Data Lake Zone Governance Config

YAML governance blueprint defining raw/curated/consumption zones, IAM access policies, retention, classification tags, and data quality enforcement. Adapt for Lake Formation or IaC deployment.


Replace {{PLACEHOLDERS}} with your environment values, then deploy to your stack.

# =============================================================================
# DATA LAKE ZONE GOVERNANCE CONFIGURATION
# Plug in your AWS account, bucket, and team values. Use with Terraform,
# CloudFormation, or as a reference for Lake Formation / IAM policies.
# =============================================================================

account_id: "{{AWS_ACCOUNT_ID}}"           # e.g. "123456789012"
environment: "{{ENVIRONMENT}}"             # dev | staging | prod
data_domain: "{{DATA_DOMAIN}}"             # e.g. finance, product, marketing
owner_team: "{{OWNER_TEAM}}"               # e.g. data-platform
cost_center: "{{COST_CENTER}}"             # e.g. CC-1042

storage:
  bucket: "{{BUCKET_NAME}}"                # e.g. acme-data-lake-prod
  kms_key_arn: "{{KMS_KEY_ARN}}"

zones:
  raw:
    prefix: "raw/{{DATA_DOMAIN}}/"
    retention_days: 365
    allow_write_roles:
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{INGESTION_ROLE}}"
    allow_read_roles:
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{PLATFORM_ADMIN_ROLE}}"
    classification: internal
    pii_allowed: true
    encryption: sse-kms

  curated:
    prefix: "curated/{{DATA_DOMAIN}}/"
    retention_days: 730
    allow_write_roles:
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{ETL_ROLE}}"
    allow_read_roles:
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{ANALYTICS_ROLE}}"
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{ML_ROLE}}"
    classification: confidential
    pii_allowed: false          # must be masked/tokenized before landing
    encryption: sse-kms
    required_tags:
      - domain
      - owner
      - data_classification

  consumption:
    prefix: "consumption/{{DATA_DOMAIN}}/"
    retention_days: 365
    allow_write_roles:
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{DBT_ROLE}}"
    allow_read_roles:
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{BI_ROLE}}"
    classification: internal
    pii_allowed: false
    encryption: sse-kms         # consistent with raw/curated; uses storage.kms_key_arn

catalog:
  database: "{{GLUE_DATABASE}}"            # e.g. acme_curated_prod
  table_naming_convention: "{zone}_{domain}_{entity}"
  required_metadata:
    - owner_email
    - description
    - grain
    - refresh_cadence
    - upstream_sources

access_policies:
  - name: domain_self_service_read
    effect: allow
    principals:
      - "arn:aws:iam::{{AWS_ACCOUNT_ID}}:role/{{ANALYTICS_ROLE}}"
    actions:
      - s3:GetObject
      - glue:GetTable
      - glue:GetPartitions
    resources:
      - "arn:aws:s3:::{{BUCKET_NAME}}/consumption/{{DATA_DOMAIN}}/*"
      - "arn:aws:glue:{{AWS_REGION}}:{{AWS_ACCOUNT_ID}}:table/{{GLUE_DATABASE}}/*"

  - name: deny_public_access
    effect: deny
    principals: ["*"]

// ... download full template for remaining code
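As an added example that is not part of this template, the stdlib-only Python lint below checks the invariants the zone definitions above imply: SSE-KMS on every zone, PII confined to the raw zone, zone prefixes matching zone names, every principal in the owning account, separate writer and reader roles, and an explicit deny_public_access policy. The sample dict is constructed for the example and mirrors what yaml.safe_load() returns for the governance file.

```python
# Added example (not part of the template): a lint pass enforcing the invariants
# the blueprint above implies. Stdlib only; in practice feed it the dict that
# yaml.safe_load() returns for the governance file.

# Constructed sample mirroring the blueprint; it deliberately contains a
# cross-account reader, an unencrypted consumption zone and no deny rule.
SAMPLE = {
    "account_id": "123456789012",
    "zones": {
        "raw": {"prefix": "raw/finance/", "classification": "internal",
                "pii_allowed": True, "encryption": "sse-kms",
                "allow_write_roles": ["arn:aws:iam::123456789012:role/ingest"],
                "allow_read_roles": ["arn:aws:iam::123456789012:role/admin"]},
        "curated": {"prefix": "curated/finance/", "classification": "confidential",
                    "pii_allowed": False, "encryption": "sse-kms",
                    "allow_write_roles": ["arn:aws:iam::123456789012:role/etl"],
                    "allow_read_roles": ["arn:aws:iam::999999999999:role/analytics"]},
        "consumption": {"prefix": "consumption/finance/", "classification": "internal",
                        "pii_allowed": False,
                        "allow_write_roles": ["arn:aws:iam::123456789012:role/dbt"],
                        "allow_read_roles": ["arn:aws:iam::123456789012:role/bi"]},
    },
    "access_policies": [{"name": "domain_self_service_read", "effect": "allow"}],
}

def lint(cfg: dict) -> list[str]:
    """Return one finding per violated governance invariant (empty = clean)."""
    findings = []
    own_prefix = f"arn:aws:iam::{cfg['account_id']}:"
    for name, zone in cfg["zones"].items():
        writers = zone.get("allow_write_roles", [])
        readers = zone.get("allow_read_roles", [])
        if zone.get("encryption") != "sse-kms":            # every zone must use the CMK
            findings.append(f"{name}: encryption must be sse-kms")
        if zone.get("pii_allowed") and name != "raw":      # PII may only land in raw
            findings.append(f"{name}: pii_allowed must be false outside raw")
        if not zone["prefix"].startswith(f"{name}/"):      # prefix must match the zone
            findings.append(f"{name}: prefix must start with '{name}/'")
        for role in writers + readers:                     # no cross-account principals
            if not role.startswith(own_prefix):
                findings.append(f"{name}: cross-account principal {role}")
        for role in writers:                               # keep writer/reader roles apart
            if role in readers:
                findings.append(f"{name}: {role} is both writer and reader")
    policies = {p["name"] for p in cfg.get("access_policies", [])}
    if "deny_public_access" not in policies:               # explicit public deny required
        findings.append("missing deny_public_access policy")
    return findings
```

Run it in CI against the rendered YAML and fail the deploy on a non-empty finding list.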


Created: Jul 2, 2026
Updated: Jul 2, 2026