Study DEA-C01 Authorization, Least Privilege and Lake Formation: key concepts, common traps, and exam decision cues.
This lesson is about who is allowed to do what. DEA-C01 expects you to move beyond “just give broad access” and toward custom policies, role-based decisions, tag-based or attribute-based access, and data-lake authorization through Lake Formation.
Authorization: Decision about what an already identified principal is allowed to do.
Lake Formation grant: Permission model for governed data-lake resources such as databases, tables, and columns.
Least privilege: Grant only the actions and resources needed for the specific workload or user.
AWS wants you to separate:
DEA-C01 often hides the right answer behind “the user can already sign in.” The real question is usually which layer should grant the data access and how narrow that grant should be.

| Requirement | Strongest first fit | Why |
|---|---|---|
| managed policies are too broad for the workload | custom IAM policy | DEA-C01 expects narrower access when the requirement is specific |
| analytics access must be governed over lake resources | Lake Formation permissions | The control point is the governed data layer |
| access should be narrowed by role or attribute | least-privilege policy design | The requirement is selective authorization, not convenience |
| a principal needs AWS service access beyond the lake itself | IAM role and policy | IAM remains the base AWS permission layer |

| If the stem emphasizes… | Think first | Why this fits |
|---|---|---|
| baseline AWS service access | IAM roles and policies | IAM is still the base AWS permission layer |
| table, database, or column-level governed lake access | Lake Formation grants | The control point is the data lake itself |
| overly broad permissions that need narrowing | least-privilege policy design | The issue is scope reduction |
| a user can authenticate but should only query specific governed data | narrow IAM plus Lake Formation grants | Both layers matter |

```mermaid
flowchart LR
A["Principal"] --> B["IAM role or policy"]
B --> C{"Needs governed lake data?"}
C -->|Yes| D["Lake Formation grants"]
C -->|No| E["Other AWS service access"]
D --> F["Databases, tables, columns"]
```

The key thing to notice is that IAM and Lake Formation do different jobs. IAM can allow the principal into the AWS control plane, while Lake Formation can further govern which data resources are actually visible and usable.

| Question | IAM | Lake Formation |
|---|---|---|
| Main job | AWS identity and baseline permission control | fine-grained governance over data-lake resources |
| Strongest first when | the principal needs AWS service permissions broadly | the requirement is about databases, tables, columns, or governed sharing |
| Common trap | giving broad IAM and assuming governance is done | assuming Lake Formation replaces every other IAM decision |

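Added example (Python, not from the DEA-C01 material): the “managed policy is close but still too broad” case beside a narrowed custom policy, a small check that flags wildcard actions, and the `boto3` `lakeformation.grant_permissions()` input for a column-scoped Lake Formation SELECT, which is the layered pattern the table above describes. Account IDs, ARNs, database and table names are constructed sample values.

```python
# Added illustration, not DEA-C01 material; account IDs, ARNs, database and
# table names below are constructed sample values.

# Constructed: a "close enough" managed-style policy that is still too broad.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed: narrow custom policy for an Athena analyst. The data decision is
# left to Lake Formation; lakeformation:GetDataAccess (the IAM action a query
# engine needs for governed credentials) is not resource-scoped, hence its "*".
NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["athena:StartQueryExecution", "athena:GetQueryExecution",
                    "athena:GetQueryResults"],
         "Resource": "arn:aws:athena:us-east-1:123456789012:workgroup/analysts"},
        {"Effect": "Allow", "Action": ["glue:GetDatabase", "glue:GetTable"],
         "Resource": ["arn:aws:glue:us-east-1:123456789012:catalog",
                      "arn:aws:glue:us-east-1:123456789012:database/sales",
                      "arn:aws:glue:us-east-1:123456789012:table/sales/orders"]},
        {"Effect": "Allow", "Action": "lakeformation:GetDataAccess", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_broad_statements(policy):
    """Return (index, wildcard_actions, unscoped) for each Allow statement whose
    actions use a wildcard; unscoped marks the admin-like Resource "*" case."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(stmt.get("Action", [])) if a.endswith("*")]
        if wild:
            findings.append((index, wild, "*" in _as_list(stmt.get("Resource", []))))
    return findings

def lake_formation_select_grant(principal_arn, database, table, columns):
    """Keyword arguments for boto3 lakeformation.grant_permissions(): SELECT on
    only the listed columns (TableWithColumns), with no grant option."""
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": {"TableWithColumns": {"DatabaseName": database, "Name": table,
                                          "ColumnNames": list(columns)}},
        "Permissions": ["SELECT"],
        "PermissionsWithGrantOption": [],
    }
```

The IAM side only lets the analyst reach Athena and the catalog; which rows and columns are readable is decided by the Lake Formation grant, so widening the IAM policy would not by itself expose more data.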
When authorization answers overlap, use this order:

| Bad pattern | Stronger DEA-C01 reading |
|---|---|
| grant admin because it is faster | write a narrower policy or grant only the required scope |
| give table-wide access when only a subset is needed | scope the permission as tightly as the requirement allows |
| assume one analytics team needs the same access as another | treat access by role, purpose, and data boundary |
| let governance lag behind delivery speed | build authorization into the platform path itself |

| Situation | Stronger first answer |
|---|---|
| managed policies are close but still too broad | custom IAM policy |
| user can access AWS but should only query governed lake resources | Lake Formation grants layered on narrow IAM |
| the requirement is for fine-grained data sharing | Lake Formation, not only bucket-level thinking |
| a team asks for admin because it is simpler | least-privilege narrowing instead |

| Trap | Better reading |
|---|---|
| “Managed policy is close enough.” | If it is still too broad, a custom policy is usually the stronger answer. |
| “IAM already allowed the role, so the data is governed.” | DEA-C01 often expects an extra data-governance control such as Lake Formation. |
| “Lake Formation is just another storage bucket setting.” | It is a governance and authorization layer for the data lake. |
| “Least privilege means inconvenience.” | On the exam, least privilege is usually the secure default, not an edge-case burden. |

A data engineering team can already authenticate into AWS, but analysts should only query specific governed datasets and should not receive broad lake-wide access. What is the strongest reading first?
Correct answer: B. DEA-C01 expects layered authorization, where IAM stays narrow and Lake Formation grants govern access to the actual lake resources.