Which solution will meet these requirements with the LEAST operational overhead?
Copy the required data to a common account. Create an IAM access role in that account. Grant access by specifying a permission policy that includes users from the engineering team accounts as trusted entities.
Use the Lake Formation permissions Grant command in each account where the data is stored to allow the required engineering team users to access the data.
Use AWS Data Exchange to privately publish the required data to the required engineering team accounts.
Use Lake Formation tag-based access control to authorize and grant cross-account permissions for the required data to the engineering team accounts.
Explanations:
Copying data to a common account introduces unnecessary operational overhead for data management and duplication. This option also complicates permissions management and does not leverage Lake Formation’s capabilities.
Granting permissions in each account individually is cumbersome and leads to increased operational overhead. This method requires manual permission management across multiple accounts, making it less efficient for data sharing.
AWS Data Exchange is designed for sharing data with external parties and is not optimized for internal sharing across accounts within the same organization. It adds complexity and may not meet the requirement for secure internal sharing.
Lake Formation’s tag-based access control simplifies cross-account permissions by allowing centralized management of access policies based on tags. This minimizes operational overhead while providing secure, granular access to the data for the engineering team.
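The tag-based flow described above, as an added example that is not part of the original page: the producer account creates an LF-tag, attaches it to a database, and grants the engineering account permissions on everything matching the tag expression. It uses the boto3 `lakeformation` method names `create_lf_tag`, `add_lf_tags_to_resource` and `grant_permissions`; account IDs, the tag key/value and the database name are constructed, and `RecordingClient` is an offline stand-in for the real client.

```python
import re


def label_database(client, tag_key, tag_values, database_name):
    """Producer side: create the LF-tag and attach it to a database (tables inherit it)."""
    client.create_lf_tag(TagKey=tag_key, TagValues=list(tag_values))
    client.add_lf_tags_to_resource(
        Resource={"Database": {"Name": database_name}},
        LFTags=[{"TagKey": tag_key, "TagValues": list(tag_values)}],
    )


def share_by_tag(client, producer_account, consumer_account, tag_key, tag_value):
    """Producer side: grant the consumer account access to every database and table
    tagged tag_key=tag_value. This example grants at account granularity (12-digit ID);
    PermissionsWithGrantOption lets the consumer's data lake admin re-grant internally."""
    if not re.fullmatch(r"\d{12}", consumer_account):
        raise ValueError(f"expected a 12-digit account ID, got {consumer_account!r}")
    grants = []
    for resource_type, perms in (("DATABASE", ["DESCRIBE"]), ("TABLE", ["SELECT", "DESCRIBE"])):
        request = {
            "Principal": {"DataLakePrincipalIdentifier": consumer_account},
            "Resource": {"LFTagPolicy": {
                "CatalogId": producer_account,
                "ResourceType": resource_type,
                "Expression": [{"TagKey": tag_key, "TagValues": [tag_value]}],
            }},
            "Permissions": perms,
            "PermissionsWithGrantOption": perms,
        }
        client.grant_permissions(**request)
        grants.append(request)
    return grants


class RecordingClient:
    """Offline stand-in for boto3.client("lakeformation"); records every call made."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):
        return lambda **kw: self.calls.append((name, kw))


if __name__ == "__main__":
    lf = RecordingClient()  # swap for boto3.client("lakeformation") to run for real
    label_database(lf, "team", ["engineering"], "sales_db")  # constructed names
    share_by_tag(lf, "111111111111", "222222222222", "team", "engineering")
    print(lf.calls)
```

The grant goes to the consumer account, not to its individual users; the consumer's Lake Formation admin then creates resource links and grants its own engineers access, which is why no per-user work is needed in the producer account.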