Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.2. Authorization and Access Control

💡 First Principle: Authentication proves who you are; authorization decides what you're allowed to do. Think of it like a hotel key card — authentication gets you through the front door, but authorization determines which rooms your card opens. While IAM policies provide coarse-grained authorization (access to S3 buckets, Glue tables), Lake Formation provides fine-grained authorization (access to specific columns and rows within a table). The trade-off: IAM is simpler to manage but lacks data-level granularity; Lake Formation is more complex but enables column-level and row-level security.

Without proper authorization, what stops a junior analyst with read access to the data lake from seeing every employee's salary, every customer's SSN, and every financial record? In regulated industries, this isn't just a policy violation — it's a compliance catastrophe. Lake Formation's fine-grained access control solves this by letting you define "this role can see columns A, B, and C but not D" and "this role can only see rows where region = 'US'" — without modifying the underlying data or creating separate copies.
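The column and row restriction described above can be expressed as a Lake Formation data cells filter. The following is an added example, not part of the original course material: it builds a filter in the request shape of `CreateDataCellsFilter`, then checks which columns it would expose before it is granted. The table, database, column names, filter names and account ID are constructed placeholders.

```python
# Constructed sample table; all names and the account ID are placeholders.
TABLE_COLUMNS = ["employee_id", "name", "region", "salary", "ssn"]
SENSITIVE = {"salary", "ssn"}

def make_filter(name, excluded=None, included=None, row_expr=None):
    """Build a TableData dict in the shape CreateDataCellsFilter expects."""
    flt = {"TableCatalogId": "111122223333", "DatabaseName": "hr",
           "TableName": "employees", "Name": name}
    # Row-level security: a filter expression, or explicitly every row.
    flt["RowFilter"] = ({"FilterExpression": row_expr} if row_expr
                        else {"AllRowsWildcard": {}})
    # Column-level security: an allow-list, or all columns minus exclusions.
    if included is not None:
        flt["ColumnNames"] = list(included)
    else:
        flt["ColumnWildcard"] = {"ExcludedColumnNames": list(excluded or [])}
    return flt

def visible_columns(flt, table_columns):
    """Columns a principal granted SELECT on this filter can read."""
    if "ColumnNames" in flt:
        return [c for c in table_columns if c in flt["ColumnNames"]]
    excluded = set(flt["ColumnWildcard"]["ExcludedColumnNames"])
    return [c for c in table_columns if c not in excluded]

def audit(flt, table_columns, sensitive):
    """Return findings for a filter that is broader than intended."""
    findings = []
    leaked = sorted(set(visible_columns(flt, table_columns)) & sensitive)
    if leaked:
        findings.append("exposes sensitive columns: " + ", ".join(leaked))
    if "AllRowsWildcard" in flt["RowFilter"]:
        findings.append("no row restriction")
    return findings

def apply_filter(lf_client, flt, role_arn):
    """Create the filter and grant SELECT on it; lf_client is a
    boto3 'lakeformation' client and needs AWS credentials."""
    lf_client.create_data_cells_filter(TableData=flt)
    keys = ("TableCatalogId", "DatabaseName", "TableName", "Name")
    lf_client.grant_permissions(
        Principal={"DataLakePrincipalIdentifier": role_arn},
        Resource={"DataCellsFilter": {k: flt[k] for k in keys}},
        Permissions=["SELECT"])

ANALYST = make_filter("us_analyst", excluded=["salary", "ssn"],
                      row_expr="region = 'US'")
TOO_BROAD = make_filter("everything")  # wildcard columns, all rows

if __name__ == "__main__":
    for f in (ANALYST, TOO_BROAD):
        print(f["Name"], visible_columns(f, TABLE_COLUMNS),
              audit(f, TABLE_COLUMNS, SENSITIVE))
```

Running `audit` before `apply_filter` catches a filter that uses the column wildcard without exclusions or leaves the row filter open, which would give the analyst role the same view as the unrestricted table.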

Written by Alvin Varughese
Founder • 15 professional certifications