Data Lake Zone Governance Config
YAML governance blueprint defining raw/curated/consumption zones, IAM access policies, retention, classification tags, and data quality enforcement. Adapt for Lake Formation or IaC deployment.
Data Lake · Advanced · YAML
Code preview (99 lines). Replace {{PLACEHOLDERS}} with your environment values, then deploy to your stack.
# =============================================================================
# DATA LAKE ZONE GOVERNANCE CONFIGURATION
# Plug in your AWS account, bucket, and team values. Use with Terraform,
# CloudFormation, or as a reference for Lake Formation / IAM policies.
# =============================================================================
account_id: "{{AWS_ACCOUNT_ID}}"     # e.g. "123456789012"
environment: "{{ENVIRONMENT}}"       # dev | staging | prod
data_domain: "{{DATA_DOMAIN}}"       # e.g. finance, product, marketing
owner_team: "{{OWNER_TEAM}}"         # e.g. data-platform
cost_center: "{{COST_CENTER}}"       # e.g. CC-1042

storage:
  bucket: "{{BUCKET_NAME}}"          # e.g. acme-data-lake-prod
  kms_key_arn: "{{KMS_KEY_ARN}}"     # customer-managed key used by every sse-kms zone below

zones:
  raw:
    prefix: "raw/{{DATA_DOMAIN}}/"
    retention_days: 365
    allow_write_roles:
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{INGESTION_ROLE}}"
    allow_read_roles:
      # raw may hold unmasked PII (pii_allowed: true), so reads stay with the platform admin role only
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{PLATFORM_ADMIN_ROLE}}"
    classification: internal
    pii_allowed: true
    encryption: sse-kms
  curated:
    prefix: "curated/{{DATA_DOMAIN}}/"
    retention_days: 730
    allow_write_roles:
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{ETL_ROLE}}"
    allow_read_roles:
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{ANALYTICS_ROLE}}"
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{ML_ROLE}}"
    classification: confidential
    pii_allowed: false               # must be masked/tokenized before landing
    encryption: sse-kms
    required_tags:
      - domain
      - owner
      - data_classification
  consumption:
    prefix: "consumption/{{DATA_DOMAIN}}/"
    retention_days: 365
    allow_write_roles:
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{DBT_ROLE}}"
    allow_read_roles:
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{BI_ROLE}}"
    classification: internal
    pii_allowed: false
    encryption: sse-kms              # every zone stays on the same customer-managed key; do not leave a zone without this key

catalog:
  database: "{{GLUE_DATABASE}}"      # e.g. acme_curated_prod
  table_naming_convention: "{zone}_{domain}_{entity}"
  required_metadata:
    - owner_email
    - description
    - grain
    - refresh_cadence
    - upstream_sources

access_policies:
  - name: domain_self_service_read
    effect: allow
    principals:
      # {{ANALYTICS_ROLE}} is listed as a curated reader above but this grant targets consumption/;
      # add it to consumption.allow_read_roles or retarget the resource so the zone table and the policy agree
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{ANALYTICS_ROLE}}"
    actions:
      - s3:GetObject                 # listing the prefix additionally needs s3:ListBucket on the bucket ARN, scoped by an s3:prefix condition
      - glue:GetTable
      - glue:GetPartitions
    resources:
      - "arn:aws:s3:::{{BUCKET_NAME}}/consumption/{{DATA_DOMAIN}}/*"
      # Glue table actions are authorized against the catalog, database and table ARNs together
      - "arn:aws:glue:{{AWS_REGION}}:{{AWS_ACCOUNT_ID}}:catalog"
      - "arn:aws:glue:{{AWS_REGION}}:{{AWS_ACCOUNT_ID}}:database/{{GLUE_DATABASE}}"
      - "arn:aws:glue:{{AWS_REGION}}:{{AWS_ACCOUNT_ID}}:table/{{GLUE_DATABASE}}/*"
  - name: deny_public_access
    effect: deny
    principals: ["*"]
# ... download full template for remaining code

About this template
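A governance document like the one above only protects the lake if something enforces it before deployment. The following policy-as-code validator is an added example and is not part of the template: it takes the parsed document as a dict and checks the invariants the YAML schema cannot express (every zone on SSE-KMS, PII confined to raw, only same-account role ARNs, no wildcard principal on an allow, every allow grant consistent with the target zone's allow_*_roles, and Glue table grants carrying the catalog and database ARNs they are authorized against). SAMPLE_CONFIG is a constructed copy of the preview with invented placeholder values; its deny policy body is constructed too, since the preview truncates it. Run against a real file, the same checks apply to the output of yaml.safe_load(). On the sample it reports the gaps a reviewer would spot in the preview: consumption without an encryption key, and {{ANALYTICS_ROLE}} granted consumption/ while only appearing as a curated reader.

```python
"""Policy-as-code checks for a data-lake zone governance document (added example)."""
import copy
import re
from typing import Any

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
# Constructed values standing in for the template's {{PLACEHOLDERS}}.
ACCOUNT, REGION, BUCKET, DB = "123456789012", "us-east-1", "acme-data-lake-prod", "acme_curated_prod"


def role(name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT}:role/{name}"


# Constructed sample mirroring the template preview, including its two gaps:
# consumption has no encryption key, and the analytics role is granted a zone it is not listed on.
SAMPLE_CONFIG: dict[str, Any] = {
    "account_id": ACCOUNT,
    "storage": {"bucket": BUCKET, "kms_key_arn": f"arn:aws:kms:{REGION}:{ACCOUNT}:key/constructed"},
    "zones": {
        "raw": {"prefix": "raw/finance/", "retention_days": 365, "pii_allowed": True,
                "encryption": "sse-kms", "allow_write_roles": [role("ingestion")],
                "allow_read_roles": [role("platform-admin")]},
        "curated": {"prefix": "curated/finance/", "retention_days": 730, "pii_allowed": False,
                    "encryption": "sse-kms", "allow_write_roles": [role("etl")],
                    "allow_read_roles": [role("analytics"), role("ml")]},
        "consumption": {"prefix": "consumption/finance/", "retention_days": 365, "pii_allowed": False,
                        "allow_write_roles": [role("dbt")], "allow_read_roles": [role("bi")]},
    },
    "access_policies": [
        {"name": "domain_self_service_read", "effect": "allow", "principals": [role("analytics")],
         "actions": ["s3:GetObject", "glue:GetTable", "glue:GetPartitions"],
         "resources": [f"arn:aws:s3:::{BUCKET}/consumption/finance/*",
                       f"arn:aws:glue:{REGION}:{ACCOUNT}:table/{DB}/*"]},
        # Body of the deny statement is constructed; the preview cuts off after principals.
        {"name": "deny_public_access", "effect": "deny", "principals": ["*"],
         "actions": ["s3:*"], "resources": [f"arn:aws:s3:::{BUCKET}/*"]},
    ],
}


def validate(config: dict[str, Any]) -> list[str]:
    """Return one finding per violated invariant; an empty list means the document is compliant."""
    findings: list[str] = []
    account, bucket, zones = config["account_id"], config["storage"]["bucket"], config["zones"]

    for name, zone in zones.items():
        if zone.get("encryption") != "sse-kms":
            findings.append(f"zone {name}: encryption must be sse-kms, got {zone.get('encryption')!r}")
        if zone.get("pii_allowed") and name != "raw":
            findings.append(f"zone {name}: pii_allowed is only permitted in raw")
        if zone.get("retention_days", 0) <= 0:
            findings.append(f"zone {name}: retention_days must be positive")
        for key in ("allow_write_roles", "allow_read_roles"):
            for arn in zone.get(key, []):
                m = ROLE_ARN.match(arn)
                if m is None or m.group(1) != account:  # malformed or cross-account principal
                    findings.append(f"zone {name}: {key} entry {arn} is not a role in account {account}")

    for pol in config.get("access_policies", []):
        pname, principals = pol["name"], pol.get("principals", [])
        if pol["effect"] == "allow" and "*" in principals:
            findings.append(f"policy {pname}: allow statements must not use a wildcard principal")
        for res in pol["resources"]:
            if not res.startswith("arn:aws:s3:::"):
                continue
            res_bucket, _, key = res[len("arn:aws:s3:::"):].partition("/")
            if res_bucket != bucket:
                findings.append(f"policy {pname}: resource {res} is outside bucket {bucket}")
                continue
            if pol["effect"] != "allow":
                continue  # deny statements may legitimately span the whole bucket
            zone = next((z for z in zones.values() if key.startswith(z["prefix"])), None)
            if zone is None:
                findings.append(f"policy {pname}: resource {res} matches no governed zone prefix")
                continue
            permitted = set(zone.get("allow_read_roles", [])) | set(zone.get("allow_write_roles", []))
            for p in principals:
                if p not in permitted:
                    findings.append(f"policy {pname}: {p} is not in allow_*_roles of zone {zone['prefix']}")
        glue = [r for r in pol["resources"] if r.startswith("arn:aws:glue:")]
        if glue and not (any(r.endswith(":catalog") for r in glue) and any(":database/" in r for r in glue)):
            findings.append(f"policy {pname}: Glue table grants also need the catalog and database ARNs")
    return findings


def remediated(config: dict[str, Any]) -> dict[str, Any]:
    """Apply, on a copy, the fixes the findings on SAMPLE_CONFIG call for."""
    fixed = copy.deepcopy(config)
    fixed["zones"]["consumption"]["encryption"] = "sse-kms"
    fixed["zones"]["consumption"]["allow_read_roles"].append(role("analytics"))
    fixed["access_policies"][0]["resources"] += [f"arn:aws:glue:{REGION}:{ACCOUNT}:catalog",
                                                  f"arn:aws:glue:{REGION}:{ACCOUNT}:database/{DB}"]
    return fixed


if __name__ == "__main__":
    for line in validate(SAMPLE_CONFIG):
        print("FINDING:", line)
    print("after remediation:", validate(remediated(SAMPLE_CONFIG)) or "compliant")
```

Wire validate() into the pipeline that renders the document into Terraform or Lake Formation grants and fail the run on any finding; the zone table is then the single source of truth and an access policy cannot drift away from it. The check on Glue resources matters in practice because glue:GetTable is evaluated against the catalog and database ARNs as well as the table ARN, so a policy listing only the table is denied at runtime rather than at review time.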
Tags: data lake, governance, iam, yaml, access control
Downloads: 52
Reviews: 0
Rating: none yet
Created: Jul 2, 2026
Updated: Jul 2, 2026