Table: aws_lakeformation_resource - Query AWS Lake Formation Resources Using SQL
The aws_lakeformation_resource table allows you to query AWS Lake Formation registered resources, including details about the Amazon S3 locations registered with Lake Formation, the IAM role used for registration, and whether hybrid access is enabled. This table helps data governance teams and security administrators monitor and manage data lake access control effectively.
Table Usage Guide
The aws_lakeformation_resource table provides insights into registered Lake Formation resources, enabling users to identify registered S3 locations managed by Lake Formation and determine which IAM role was used for resource registration. It also allows users to check if hybrid access is enabled, which permits both Lake Formation permissions and S3 bucket policies to manage access. Additionally, this table helps track when a resource was last modified and filter resources based on attributes such as AWS account, region, and partition, making it a valuable tool for data governance and access control.
Examples
List all registered AWS Lake Formation resources
Retrieve a list of all resources registered in AWS Lake Formation, along with their associated IAM roles and modification timestamps.
select
  resource_arn,
  role_arn,
  last_modified
from
  aws_lakeformation_resource;
Find resources with hybrid access enabled
Identify resources where both Lake Formation and S3 bucket policies manage access.
select
  resource_arn,
  role_arn,
  hybrid_access_enabled
from
  aws_lakeformation_resource
where
  hybrid_access_enabled = true;
Get resources registered with a specific IAM role
Find all resources registered by a specific IAM role in AWS Lake Formation.
select
  resource_arn,
  role_arn
from
  aws_lakeformation_resource
where
  role_arn = 'arn:aws:iam::123456789012:role/MyLakeFormationRole';
Check for federated Lake Formation resources
List all resources that are federated, meaning they are accessible across AWS accounts.
select
  resource_arn,
  role_arn,
  with_federation
from
  aws_lakeformation_resource
where
  with_federation = true;
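Summarize registered locations per registration role
This query is an added example, not part of the original Steampipe documentation. It rolls the checks above into one governance view per registration role, using only columns from this table's schema. It assumes the owning account of the role can be read from the fifth colon-separated field of role_arn.

```sql
-- Added example: one row per (role, account, region) with exposure counters.
select
  role_arn,
  -- IAM ARNs have the form arn:partition:iam::account-id:role/name,
  -- so field 5 is the account that owns the registration role.
  split_part(role_arn, ':', 5) as role_account_id,
  account_id,
  region,
  count(*) as registered_locations,
  -- Locations where S3 bucket policies also govern access.
  count(*) filter (where hybrid_access_enabled) as hybrid_access_locations,
  count(*) filter (where with_federation) as federated_locations,
  max(last_modified) as most_recent_change,
  -- True when the role lives in a different account than the resource.
  split_part(role_arn, ':', 5) <> account_id as role_in_other_account
from
  aws_lakeformation_resource
group by
  role_arn,
  account_id,
  region
order by
  hybrid_access_locations desc,
  registered_locations desc;
```

Rows with a high hybrid_access_locations count or with role_in_other_account set to true are the ones to review first.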
Schema for aws_lakeformation_resource
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
hybrid_access_enabled | boolean | | Indicates whether the data access of tables pointing to the location can be managed by both Lake Formation permissions as well as Amazon S3 bucket policies. |
last_modified | timestamp with time zone | | The date and time the resource was last modified. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | | The AWS Region in which the resource is located. |
resource_arn | text | = | The Amazon Resource Name (ARN) of the resource. |
role_arn | text | | The IAM role that registered a resource. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
title | text | | Title of the resource. |
with_federation | boolean | | Whether or not the resource is a federated resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_lakeformation_resource