Lake Formation workflow of RDS & S3

🌊 Goal:

Create a data lake that combines data from:

• Amazon RDS (relational database)
• Amazon S3 (object storage for large-scale analytics)

You’ll then use AWS Lake Formation to centrally manage data access and security — without manually writing IAM policies or complex permissions.

🔧 Step-by-Step Breakdown

1️⃣ Create a Data Lake with Lake Formation

Lake Formation is built on top of AWS Glue and Amazon S3 — it helps you:

• Catalog all your data sources (S3, RDS, Redshift, etc.)
• Define fine-grained access controls (at the table, column, or row level)
• Use a single, centralized permission model for analytics services (like Athena, Redshift Spectrum, EMR, Glue)

How:

• In the Lake Formation console, register your data lake location (usually an S3 bucket or a prefix, e.g. s3://company-data-lake/).
• Lake Formation creates a data catalog (via AWS Glue Data Catalog) that tracks where data lives and its schema.

2️⃣ Create an AWS Glue JDBC Connection to Amazon RDS

JDBC ( Java Database Connectivity )

It’s a standard protocol that lets software applications connect to databases — regardless of the database vendor (MySQL, PostgreSQL, Oracle, SQL Server, etc.).

This allows AWS Glue (and by extension, Lake Formation) to connect directly to your Amazon RDS database and crawl or extract metadata.

How:

• In AWS Glue, go to Connections → Add connection
• Choose JDBC
• Enter your RDS endpoint, database name, username, and password (stored securely in AWS Secrets Manager)
• Ensure your Glue job or crawler runs in the same VPC as your RDS instance, or that it has network access.

Result: Glue can now read schema and data from RDS tables.

3️⃣ Register the S3 Bucket in Lake Formation

This step “tells” Lake Formation that this S3 bucket is part of your managed data lake.

Why it matters:

• Lake Formation then enforces fine-grained access controls on that bucket.
• Any other AWS analytics service (Athena, Redshift Spectrum, etc.) must check Lake Formation permissions before reading that S3 data.

How:

• In Lake Formation → Data lake locations → Register location
• Choose your S3 bucket (e.g., s3://company-data-lake/)
• Assign a “data lake administrator” who can manage permissions.

4️⃣ Use Lake Formation Access Controls

Now you can define who can see or query what data.

Examples:

• Allow the data science team to read only the sales table.
• Allow auditors to read only the transactions table, but hide the customer_email column.
• Allow marketing to query summary tables but not raw data.

Lake Formation integrates with:

• Amazon Athena
• Amazon Redshift Spectrum
• Amazon EMR
• AWS Glue

Each of these services checks Lake Formation permissions before accessing data.

🔒 Access Control Example

💡 Why this Architecture?

• ✅ Centralized data governance — fine-grained permissions, all permissions managed in Lake Formation.
• ✅ Unified analytics — combine RDS (structured data) and S3 (semi/unstructured data).
• ✅ Scalable & cost-effective — query with Athena or Redshift Spectrum directly on S3.
• ✅ Minimal coding — Glue handles schema discovery; Lake Formation handles permissions.

          ┌───────────────────────┐
          │ Amazon RDS (MySQL)    │
          │ Customer Data          │
          └──────────┬────────────┘
                     │ JDBC Connection (AWS Glue)
                     ▼
             ┌───────────────────────────┐
             │ AWS Glue Data Catalog      │
             │ Metadata for RDS + S3      │
             └──────────┬────────────────┘
                        │
                        ▼
             ┌───────────────────────────┐
             │ AWS Lake Formation         │
             │ - Unified Data Lake        │
             │ - Fine-grained access ctrl │
             └──────────┬────────────────┘
                        │
          ┌─────────────┴────────────────────┐
          │       Amazon Athena / BI Tools   │
          │     Query Across RDS + S3 Data   │
          └─────────────────────────────────┘