The requirement is to provide granular, scalable access to thousands of tables and columns in a data lake across many users and departments, with the least operational overhead.
AWS Lake Formation supports tag-based access control (LF-TBAC) using LF-tags (Lake Formation tags), which you assign to databases, tables, and columns. Permissions are then granted to a principal on an LF-tag expression (for example, department=finance AND sensitivity=public) rather than on individual resources, and every resource whose tags match the expression is covered. Tags assigned to a database are inherited by its tables and columns, and a lower-level assignment overrides the inherited value for that key. This scales well as the number of tables and columns grows: by mapping each department to an IAM role and granting that role access through LF-tag expressions, the operational burden of onboarding new tables or columns drops to assigning (or simply inheriting) the right tags, with no new permission statements per resource. One practitioner caveat: the fine-grained permissions are enforced only once Lake Formation is the source of authorization for the catalog, that is, after the default IAMAllowedPrincipals grants have been removed from the resources in question.
Amazon Athena queries the data in place in S3, and Lake Formation enforces the table- and column-level permissions at query time, so the tag-based grants apply to every Athena query without per-table configuration in Athena.
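The following is an added example, not code from AWS or from the study guide. It models LF-TBAC offline: how an LF-tag expression is evaluated against a resource (AND across tag keys, OR across the values of one key), how tags assigned to a database are inherited by tables and columns and overridden at a lower level, and the shape of the boto3 `lakeformation.grant_permissions()` request that expresses such a grant (the call is not made). The role ARNs, database, table and column names, and tag keys and values are constructed for illustration.

```python
"""Offline model of Lake Formation LF-tag based access control (LF-TBAC)."""
from dataclasses import dataclass, field


@dataclass
class Resource:
    """A database, table or column with the LF-tags explicitly assigned to it.
    Lake Formation allows one value per tag key on a resource."""
    name: str
    tags: dict = field(default_factory=dict)      # tag key -> assigned value
    children: dict = field(default_factory=dict)  # tables of a database, columns of a table


def effective_tags(path):
    """Resolve the tags that apply at the end of a database -> table -> column
    path: each level inherits from its parent and overrides any key it assigns."""
    tags = {}
    for res in path:
        tags.update(res.tags)
    return tags


def expression_matches(expression, tags):
    """An LF-tag expression is AND across keys and OR across the values of one
    key: every key in the expression must be present with one of its values."""
    return all(tags.get(key) in values for key, values in expression.items())


@dataclass
class TagGrant:
    """A permission granted on an LF-tag expression rather than a named resource."""
    principal: str
    resource_type: str            # 'DATABASE' or 'TABLE'
    expression: dict              # tag key -> list of acceptable values
    permissions: tuple = ('SELECT',)


def to_grant_permissions_request(grant):
    """Keyword arguments for boto3 lakeformation.grant_permissions() that
    express this grant (the call itself is not made here)."""
    return {
        'Principal': {'DataLakePrincipalIdentifier': grant.principal},
        'Resource': {'LFTagPolicy': {
            'ResourceType': grant.resource_type,
            'Expression': [{'TagKey': k, 'TagValues': list(v)}
                           for k, v in grant.expression.items()],
        }},
        'Permissions': list(grant.permissions),
    }


def readable_columns(grants, principal, database, table):
    """Columns of `table` that `principal` may SELECT, or None when no
    TABLE-level grant matches the table. A column is included only if its
    effective tags also satisfy a matching grant, which is how a column tagged
    sensitivity=pii is hidden from a principal granted sensitivity=public."""
    table_tags = effective_tags([database, table])
    matching = [g for g in grants
                if g.principal == principal and g.resource_type == 'TABLE'
                and 'SELECT' in g.permissions
                and expression_matches(g.expression, table_tags)]
    if not matching:
        return None
    visible = []
    for column in table.children.values():
        column_tags = effective_tags([database, table, column])
        if any(expression_matches(g.expression, column_tags) for g in matching):
            visible.append(column.name)
    return visible


# Constructed principals and grants: one role per department, one grant each.
FINANCE_ROLE = 'arn:aws:iam::123456789012:role/FinanceAnalyst'
HR_ROLE = 'arn:aws:iam::123456789012:role/HrAnalyst'
GRANTS = [
    TagGrant(FINANCE_ROLE, 'TABLE', {'department': ['finance'], 'sensitivity': ['public']}),
    TagGrant(HR_ROLE, 'TABLE', {'department': ['hr'], 'sensitivity': ['public', 'pii']}),
]


def sample_lake():
    """Constructed catalog: tags are assigned at database level and inherited."""
    sales = Resource('sales', {'department': 'finance', 'sensitivity': 'public'})
    sales.children['orders'] = Resource('orders', children={
        'order_id': Resource('order_id'),
        'amount': Resource('amount'),
        # Explicit column tag overrides the inherited sensitivity=public.
        'card_number': Resource('card_number', {'sensitivity': 'pii'}),
    })
    # A table added later with no explicit tags inherits the database tags, so
    # the existing grant already covers it: no new permission statement needed.
    sales.children['refunds'] = Resource('refunds', children={
        'refund_id': Resource('refund_id'), 'amount': Resource('amount')})
    hr = Resource('hr', {'department': 'hr', 'sensitivity': 'pii'})
    hr.children['employees'] = Resource('employees', children={
        'employee_id': Resource('employee_id'), 'salary': Resource('salary')})
    return {'sales': sales, 'hr': hr}


if __name__ == '__main__':
    lake = sample_lake()
    for role in (FINANCE_ROLE, HR_ROLE):
        for db in lake.values():
            for table in db.children.values():
                cols = readable_columns(GRANTS, role, db, table)
                print(f"{role.rsplit('/', 1)[1]:15} {db.name}.{table.name:10} -> {cols}")
```

Running the module shows the two points the explanation above relies on: the `refunds` table, added with no tags of its own, is readable by the finance role purely through inheritance, and the `card_number` column disappears from the finance role's view because its explicit `sensitivity=pii` tag no longer satisfies the grant expression. The HR role's grant lists both sensitivity values, so it sees every column of its own department's tables and none of finance's.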
AWS Documentation Extract:
"With LF-tag-based access control, you can grant permissions to resources based on tags, making it easy to manage access at scale, especially in environments with large and dynamic numbers of resources."
"LF-tags provide a scalable way to manage permissions for large numbers of resources without having to define permissions individually for each table or column."
(Source: AWS Lake Formation documentation, Access Control, Tag-Based Access Control)
Other options:
A: Would require managing explicit permissions for each table and column as the environment grows, increasing operational overhead.
B & D: Involve significant duplication of resources (clusters) and do not scale as efficiently as a centralized data lake with tag-based access.
[Reference: AWS Certified Solutions Architect – Official Study Guide, chapter on Data Lakes and Access Control]