. Molte organizzazioni sfruttano i vantaggi del cloud migrando i propri carichi di lavoro Oracle e assicurandosi notevoli vantaggi in termini di agilità ed efficienza dei costi. La migrazione di questi carichi di lavoro, può creare complessità durante la modernizzazione e il refactoring delle applicazioni e a questo si possono aggiungere rischi di prestazione che possono essere introdotti quando si spostano le applicazioni dai data center locali.

Crea la tua prima serverless ledger-based app con QLDB e NodeJS

Amazon Web Services

Molte aziende oggi, costruiscono applicazioni con funzionalità di tipo ledger ad esempio per verificare lo storico di accrediti o addebiti nelle transazioni bancarie o ancora per tenere traccia del flusso supply chain dei propri prodotti. Alla base di queste soluzioni ci sono i database ledger che permettono di avere un log delle transazioni trasparente, immutabile e crittograficamente verificabile, ma sono strumenti complessi e onerosi da gestire. Amazon QLDB elimina la necessità di costruire sistemi personalizzati e complessi fornendo un database ledger serverless completamente gestito. In questa sessione scopriremo come realizzare un'applicazione serverless completa che utilizzi le funzionalità di QLDB.

API moderne real-time per applicazioni mobili e web

Amazon Web Services

Con l’ascesa delle architetture di microservizi e delle ricche applicazioni mobili e Web, le API sono più importanti che mai per offrire agli utenti finali una user experience eccezionale. In questa sessione impareremo come affrontare le moderne sfide di progettazione delle API con GraphQL, un linguaggio di query API open source utilizzato da Facebook, Amazon e altro e come utilizzare AWS AppSync, un servizio GraphQL serverless gestito su AWS. Approfondiremo diversi scenari, comprendendo come AppSync può aiutare a risolvere questi casi d’uso creando API moderne con funzionalità di aggiornamento dati in tempo reale e offline. Inoltre, impareremo come Sky Italia utilizza AWS AppSync per fornire aggiornamenti sportivi in tempo reale agli utenti del proprio portale web.

Database Oracle e VMware Cloud™ on AWS: i miti da sfatare

Amazon Web Services

Molte organizzazioni sfruttano i vantaggi del cloud migrando i propri carichi di lavoro Oracle e assicurandosi notevoli vantaggi in termini di agilità ed efficienza dei costi. La migrazione di questi carichi di lavoro, può creare complessità durante la modernizzazione e il refactoring delle applicazioni e a questo si possono aggiungere rischi di prestazione che possono essere introdotti quando si spostano le applicazioni dai data center locali. In queste slide, gli esperti AWS e VMware presentano semplici e pratici accorgimenti per facilitare e semplificare la migrazione dei carichi di lavoro Oracle accelerando la trasformazione verso il cloud, approfondiranno l’architettura e dimostreranno come sfruttare a pieno le potenzialità di VMware Cloud ™ on AWS.

Tools for building your MVP on AWS

Amazon Web Services

1) The document discusses building a minimum viable product (MVP) using Amazon Web Services (AWS). 2) It provides an example of an MVP for an omni-channel messenger platform that was built from 2017 to connect ecommerce stores to customers via web chat, Facebook Messenger, WhatsApp, and other channels. 3) The founder discusses how they started with an MVP in 2017 with 200 ecommerce stores in Hong Kong and Taiwan, and have since expanded to over 5000 clients across Southeast Asia using AWS for scaling.

How to Build a Winning Pitch Deck

Amazon Web Services

This document discusses pitch decks and fundraising materials. It explains that venture capitalists will typically spend only 3 minutes and 44 seconds reviewing a pitch deck. Therefore, the deck needs to tell a compelling story to grab their attention. It also provides tips on tailoring different types of decks for different purposes, such as creating a concise 1-2 page teaser, a presentation deck for pitching in-person, and a more detailed read-only or fundraising deck. The document stresses the importance of including key information like the problem, solution, product, traction, market size, plans, team, and ask.

Building a web application without servers

Amazon Web Services

This document discusses building serverless web applications using AWS services like API Gateway, Lambda, DynamoDB, S3 and Amplify. It provides an overview of each service and how they can work together to create a scalable, secure and cost-effective serverless application stack without having to manage servers or infrastructure. Key services covered include API Gateway for hosting APIs, Lambda for backend logic, DynamoDB for database needs, S3 for static content, and Amplify for frontend hosting and continuous deployment.

Fundraising Essentials

Amazon Web Services

This document provides tips for fundraising from startup founders Roland Yau and Sze Lok Chan. It discusses generating competition to create urgency for investors, fundraising in parallel rather than sequentially, having a clear fundraising narrative focused on what you do and why it's compelling, and prioritizing relationships with people over firms. It also notes how the pandemic has changed fundraising, with examples of deals done virtually during this time. The tips emphasize being fully prepared before fundraising and cultivating connections with investors in advance.

AWS_HK_StartupDay_Building Interactive websites while automating for efficien...

Amazon Web Services

This document discusses Amazon's machine learning services for building conversational interfaces and extracting insights from unstructured text and audio. It describes Amazon Lex for creating chatbots, Amazon Comprehend for natural language processing tasks like entity extraction and sentiment analysis, and how they can be used together for applications like intelligent call centers and content analysis. Pre-trained APIs simplify adding machine learning to apps without requiring ML expertise.

Introduzione a Amazon Elastic Container Service

Amazon Web Services

Amazon Elastic Container Service (Amazon ECS) è un servizio di gestione dei container altamente scalabile, che semplifica la gestione dei contenitori Docker attraverso un layer di orchestrazione per il controllo del deployment e del relativo lifecycle. In questa sessione presenteremo le principali caratteristiche del servizio, le architetture di riferimento per i differenti carichi di lavoro e i semplici passi necessari per poter velocemente migrare uno o più dei tuo container.

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...

Big Data per le Startup: come creare applicazioni Big Data in modalità Server...

Esegui pod serverless con Amazon EKS e AWS Fargate

Costruire Applicazioni Moderne con AWS

Come spendere fino al 90% in meno con i container e le istanze spot

Open banking as a service

Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...

OpsWorks Configuration Management: automatizza la gestione e i deployment del...

Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads

Computer Vision con AWS

Database Oracle e VMware Cloud on AWS i miti da sfatare

Crea la tua prima serverless ledger-based app con QLDB e NodeJS

API moderne real-time per applicazioni mobili e web

Database Oracle e VMware Cloud™ on AWS: i miti da sfatare

Tools for building your MVP on AWS

How to Build a Winning Pitch Deck

Building a web application without servers

Fundraising Essentials

AWS_HK_StartupDay_Building Interactive websites while automating for efficien...

Introduzione a Amazon Elastic Container Service

Access Control in AWS Glue Data Catalog (ANT376) - AWS re:Invent 2018

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Overview • Fine-grained access control on Data Catalog resources (in other words, metadata), not data • You can use both identity-based policies as well as resource-based policies • You can enable cross-account access using AWS Glue resource policies (resource-based) • No support for tag-based authorization yet

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Glue Data Catalog resource ARN • arn:aws:glue:<region>:<account-id>:<resource-type>/<resource-path> • Allowed resource type strings • catalog • database • table • connection • userDefinedFunction • Examples • arn:aws:glue:us-east-1:12345:catalog • arn:aws:glue:us-east-1:12345:database/aws • arn:aws:glue:us-east-1:12345:table/aws/demo • arn:aws:glue:us-east-1:12345:userDefinedFunction/aws/udf1 • arn:aws:glue:us-east-1:12345:connection/conn1

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Enforcement mechanisms (policies) • Identity-based policies (AWS Identity and Access Management [IAM] policies) • Managed by IAM • Attached to IAM principals, for example, IAM users, IAM roles • Resource-based policies • Managed by AWS Glue • Attached to your catalog • One policy per account/catalog, similar to Amazon Simple Storage Service (Amazon S3) bucket policies • Required to allow cross-account access • You can use either one to grant access to users in the same account

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Cross-account access • Scenario – a user (“Bob”) in Account B, 12345, wants to access the catalog in Account A, 67890; the table he is interested in is ”demo” in database “aws” • Bob’s IAM user ARN in Account B: arn:aws:iam::12345:user/bob • Let’s say the catalog in Account A is in us-east-1 • The catalog ARN in Account A: arn:aws:glue:us-east-1:67890:catalog • The database ARN in Account A: arn:aws:glue:us-east-1:67890:database/aws • The table ARN in Account A: arn:aws:glue:us-east-1:67890:table/aws/demo

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Cross-account access • Bob needs both an IAM policy and a resource policy to get access to the table • IAM policy (attached to Bob’s IAM user “user/bob”)

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Cross-account access • Resource policy • The policy editor on AWS Glue console • PutResourcePolicy API "Principal": {"AWS": [ "arn:aws:iam::12345:user/bob" ]}

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Hierarchical permission model • No direct access to a child resource without explicit allow on ALL parents • For the GetTable action on a table resource to succeed, you need permissions on its parent database and the catalog • Access to a child can be blocked via an explicit deny on any of the parents

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Gotchas • DeleteDatabase • Database “default” in Amazon Athena • Filtering on GetDatabases and GetTables • Wildcards • No fine-grained access control for partitions and table versions

Access Control in AWS Glue Data Catalog (ANT376) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Access Control in AWS Glue Data Catalog (ANT376) - AWS re:Invent 2018

Similar to Access Control in AWS Glue Data Catalog (ANT376) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Access Control in AWS Glue Data Catalog (ANT376) - AWS re:Invent 2018