

# Hybrid access mode
<a name="hybrid-access-mode"></a>

AWS Lake Formation *hybrid access mode* supports two permission pathways to the same AWS Glue Data Catalog objects. In the first pathway, you select specific principals, grant them Lake Formation permissions on catalogs, databases, tables, and views, and opt them in so that those permissions are enforced. In the second pathway, all other principals continue to access the same resources through their IAM principal policies for Amazon S3 and AWS Glue actions.

When you register an Amazon S3 location with Lake Formation, you can either enforce Lake Formation permissions for all resources at that location or use hybrid access mode. In hybrid access mode, Lake Formation enforces only the `CREATE_TABLE`, `CREATE_PARTITION`, and `UPDATE_TABLE` permissions by default. You then enable Lake Formation permissions selectively by opting in principals for the Data Catalog objects under that location, so both Lake Formation permissions and IAM permissions control access to the data: opted-in principals require both Lake Formation permissions and IAM permissions to access the data, while principals that are not opted in continue to access it using IAM permissions only.

Thus, hybrid access mode provides the flexibility to selectively enable Lake Formation for catalogs, databases, and tables in your Data Catalog for a specific set of users without interrupting the access for other existing users or workloads.

![\[AWS account architecture showing data flow between S3, Glue, Lake Formation, Athena, and IAM roles.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/hybrid-access-mode-concept.png)


For considerations and limitations, see [Hybrid access mode considerations and limitations](notes-hybrid.md).

**Terms and definitions**

The following terms describe Data Catalog resources based on how you set up access permissions:

Lake Formation resource  
A resource whose data location is registered with Lake Formation. Users require Lake Formation permissions to access the resource.

AWS Glue resource  
A resource whose data location is not registered with Lake Formation. Users require only IAM permissions to access the resource because it has `IAMAllowedPrincipals` group permissions; Lake Formation permissions are not enforced.  
For more information on `IAMAllowedPrincipals` group permissions, see [Metadata permissions](metadata-permissions.md).

Hybrid resource  
A resource whose data location is registered in hybrid access mode. Depending on which principal is accessing it, the resource behaves either as a Lake Formation resource (for opted-in principals) or as an AWS Glue resource (for everyone else).

## Common hybrid access mode use cases
<a name="hybrid-access-mode-use-cases"></a>

You can use hybrid access mode to provide access in single account and cross-account data sharing scenarios:

**Single account scenarios**
+ **Convert an AWS Glue resource to a hybrid resource** – In this scenario, you are not currently using Lake Formation but want to adopt Lake Formation permissions for Data Catalog objects. When you register the Amazon S3 location in hybrid access mode, you can grant Lake Formation permissions to specific users and opt them in for the databases and tables that point to that location.
+ **Convert a Lake Formation resource to a hybrid resource** – Currently, you are using Lake Formation permissions to control access for a Data Catalog database but want to provide access to new principals using IAM permissions for Amazon S3 and AWS Glue without interrupting the existing Lake Formation permissions.

  When you update a data location registration to hybrid access mode, new principals can access the Data Catalog database pointing the Amazon S3 location using IAM permissions policies without interrupting existing users' Lake Formation permissions.

  Before updating the data location registration to enable hybrid access mode, first opt in the principals that currently access the resource with Lake Formation permissions, so that their workflows are not interrupted. You also need to grant `Super` permission on the tables in the database to the `IAMAllowedPrincipals` group, so that principals on the IAM pathway can access those tables.

**Cross-account data sharing scenarios**
+ **Share AWS Glue resources using hybrid access mode** – In this scenario, the producer account has tables in a database that are currently shared with a consumer account using IAM permissions policies for Amazon S3 and AWS Glue actions. The data location of the database is not registered with Lake Formation.

   Before registering the data location in hybrid access mode, you need to update the **Cross account version settings** to version 4. Version 4 provides the new AWS RAM permission policies required for cross-account sharing when the `IAMAllowedPrincipals` group has `Super` permission on the resource. For resources with `IAMAllowedPrincipals` group permissions, you can grant Lake Formation permissions to external accounts and opt them in to use Lake Formation permissions. The data lake administrator in the recipient account can then grant Lake Formation permissions to principals in that account and opt them in to enforce the Lake Formation permissions.
+ **Share Lake Formation resources using hybrid access mode** – Currently, the producer account has tables in a database that are shared with a consumer account enforcing Lake Formation permissions. The data location of the database is registered with Lake Formation.

  In this case, you can update the Amazon S3 location registration to hybrid access mode, and share the data from Amazon S3 and metadata from Data Catalog using Amazon S3 bucket policies and Data Catalog resource policies to principals in the consumer account. You need to re-grant the existing Lake Formation permissions and opt in the principals before updating the Amazon S3 location registration. Also, you need to grant `Super` permission on the tables in the database to the `IAMAllowedPrincipals` group.

**Topics**
+ [Common hybrid access mode use cases](#hybrid-access-mode-use-cases)
+ [How hybrid access mode works](hybrid-access-workflow.md)
+ [Setting up hybrid access mode - common scenarios](hybrid-access-setup.md)
+ [Removing principals and resources from hybrid access mode](delete-hybrid-access.md)
+ [Viewing principals and resources in hybrid access mode](view-hybrid-access.md)
+ [Additional resources](additional-resources-hybrid.md)

# How hybrid access mode works
<a name="hybrid-access-workflow"></a>

The following diagram shows how Lake Formation authorization works in hybrid access mode when you query the Data Catalog resources.

![\[AWS Lake Formation authorization process flowchart for hybrid access mode queries.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/hybrid-workflow.png)


Before data in your data lake can be accessed, a data lake administrator or a user with administrative permissions sets up Lake Formation permissions that allow or deny access to individual tables in your Data Catalog. Then, a principal who has permission to perform the `RegisterResource` operation registers the Amazon S3 location of the table with Lake Formation in hybrid access mode. Even if a data location is not registered with Lake Formation, the administrator can grant Lake Formation permissions to specific users on Data Catalog databases and tables and opt them in, so that Lake Formation permissions are enforced for those users in hybrid access mode (credential vending, however, requires a registered location).

1. **Submits a query** - A principal submits a query or an ETL script using an integrated service such as Amazon Athena, AWS Glue, Amazon EMR, or Amazon Redshift Spectrum.

1. **Requests data** - The integrated analytical engine identifies the table that is being requested and sends the metadata request to the Data Catalog (`GetTable`, `GetDatabase`).

1. **Checks permissions** - The Data Catalog verifies the querying principal’s access permissions with Lake Formation.

   1. If the table doesn't have `IAMAllowedPrincipals` group permissions attached, Lake Formation permissions are enforced.

   1. If the principal has opted in to use Lake Formation permissions in the hybrid access mode, and the table has `IAMAllowedPrincipals` group permissions attached, Lake Formation permissions are enforced. The query engine applies the filters it received from Lake Formation and returns the data to the user.

   1. If the table location is not registered with Lake Formation and the principal has not opted in to use Lake Formation permissions in hybrid access mode, the Data Catalog checks whether the table has `IAMAllowedPrincipals` group permissions attached to it. If this permission exists on the table, all principals in the account get `Super` or `All` permissions on the table through the group, and data access is then governed by their IAM policies.

      Lake Formation credential vending is not available, even when opted in, unless the data location is registered with Lake Formation.

1. **Get credentials** – The Data Catalog checks and lets the engine know if the table location is registered with Lake Formation or not. If the underlying data is registered with Lake Formation, the analytical engine requests Lake Formation for temporary credentials to access data in the Amazon S3 bucket. 

1. **Get data** – If the principal is authorized to access the table data, Lake Formation provides temporary access to the integrated analytical engine. Using the temporary access, the analytical engine fetches the data from Amazon S3, and performs necessary filtering such as column, row, or cell filtering. When the engine finishes running the job, it returns the results back to the user. This process is called credential vending. For more information,  see [Integrating third-party services with Lake Formation](Integrating-with-LakeFormation.md).

1. If the data location of the table is not registered with Lake Formation, the analytics engine makes its second call directly to Amazon S3 with the principal's own credentials. The relevant Amazon S3 bucket policy and IAM principal policy are evaluated for data access. Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the IAM User Guide.
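The decision sequence in steps 3 and 4, together with the `IsRegisteredWithLakeFormation` behaviour described later under the prerequisites, as an added Python model. This is example code written for this page, not Lake Formation's own implementation; the locations, grants, role names and opt-ins are constructed, and permission names use the API form, where `ALL` is what the console shows as `Super`. Given the registration mode of the table's location, whether `IAMAllowedPrincipals` holds `ALL` on the table, and whether the principal is opted in, it returns which pathway governs the request, the permissions the principal effectively holds, the `IsRegisteredWithLakeFormation` value the engine sees, and whether credential vending happens.

```python
"""Decision model for hybrid access mode authorization (steps 3 and 4).

Added example, not Lake Formation's own code: it reproduces the documented
rules with constructed locations, grants and opt-ins so that each
combination can be checked offline. "ALL" is the API name for "Super".
"""
from dataclasses import dataclass

IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS"  # virtual group every IAM principal belongs to


@dataclass(frozen=True)
class Location:
    s3_prefix: str   # registered path, e.g. "s3://bucket/prefix/"
    hybrid: bool     # HybridAccessEnabled on the registration


@dataclass(frozen=True)
class Table:
    database: str
    name: str
    location: str    # StorageDescriptor.Location of the table


@dataclass(frozen=True)
class Decision:
    enforced_by: str                          # "LAKE_FORMATION" or "IAM"
    permissions: frozenset                    # what the principal effectively holds
    is_registered_with_lake_formation: bool   # as reported to the query engine
    credential_vending: bool                  # whether Lake Formation vends S3 credentials


def registration_mode(table, locations):
    """Return "LAKE_FORMATION", "HYBRID" or None for the table's data location."""
    covering = [loc for loc in locations if table.location.startswith(loc.s3_prefix)]
    if not covering:
        return None
    longest = max(covering, key=lambda loc: len(loc.s3_prefix))
    return "HYBRID" if longest.hybrid else "LAKE_FORMATION"


def authorize(principal, table, locations, grants, opt_ins):
    """grants: {(principal, database, table): set of permissions}
    opt_ins: set of (principal, database, table); table=None means the whole database."""
    key = (table.database, table.name)
    own = set(grants.get((principal,) + key, set()))
    iam_allowed = "ALL" in grants.get((IAM_ALLOWED_PRINCIPALS,) + key, set())
    mode = registration_mode(table, locations)
    opted_in = ((principal,) + key in opt_ins
                or (principal, table.database, None) in opt_ins)

    if mode == "LAKE_FORMATION":
        # Lake Formation mode: everyone is treated as opted in, and a grant to
        # IAMAllowedPrincipals is inherited by every principal in the account.
        perms = own | ({"ALL"} if iam_allowed else set())
        return Decision("LAKE_FORMATION", frozenset(perms), True, bool(perms))

    # Hybrid mode or unregistered location (step 3 of the workflow).
    if opted_in or not iam_allowed:
        # Lake Formation permissions are enforced; the group grant is not inherited.
        # IsRegisteredWithLakeFormation is true only for opted-in users of a hybrid location.
        registered = mode == "HYBRID" and opted_in
        return Decision("LAKE_FORMATION", frozenset(own), registered, registered and bool(own))

    # IAMAllowedPrincipals present and the principal is not opted in: IAM pathway.
    # The principal still needs IAM permissions for AWS Glue and the S3 data.
    return Decision("IAM", frozenset({"ALL"}), False, False)


# Constructed scenario: one hybrid prefix, one Lake Formation prefix, one unregistered path.
LOCATIONS = [
    Location("s3://corp-lake/sales/", hybrid=True),
    Location("s3://corp-lake/finance/", hybrid=False),
]
SALES_ORDERS = Table("sales", "orders", "s3://corp-lake/sales/orders/")
FINANCE_LEDGER = Table("finance", "ledger", "s3://corp-lake/finance/ledger/")
RAW_EVENTS = Table("raw", "events", "s3://corp-raw/events/")

ANALYST = "arn:aws:iam::111122223333:role/analyst"   # assumed role names
ETL_ROLE = "arn:aws:iam::111122223333:role/etl"
AUDITOR = "arn:aws:iam::111122223333:role/auditor"

GRANTS = {
    (IAM_ALLOWED_PRINCIPALS, "sales", "orders"): {"ALL"},
    (ANALYST, "sales", "orders"): {"SELECT"},
    (IAM_ALLOWED_PRINCIPALS, "raw", "events"): {"ALL"},
    (AUDITOR, "finance", "ledger"): {"SELECT"},
}
OPT_INS = {(ANALYST, "sales", "orders")}

if __name__ == "__main__":
    for who, tbl in [(ANALYST, SALES_ORDERS), (ETL_ROLE, SALES_ORDERS), (ANALYST, RAW_EVENTS),
                     (AUDITOR, FINANCE_LEDGER), (ETL_ROLE, FINANCE_LEDGER)]:
        print(who.rsplit("/", 1)[1], f"{tbl.database}.{tbl.name}",
              authorize(who, tbl, LOCATIONS, GRANTS, OPT_INS))
```

Run it directly to print the decision for each of the five constructed principal/table pairs. The two cases worth noticing are the non-opted-in ETL role on the hybrid `sales.orders` table (IAM pathway, `ALL` through the group, no credential vending) and the opted-in analyst when the same table's location is not registered at all (Lake Formation permissions are enforced on the metadata, but `IsRegisteredWithLakeFormation` is false and no credentials are vended).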

# Setting up hybrid access mode - common scenarios
<a name="hybrid-access-setup"></a>

As with Lake Formation permissions, you generally have two types of scenarios in which you can use hybrid access mode to manage data access: Provide access to principals within one AWS account and provide access to an external AWS account or principal.

 This section provides instructions for setting up hybrid access mode in the following scenarios: 

**Manage permissions in hybrid access mode within one AWS account**
+ [Converting an AWS Glue resource to a hybrid resource](hybrid-access-mode-new.md) – You are currently providing access to tables in a database for all principals in your account using IAM permissions for Amazon S3 and AWS Glue but want to adopt Lake Formation to manage permissions incrementally. 
+ [Converting a Lake Formation resource to a hybrid resource](hybrid-access-mode-update.md) – You are currently using Lake Formation to manage access for tables in a database for all principals in your account but want to use Lake Formation only for specific principals. You want to provide access to new principals by using IAM permissions for AWS Glue and Amazon S3 on the same database and tables.

**Manage permissions in hybrid access mode across AWS accounts**
+ [Sharing an AWS Glue resource using hybrid access mode](hybrid-access-mode-cross-account.md) – You're currently not using Lake Formation to manage permissions for a table but want to apply Lake Formation permissions to provide access for principals in another account.
+ [Sharing a Lake Formation resource using hybrid access mode](hybrid-access-mode-cross-account-IAM.md) – You're using Lake Formation to manage access for a table but want to provide access for principals in another account by using IAM permissions for AWS Glue and Amazon S3 on the same database and tables. 

**Setting up hybrid access mode – High-level steps**

1. Register the Amazon S3 data location with Lake Formation by selecting **Hybrid access mode**. 

1. Grant `DATA_LOCATION_ACCESS` permission on the data lake location to the principals that need to create Data Catalog tables or databases pointing to that location.

1.  Set the **Cross-account version setting** to Version 4. 

1. Grant fine-grained permissions to specific IAM users or roles on databases and tables. At the same time, make sure to set `Super` or `All` permissions to the `IAMAllowedPrincipals` group on the database and all or selected tables in the database.

1. Opt in the principals and resources. Other principals in the account can continue accessing the databases and tables using IAM permission policies for AWS Glue and Amazon S3 actions.

1. Optionally clean up IAM permission policies for Amazon S3 for the principals that are opted in to use Lake Formation permissions.
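A preflight check for the high-level steps above, written as an added Python example (not AWS code). Before relying on hybrid access mode for a location, it confirms for every table under a hybrid-registered prefix that `IAMAllowedPrincipals` holds `ALL` (`Super`), that each principal with Lake Formation grants on the table is opted in, and that no external-account grantee exists while the cross-account version is below 4. The input dicts follow the shapes of `aws lakeformation list-resources`, `list-permissions`, `list-lake-formation-opt-ins` and `get-data-lake-settings` output, and of `aws glue get-table` for the table location, but all values, account IDs and role names are constructed.

```python
"""Preflight audit for hybrid access mode (added example, not AWS code).

The dicts mirror the shapes returned by `aws lakeformation list-resources`,
`list-permissions`, `list-lake-formation-opt-ins`, `get-data-lake-settings`
and `aws glue get-table`, but every value below is constructed.
"""
import re

IAM_ALLOWED = "IAM_ALLOWED_PRINCIPALS"
CATALOG_ID = "111122223333"  # assumed catalog (producer) account

ANALYST = "arn:aws:iam::111122223333:role/analyst"          # assumed in-account role
PARTNER = "arn:aws:iam::444455556666:role/partner-reader"   # assumed external-account role


def table_ref(db, name):
    return {"Table": {"CatalogId": CATALOG_ID, "DatabaseName": db, "Name": name}}


RESOURCES = [  # list-resources: ResourceInfoList entries
    {"ResourceArn": "arn:aws:s3:::corp-lake/sales", "HybridAccessEnabled": True},
    {"ResourceArn": "arn:aws:s3:::corp-lake/finance", "HybridAccessEnabled": False},
]
TABLES = [  # glue get-table: the fields this check needs
    {"DatabaseName": "sales", "Name": "orders", "StorageDescriptor": {"Location": "s3://corp-lake/sales/orders/"}},
    {"DatabaseName": "sales", "Name": "returns", "StorageDescriptor": {"Location": "s3://corp-lake/sales/returns/"}},
    {"DatabaseName": "finance", "Name": "ledger", "StorageDescriptor": {"Location": "s3://corp-lake/finance/ledger/"}},
]
PERMISSIONS = [  # list-permissions: PrincipalResourcePermissions entries
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED}, "Resource": table_ref("sales", "orders"), "Permissions": ["ALL"]},
    {"Principal": {"DataLakePrincipalIdentifier": ANALYST}, "Resource": table_ref("sales", "orders"), "Permissions": ["SELECT"]},
    {"Principal": {"DataLakePrincipalIdentifier": ANALYST}, "Resource": table_ref("sales", "returns"), "Permissions": ["SELECT"]},
    {"Principal": {"DataLakePrincipalIdentifier": PARTNER}, "Resource": table_ref("sales", "orders"), "Permissions": ["SELECT"]},
]
OPT_INS = [  # list-lake-formation-opt-ins: LakeFormationOptInsInfoList entries
    {"Principal": {"DataLakePrincipalIdentifier": ANALYST}, "Resource": table_ref("sales", "orders")},
]
SETTINGS_V3 = {"DataLakeSettings": {"Parameters": {"CROSS_ACCOUNT_VERSION": "3"}}}


def s3_prefix(arn):
    """arn:aws:s3:::bucket/prefix -> s3://bucket/prefix/"""
    return "s3://" + arn.split(":::", 1)[1].rstrip("/") + "/"


def principal_account(identifier):
    """Account ID of an IAM principal ARN or bare account ID; None for virtual groups."""
    if re.fullmatch(r"\d{12}", identifier):
        return identifier
    return identifier.split(":")[4] if identifier.startswith("arn:") else None


def opt_in_covers(opt_in, principal, db, name):
    """True if this opt-in applies to the principal on database.name."""
    if opt_in["Principal"]["DataLakePrincipalIdentifier"] != principal:
        return False
    res = opt_in["Resource"]
    if "Database" in res:
        return res["Database"]["Name"] == db
    tbl = res.get("Table", {})
    return tbl.get("DatabaseName") == db and (tbl.get("Name") == name or "TableWildcard" in tbl)


def audit(resources, tables, permissions, opt_ins, settings):
    """Return sorted (finding, database.table, principal) tuples."""
    findings = []
    hybrid = [s3_prefix(r["ResourceArn"]) for r in resources if r.get("HybridAccessEnabled")]
    version = int(settings["DataLakeSettings"].get("Parameters", {}).get("CROSS_ACCOUNT_VERSION", "1"))
    for t in tables:
        db, name = t["DatabaseName"], t["Name"]
        if not any(t["StorageDescriptor"]["Location"].startswith(p) for p in hybrid):
            continue  # location not in hybrid access mode: nothing to check here
        grants = [p for p in permissions
                  if p["Resource"].get("Table", {}).get("DatabaseName") == db
                  and p["Resource"].get("Table", {}).get("Name") == name]
        # Without ALL for IAMAllowedPrincipals, Lake Formation permissions apply to
        # everyone and principals relying on the IAM pathway lose access.
        if not any(g["Principal"]["DataLakePrincipalIdentifier"] == IAM_ALLOWED
                   and "ALL" in g["Permissions"] for g in grants):
            findings.append(("NO_IAM_ALLOWED_SUPER", f"{db}.{name}", "-"))
        for g in grants:
            who = g["Principal"]["DataLakePrincipalIdentifier"]
            if who == IAM_ALLOWED:
                continue
            # A Lake Formation grant takes effect in hybrid mode only once the
            # principal is opted in for the table (or its database / all tables).
            if not any(opt_in_covers(o, who, db, name) for o in opt_ins):
                findings.append(("MISSING_OPT_IN", f"{db}.{name}", who))
            acct = principal_account(who)
            if acct and acct != CATALOG_ID and version < 4:
                findings.append(("CROSS_ACCOUNT_VERSION_TOO_LOW", f"{db}.{name}", who))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(RESOURCES, TABLES, PERMISSIONS, OPT_INS, SETTINGS_V3):
        print(*finding)
```

Against the constructed data the audit reports four findings: `sales.returns` has no `ALL` for `IAMAllowedPrincipals` and an analyst grant that is not opted in, and `sales.orders` has an external partner role that is neither opted in nor shareable under cross-account version 3. `finance.ledger` sits under a location registered in Lake Formation mode and is skipped. To run this against a real account, replace the constants with the output of the listed commands.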

# Prerequisites for setting up hybrid access mode
<a name="hybrid-access-prerequisites"></a>

The following are the prerequisites for setting up hybrid access mode: 

**Note**  
We recommend that a Lake Formation administrator registers the Amazon S3 location in hybrid access mode and opts in the principals and resources.

1. Grant data location permission (`DATA_LOCATION_ACCESS`) to create Data Catalog resources that point to the Amazon S3 locations. Data location permissions control the ability to create Data Catalog catalogs, databases and tables that point to particular Amazon S3 locations. 

1. To share Data Catalog resources with another account in hybrid access mode (without removing `IAMAllowedPrincipals` group permissions from the resource), you need to update the **Cross account version settings** to Version 4 or higher. To update the version using Lake Formation console, choose **Version 4** or **Version 5** under **Cross account version settings** on the **Data Catalog settings** page. 

   You can also use the `put-data-lake-settings` AWS CLI command to set the `CROSS_ACCOUNT_VERSION` parameter to version 4 or 5. Because this command replaces the entire settings object, retrieve the current settings with `get-data-lake-settings` first and carry over the existing `DataLakeAdmins` and other values in the file that you pass:

   ```
   aws lakeformation put-data-lake-settings --region us-east-1 --data-lake-settings file://settings.json
   ```

   Contents of `settings.json` (replace the account ID and user name with your values):

   ```
   {
       "DataLakeAdmins": [
           {
               "DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/<user-name>"
           }
       ],
       "CreateDatabaseDefaultPermissions": [],
       "CreateTableDefaultPermissions": [],
       "Parameters": {
           "CROSS_ACCOUNT_VERSION": "5"
       }
   }
   ```

1. To grant cross-account permissions in hybrid access mode, the grantor must have the required IAM permissions for the AWS Glue and AWS RAM services. The AWS managed policy `AWSLakeFormationCrossAccountManager` grants the required permissions. To enable cross-account data sharing in hybrid access mode, the `AWSLakeFormationCrossAccountManager` managed policy was updated with two additional IAM permissions:
   + `ram:ListResourceSharePermissions`
   + `ram:AssociateResourceSharePermission`
**Note**  
If you are not using the AWS managed policy for the grantor role, add the above permissions to your custom policy.

## Amazon S3 bucket location and user access
<a name="w2aac11c34c21c15b9"></a>

When you create a catalog, database or a table in the AWS Glue Data Catalog, you can specify the Amazon S3 bucket location of the underlying data and register it with Lake Formation. The tables below describe how permissions work for AWS Glue and Lake Formation users (principals) based on the Amazon S3 data location of the table or database. 


**Amazon S3 location registered with Lake Formation**  

| Amazon S3 location of a database | AWS Glue users | Lake Formation users | 
| --- | --- | --- | 
|  Registered with Lake Formation (in hybrid access mode or in Lake Formation mode)  |  Have read/write access to the Amazon S3 data location by inheriting permissions from the IAMAllowedPrincipals group (super access) permissions.  | Inherit permissions to create tables from their granted CREATE TABLE permission. | 
| No associated Amazon S3 location |  Require explicit DATA LOCATION permission for running CREATE TABLE and INSERT TABLE statements.  |  Require explicit DATA LOCATION permission for running CREATE TABLE and INSERT TABLE statements.  | 

**`IsRegisteredWithLakeFormation` table property**  
The `IsRegisteredWithLakeFormation` property of a table indicates whether the data location of the table is registered with Lake Formation for the requester. If the permission mode of the location is registered as Lake Formation, then the `IsRegisteredWithLakeFormation` property is `true` for all users accessing the data location because all users are considered as opted in for that table. If the location is registered in hybrid access mode, then the value is set to `true` only for users who have opted in for that table. 


**How `IsRegisteredWithLakeFormation` works**  

| Permission mode | Users/Roles |  `IsRegisteredWithLakeFormation`  | Description | 
| --- | --- | --- | --- | 
|  Lake Formation  | All | True |  When a location is registered with Lake Formation, the `IsRegisteredWithLakeFormation` property will be set to true for all users. This means that the permissions defined in Lake Formation apply to the registered location. Credential vending will be done by Lake Formation.  | 
| Hybrid access mode | Opted in | True |  For users who have opted in to using Lake Formation for data access and governance for a table, the `IsRegisteredWithLakeFormation` property will be set to `true` for that table. They are subject to the permission policies defined in Lake Formation for the registered location.  | 
| Hybrid access mode | Not opted in | False |  For users who have not opted in to using Lake Formation permissions, the `IsRegisteredWithLakeFormation` property is set to `false`. They are not subject to the permission policies defined in Lake Formation for the registered location. Instead, users will follow the Amazon S3 permissions policies.  | 

# Converting an AWS Glue resource to a hybrid resource
<a name="hybrid-access-mode-new"></a>

Follow these steps to register an Amazon S3 location in hybrid access mode and on-board new Lake Formation users without interrupting the existing Data Catalog users' data access. 

Scenario description - The data location is not registered with Lake Formation, and users' access to the Data Catalog database and tables is determined by IAM permissions policies for Amazon S3 and AWS Glue actions.  The `IAMAllowedPrincipals` group by default has `Super` permissions on all tables in the database. 

**To enable hybrid access mode for a data location that is not registered with Lake Formation**

1. 

**Register an Amazon S3 location enabling hybrid access mode.**

------
#### [ Console ]

   1. Sign in to the [Lake Formation console](https://console.aws.amazon.com/lakeformation/) as a data lake administrator. 

   1. In the navigation pane, choose **Data lake locations** under **Administration**.

   1. Choose **Register location**.  
![\[Register location form for Amazon S3 data lake with path input, IAM role selection, and permission mode options.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/hybrid-access-register-s3.png)

   1. On the **Register location** window, choose the **Amazon S3** path that you want to register with Lake Formation. 

   1. For **IAM role**, choose either the `AWSServiceRoleForLakeFormationDataAccess` service-linked role (the default) or a custom IAM  role that meets the requirements in [Requirements for roles used to register locations](registration-role.md). 

   1. Choose **Hybrid access mode** to apply fine-grained Lake Formation access control policies only to opted-in principals and the Data Catalog databases and tables pointing to the registered location.

      Alternatively, choose **Lake Formation** to have Lake Formation authorize all access requests to the registered location.

   1. Choose **Register location**.

------
#### [ AWS CLI ]

   The following example registers a data location with Lake Formation in hybrid access mode (`"HybridAccessEnabled": true`). The default value of the `HybridAccessEnabled` parameter is `false`. Replace the Amazon S3 path, role name, and AWS account ID with valid values.

   ```
   aws lakeformation register-resource --cli-input-json file://register-resource.json
   ```

   Contents of `register-resource.json`:

   ```
   {
       "ResourceArn": "arn:aws:s3:::<s3-path>",
       "UseServiceLinkedRole": false,
       "RoleArn": "arn:aws:iam::<123456789012>:role/<role-name>",
       "HybridAccessEnabled": true
   }
   ```

------

1. 

**Grant permissions and opt in principals to use Lake Formation permissions for resources in hybrid access mode**

   Before you opt in principals and resources in hybrid access mode, verify that `Super` or `All` permissions for the `IAMAllowedPrincipals` group exist on the databases and tables whose location is registered with Lake Formation in hybrid access mode.
**Note**  
You can't grant the `IAMAllowedPrincipals` group permission on `All tables` within a database. You need to select each table separately from the drop-down menu, and grant permissions. Also, when you create new tables in the database, you can choose to use the `Use only IAM access control for new tables in new databases` in the **Data Catalog Settings**. This option grants `Super` permission to the `IAMAllowedPrincipals` group automatically when you create new tables within the database. 

------
#### [ Console ]

   1. On the Lake Formation console, under **Data Catalog**, choose **Catalogs**, **Databases**, or **Tables**.

   1. Select a catalog, a database, or a table from the list, and choose **Grant** from the **Actions** menu.

   1. Choose principals to grant permissions on the database, tables, and columns using named resource method or LF-Tags.

      Alternatively, choose **Data permissions**, select the principals to grant permissions from the list, and choose **Grant**.

      For more details on granting data permissions, see [Granting permissions on Data Catalog resources](granting-catalog-permissions.md).
**Note**  
If you’re granting a principal Create table permission, you also need to grant data location permissions (`DATA_LOCATION_ACCESS`) to the principal. This permission is not needed to update tables.  
For more information, see [Granting data location permissions](granting-location-permissions.md).

   1. When you use **Named resource method** to grant permissions, the option to opt in principals and resources is available on the lower section of the **Grant data permission** page. 

      Choose **Make Lake Formation permissions effective immediately** to enable Lake Formation permissions for the principals and resources.  
![\[The option to choose hybrid access mode for the Data Catalog resource.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/hybrid-access-grant-option.png)

   1. Choose **Grant**.

       When you opt in principal A on table A that is pointing to a data location, it allows principal A to have access to this table’s location using Lake Formation permissions if the data location is registered in hybrid mode. 

------
#### [ AWS CLI ]

   The following example opts in a principal for a table in hybrid access mode. Replace the role name, AWS account ID, database name, and table name with valid values.

   ```
   aws lakeformation create-lake-formation-opt-in --cli-input-json file://opt-in.json
   ```

   Contents of `opt-in.json`:

   ```
   {
       "Principal": {
           "DataLakePrincipalIdentifier": "arn:aws:iam::<123456789012>:role/<hybrid-access-role>"
       },
       "Resource": {
           "Table": {
               "CatalogId": "<123456789012>",
               "DatabaseName": "<hybrid_test>",
               "Name": "<hybrid_test_table>"
           }
       }
   }
   ```

------

   1. If you choose LF-Tags to grant permissions, you can opt in principals to use Lake Formation permissions in a separate step. You can do this by choosing **Hybrid access mode** under **Permissions** from the left navigation bar.

   1.  On the lower section of the **Hybrid access mode** page, choose **Add** to add resources and principals to hybrid access mode. 

   1.  On the **Add resources and principals** page, choose the catalogs, databases and tables registered in hybrid access mode. 

      You can choose `All tables` under a database to grant access.  
![\[The interface to add catalogs, databases, and tables in hybrid access mode.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/hybrid-access-opt-in.png)

   1. Choose the principals to opt in to use Lake Formation permissions in hybrid access mode.
      +  **Principals** – You can choose IAM users and roles in the same account or in another account. You can also choose SAML users and groups.
      + **Attributes** – Select attributes to grant permissions based on attributes.  
![\[The interface to add principals and resources with an attribute expression.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/abac-hybrid-access.png)
      + Enter the key-value pair to create a grant based on attributes. Review the Cedar policy expression on the console. For more information about Cedar, see [What is Cedar?](https://docs.cedarpolicy.com/) in the *Cedar Policy Language Reference Guide*.
      + Choose **Add**.

        All IAM roles/users with matching attributes are granted access.

   1. Choose **Add**.

# Converting a Lake Formation resource to a hybrid resource
<a name="hybrid-access-mode-update"></a>

In cases where you're currently using Lake Formation permissions for your Data Catalog databases and tables, you can edit the location registration properties to enable hybrid access mode. This allows you to provide new principals access to the same resources using IAM permission policies for Amazon S3 and AWS Glue actions without interrupting existing Lake Formation permissions.

Scenario description - The following steps assume that you have a data location registered with Lake Formation, and that you have set up permissions for principals on databases, tables, or columns pointing to that location. If the location was registered with the service-linked role, you can't update the location parameters to enable hybrid access mode. The `IAMAllowedPrincipals` group by default has `Super` permissions on the database and all its tables.

**Important**  
Don’t update a location registration to hybrid access mode without opting in the principals that are accessing data in this location.

**Enabling hybrid access mode for a data location registered with Lake Formation**

1. 
**Warning**  
We don't recommend converting a Lake Formation managed data location to hybrid access mode, because doing so can interrupt the permission policies of other existing users or workloads.

   Opt in the existing principals who have Lake Formation permissions.

   1. List and review the permissions you’ve granted to principals on catalogs, databases and tables. For more information, see [Viewing database and table permissions in Lake Formation](viewing-permissions.md). 

   1. Choose **Hybrid access mode** under **Permissions** from the left navigation bar, and choose **Add**. 

   1. On the **Add principals and resources** page, choose the catalogs, databases, and tables from the Amazon S3 data location that you want to use in hybrid access mode. Choose the principals that already have Lake Formation permissions. 

   1.  Choose **Add** to opt in the principals to use Lake Formation permissions in hybrid access mode.

1.  Update the Amazon S3 bucket/prefix registration by choosing **Hybrid access mode** option. 

------
#### [ Console ]

   1. Sign in to the Lake Formation console as the data lake administrator.

   1.  In the navigation pane, under **Register and Ingest**, choose **Data lake locations**.

   1. Select a location, and on the **Actions** menu, choose **Edit**.

   1. Choose **Hybrid access mode**. 

   1. Choose **Save**. 

   1. Under Data Catalog, select the database or table and grant `Super` or `All` permissions to the virtual group called `IAMAllowedPrincipals`. 

   1. Verify that your existing Lake Formation users' access is not interrupted after you update the location registration properties. Sign in to the Athena console as a Lake Formation principal and run a sample query on a table that points to the updated location.

      Similarly, verify the access of AWS Glue users who are using IAM permissions policies to access the database and tables.

------
#### [ AWS CLI ]

   The following example updates an existing data location registration to hybrid access mode (`"HybridAccessEnabled": true`). The default value of the `HybridAccessEnabled` parameter is `false`. Replace the Amazon S3 path, role name, and AWS account ID with valid values.

   ```
   aws lakeformation update-resource --cli-input-json file://update-resource.json
   ```

   Contents of `update-resource.json`:

   ```
   {
       "ResourceArn": "arn:aws:s3:::<s3-path>",
       "RoleArn": "arn:aws:iam::<123456789012>:role/<role-name>",
       "HybridAccessEnabled": true
   }
   ```

------

# Sharing an AWS Glue resource using hybrid access mode
<a name="hybrid-access-mode-cross-account"></a>

Share data with another AWS account or a principal in another AWS account enforcing Lake Formation permissions without interrupting existing Data Catalog users' IAM based access. 

Scenario description - The producer account has a Data Catalog database that has access controlled using IAM principal policies for Amazon S3 and AWS Glue actions. The data location of the database is not registered with Lake Formation. The `IAMAllowedPrincipals` group, by default, has `Super` permissions on the database and all its tables. 

**Granting cross-account Lake Formation permissions in hybrid access mode**

1. 

**Producer account set up**

   1. Sign in to the Lake Formation console using a role that has `lakeformation:PutDataLakeSettings` IAM permission.

   1. Go to **Data Catalog settings**, and choose **Version 4** for the **Cross account version settings**.

      If you're currently using version 1 or 2, see [Updating cross-account data sharing version settings](optimize-ram.md) instructions on updating to version 3. 

      There are no permission policy changes required when upgrading from version 3 to 4.

   1. Register the Amazon S3 location of the database or table that you're planning to share in hybrid access mode.

   1. Verify that `Super` permission to the `IAMAllowedPrincipals` group exists on the databases and tables of which you registered the data location in hybrid access mode in the above step. 

   1. Grant Lake Formation permissions to AWS organizations, organizational units (OUs), or directly with an IAM principal in another account.

   1. If you're granting permissions directly to an IAM principal, opt in the principal from the consumer account to enforce Lake Formation permissions in hybrid access mode by enabling the option **Make Lake Formation permissions effective immediately**.

       If you're granting cross-account permissions to another AWS account, opting in the account enforces Lake Formation permissions only for the data lake administrators of that account. The recipient account's data lake administrator needs to cascade the permissions down and opt in the principals in that account to enforce Lake Formation permissions for the shared resources that are in hybrid access mode.

      If you choose **Resources matched by LF-Tags** option to grant cross-account permissions, you need to first complete granting permissions step. You can opt in principals and resources to hybrid access mode as a separate step by choosing **Hybrid access mode** under Permissions on the left-navigation bar of the Lake Formation console. Then choose **Add** to add the resources and principals that you want to enforce Lake Formation permissions. 

1. 

**Consumer account set up**

   1. Sign in to the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/) as a data lake administrator.

   1. Go to [https://console.aws.amazon.com/ram/home](https://console.aws.amazon.com/ram/home), and accept the resource share invitation. The **Shared with me** tab in the AWS RAM console displays the database and tables that are shared with your account.

   1.  Create a resource link to the shared database and/or table in Lake Formation.

   1.  Grant `Describe` permission on the resource link and `Grant on target` permission (on the original shared resource) to the IAM principals in your (consumer) account. 

   1.  Grant Lake Formation permissions on the database or table shared with you to the principals in your account. Opt in the principals and resources to enforce Lake Formation permissions in hybrid access mode by enabling the option **Make Lake Formation permissions effective immediately**.

   1.  Test the principal's Lake Formation permissions by running sample Athena queries. Test the existing access of your AWS Glue users with IAM principal policies for Amazon S3 and AWS Glue actions.

      (Optional) Remove the Amazon S3 bucket policy for data access and IAM principal policies for AWS Glue and Amazon S3 data access for the principals that you configured to use Lake Formation permissions.

# Sharing a Lake Formation resource using hybrid access mode
<a name="hybrid-access-mode-cross-account-IAM"></a>

Allow new Data Catalog users in an external account to access Data Catalog databases and tables using IAM based policies without interrupting the existing Lake Formation cross-account sharing permissions.

Scenario description - The producer account has Lake Formation managed databases and tables that are shared with an external (consumer) account at the account level or the IAM principal level. The data location of the database is registered with Lake Formation. The `IAMAllowedPrincipals` group does not have `Super` permissions on the database and its tables. 

**Granting cross-account access to new Data Catalog users via IAM based policies without interrupting existing Lake Formation permissions**

1. **Producer account set up**

   1. Sign in to the Lake Formation console using a role that has the `lakeformation:PutDataLakeSettings` permission. 

   1. Under **Data Catalog settings**, choose `Version 4` for the **Cross account version settings**.

      If you're currently using version 1 or 2, see [Updating cross-account data sharing version settings](optimize-ram.md) for instructions on updating to version 3. 

      There are no permission policy changes required to upgrade from version 3 to 4.

   1. List the permissions you’ve granted to principals on databases and tables. For more information, see [Viewing database and table permissions in Lake Formation](viewing-permissions.md). 

   1.  Regrant existing Lake Formation cross-account permissions by opting in principals and resources.
**Note**  
Before updating a data location registration to hybrid access mode to grant cross-account permissions, you need to regrant at least one cross-account data share per account. This step is necessary to update the AWS RAM managed permissions attached to the AWS RAM resource share.  
In July 2023, Lake Formation updated the AWS RAM managed permissions used for sharing databases and tables:  
`arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueAllTablesReadWriteForDatabase` (database-level share policy)  
`arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueTableReadWrite` (table-level share policy)  
Cross-account permission grants made before July 2023 don't have these updated AWS RAM permissions.  
If you've granted cross-account permissions directly to principals, you need to regrant those permissions to each principal individually. If you skip this step, principals accessing the shared resource might get an illegal combination error. 

   1. Go to [https://console.aws.amazon.com/ram/home](https://console.aws.amazon.com/ram/home). 

   1. The **Shared by me** tab in the AWS RAM console displays the database and table names that you've shared with an external account or principal.

       Ensure that the permissions attached to the shared resource have the correct ARN. 

   1. Verify that the resources in the AWS RAM share are in `Associated` status. If the status shows as `Associating`, wait until they go into the `Associated` state. If the status becomes `Failed`, stop and contact the Lake Formation service team. 

   1. Choose **Hybrid access mode** under **Permissions** from the left navigation bar, and choose **Add**. 

   1.  The **Add principals and resources** page shows the databases and/or tables and the principals that have access. You can make the required updates by adding or removing principals and resources.

   1.  Choose the principals with Lake Formation permissions for the database and tables that you want to change to hybrid access mode. Choose the databases and tables. 

   1.  Choose **Add** to opt in the principals to enforce Lake Formation permissions in hybrid access mode.

   1.  Grant `Super` permission to the virtual group `IAMAllowedPrincipals` on your database and selected tables. 

   1. Edit the Amazon S3 location Lake Formation registration to hybrid access mode.

   1. Grant permissions for the AWS Glue users in the external (consumer) account using IAM permission policies for Amazon S3 and AWS Glue actions. 

1. **Consumer account set up**

   1. Sign in to the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/) as a data lake administrator. 

   1. Go to [https://console.aws.amazon.com/ram/home](https://console.aws.amazon.com/ram/home) and accept the resource share invitation. The **Resources shared with me** tab in the AWS RAM page displays the database and table names that are shared with your account.

       For the AWS RAM share, ensure that the attached permission has the correct ARN of the shared AWS RAM invite. Check that the resources in the AWS RAM share are in `Associated` status. If the status shows as `Associating`, wait until they go into the `Associated` state. If the status becomes `Failed`, stop and contact the Lake Formation service team. 

   1.  Create a resource link to the shared database and/or table in Lake Formation.

   1.  Grant `Describe` permission on the resource link and `Grant on target` permission (on the original shared resource) to the IAM principals in your (consumer) account. 

   1. Next, set up Lake Formation permissions for principals in your account on the shared database or table.

      On the left navigation bar, under **Permissions**, choose **Hybrid access mode**.

   1.  Choose **Add** in the lower section of the **Hybrid access mode** page to opt in the principals and the database or table shared with you from the producer account.

   1.  Grant permissions for the AWS Glue users in your account using IAM permission policies for Amazon S3 and AWS Glue actions. 

   1.  Test users' Lake Formation permissions and AWS Glue permissions by running separate sample queries on the table using Athena.

      (Optional) Clean up IAM permission policies for Amazon S3 for the principals that are in the hybrid access mode.

# Removing principals and resources from hybrid access mode
<a name="delete-hybrid-access"></a>

 Follow these steps to remove databases, tables, and principals from hybrid access mode. 

------
#### [ Console ]

1. Sign in to the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

1. Under **Permissions**, choose **Hybrid access mode**.

1.  On the **Hybrid access mode** page, select the checkbox next to the database or table name and choose **Remove**. 

1. A warning message prompts you to confirm the action. Choose **Remove**.

   Lake Formation no longer enforces permissions for those resources, and access to them is controlled using IAM and AWS Glue permissions. Users may lose access to a resource if they don't have the appropriate IAM permissions. 

------
#### [ AWS CLI ]

 The following example shows how to remove resources from hybrid access mode. 

```
aws lakeformation delete-lake-formation-opt-in --cli-input-json file://<file path>
```

Contents of the JSON input file:

```
{
    "Principal": {
        "DataLakePrincipalIdentifier": "arn:aws:iam::<account-id>:role/<role name>"
    },
    "Resource": {
        "Table": {
            "CatalogId": "<account-id>",
            "DatabaseName": "<database name>",
            "Name": "<table name>"
        }
    }
}
```

------

# Viewing principals and resources in hybrid access mode
<a name="view-hybrid-access"></a>

 Follow these steps to view databases, tables, and principals in hybrid access mode. 

------
#### [ Console ]

1. Sign in to the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

1. Under **Permissions**, choose **Hybrid access mode**.

1.  The **Hybrid access mode** page shows the resources and principals that are currently in hybrid access mode. 

------
#### [ AWS CLI ]

 The following example shows how to list all opted-in principals and resources that are in hybrid access mode. 

```
aws lakeformation list-lake-formation-opt-ins
```

 The following example shows how to list the opt-in for a specific principal-resource pair.

```
aws lakeformation list-lake-formation-opt-ins --cli-input-json file://<file path>
```

Contents of the JSON input file:

```
{
    "Principal": {
        "DataLakePrincipalIdentifier": "arn:aws:iam::<account-id>:role/<role name>"
    },
    "Resource": {
        "Table": {
            "CatalogId": "<account-id>",
            "DatabaseName": "<database name>",
            "Name": "<table name>"
        }
    }
}
```

------
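The following is an added example, not AWS's code and not part of the Lake Formation documentation. It scripts the checks that the producer and consumer procedures above perform by hand (verifying that `IAMAllowedPrincipals` holds `Super` before a location is switched to hybrid access mode, and opting principals in to specific resources) together with the opt-in listing and removal shown in the AWS CLI sections. It assumes the documented shapes of the `ListPermissions`, `ListLakeFormationOptIns`, `CreateLakeFormationOptIn` and `DeleteLakeFormationOptIn` API calls as exposed by a boto3 `lakeformation` client; that client is passed in rather than created, so the planning and audit functions run offline. The account IDs, role, database and table names are constructed placeholders.

```python
"""Audit and plan hybrid access mode opt-ins for a producer or consumer account.

Added example; not AWS's code and not part of the Lake Formation documentation.
Assumes the documented API shapes: ListPermissions returns PrincipalResourcePermissions
entries, ListLakeFormationOptIns returns LakeFormationOptInsInfoList entries, and
CreateLakeFormationOptIn / DeleteLakeFormationOptIn take Principal and Resource.
All sample records at the bottom are constructed placeholders.
"""
from __future__ import annotations

# In the API, the console's "IAMAllowedPrincipals" group is the principal
# IAM_ALLOWED_PRINCIPALS and the console's "Super" permission is ALL.
IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS"
SUPER = "ALL"


def database_resource(catalog_id: str, database: str) -> dict:
    """Resource block naming a database in the given catalog (account ID)."""
    return {"Database": {"CatalogId": catalog_id, "Name": database}}


def table_resource(catalog_id: str, database: str, table: str) -> dict:
    """Resource block naming one table in a database."""
    return {"Table": {"CatalogId": catalog_id, "DatabaseName": database, "Name": table}}


def opt_in_request(principal: str, resource: dict) -> dict:
    """Body for CreateLakeFormationOptIn / DeleteLakeFormationOptIn: the API form of
    the console option 'Make Lake Formation permissions effective immediately'.
    Accepts an ARN or a 12-digit account ID (account-level share)."""
    if not (principal.startswith("arn:") or (principal.isdigit() and len(principal) == 12)):
        raise ValueError(f"unexpected principal identifier: {principal!r}")
    return {"Principal": {"DataLakePrincipalIdentifier": principal}, "Resource": resource}


def _same_resource(actual: dict, wanted: dict) -> bool:
    """Match on resource type and the identifying fields of `wanted`; extra fields
    the service may add to a response are ignored."""
    (kind, fields), = wanted.items()
    got = actual.get(kind)
    return got is not None and all(got.get(k) == v for k, v in fields.items())


def missing_super(permissions: list[dict], resources: list[dict]) -> list[dict]:
    """Resources on which IAMAllowedPrincipals does not hold Super. Before the S3
    location is switched to hybrid access mode this list must be empty; otherwise
    principals that are not opted in lose their IAM-only access path."""
    def has_super(resource: dict) -> bool:
        return any(
            p["Principal"]["DataLakePrincipalIdentifier"] == IAM_ALLOWED_PRINCIPALS
            and _same_resource(p["Resource"], resource)
            and SUPER in p.get("Permissions", [])
            for p in permissions
        )
    return [r for r in resources if not has_super(r)]


def is_opted_in(opt_ins: list[dict], principal: str, resource: dict) -> bool:
    """True if the principal/resource pair already appears in the opt-in list."""
    return any(
        o["Principal"]["DataLakePrincipalIdentifier"] == principal
        and _same_resource(o["Resource"], resource)
        for o in opt_ins
    )


def plan_opt_ins(principal: str, resources: list[dict], existing: list[dict]) -> list[dict]:
    """Opt-in requests still needed for `principal`; pairs already opted in are
    skipped, so the plan is safe to re-run after a partial failure."""
    return [opt_in_request(principal, r) for r in resources
            if not is_opted_in(existing, principal, r)]


def list_opt_ins(client, principal: str | None = None) -> list[dict]:
    """Page through ListLakeFormationOptIns. `client` is a boto3 'lakeformation'
    client (assumed); it is passed in, not created, so the rest runs offline."""
    kwargs: dict = {}
    if principal:
        kwargs["Principal"] = {"DataLakePrincipalIdentifier": principal}
    found: list[dict] = []
    while True:
        page = client.list_lake_formation_opt_ins(**kwargs)
        found.extend(page.get("LakeFormationOptInsInfoList", []))
        token = page.get("NextToken")
        if not token:
            return found
        kwargs["NextToken"] = token


def apply_opt_ins(client, requests: list[dict], remove: bool = False) -> int:
    """Send each request with CreateLakeFormationOptIn, or DeleteLakeFormationOptIn
    when `remove` is set (the CLI's delete-lake-formation-opt-in)."""
    call = client.delete_lake_formation_opt_in if remove else client.create_lake_formation_opt_in
    for req in requests:
        call(**req)
    return len(requests)


# Constructed sample data: placeholder account IDs and names, not real resources.
PRODUCER = "111122223333"
ANALYST = "arn:aws:iam::444455556666:role/analyst"
SALES_DB = database_resource(PRODUCER, "sales")
ORDERS = table_resource(PRODUCER, "sales", "orders")
SAMPLE_PERMISSIONS = [  # shaped like ListPermissions.PrincipalResourcePermissions
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
     "Resource": SALES_DB, "Permissions": [SUPER], "PermissionsWithGrantOption": []},
    {"Principal": {"DataLakePrincipalIdentifier": ANALYST},
     "Resource": ORDERS, "Permissions": ["SELECT"], "PermissionsWithGrantOption": []},
]
SAMPLE_OPT_INS = [  # shaped like ListLakeFormationOptIns.LakeFormationOptInsInfoList
    {"Principal": {"DataLakePrincipalIdentifier": ANALYST}, "Resource": SALES_DB},
]

if __name__ == "__main__":
    print("still missing Super for IAMAllowedPrincipals:",
          missing_super(SAMPLE_PERMISSIONS, [SALES_DB, ORDERS]))
    print("opt-ins to create:", plan_opt_ins(ANALYST, [SALES_DB, ORDERS], SAMPLE_OPT_INS))
```

On the sample data, `missing_super` reports the `orders` table (only the database carries `Super` for `IAMAllowedPrincipals`), and `plan_opt_ins` returns a single request for the table because the database pair is already opted in. With a real client, `apply_opt_ins(client, plan_opt_ins(ANALYST, resources, list_opt_ins(client, ANALYST)))` performs the console's **Add** step, and the same call with `remove=True` performs **Remove**.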

# Additional resources
<a name="additional-resources-hybrid"></a>

The following blog post walks through the steps to onboard Lake Formation permissions in hybrid access mode for selected users while the database remains accessible to other users through IAM and Amazon S3 permissions. It covers setting up hybrid access mode within an AWS account and between two accounts. 
+ [Introducing hybrid access mode for AWS Glue Data Catalog to secure access using Lake Formation and IAM and Amazon S3 policies](https://aws.amazon.com/blogs/big-data/introducing-hybrid-access-mode-for-aws-glue-data-catalog-to-secure-access-using-aws-lake-formation-and-iam-and-amazon-s3-policies/)