Security

The Atlan Lakehouse uses multiple layers of security controls to protect your data. Security operates at three levels: catalog access, data file protection, and user permissions.

What security layers protect Lakehouse?

Security operates at three levels: catalog access (the Iceberg REST Catalog is the single entry point for query engines and inherits your account's security policies), data file protection (encryption at rest and access logging in an Atlan-managed bucket dedicated to your tenant), and user permissions (the native access control of the client you connect). Each is described below.

How are data files protected?

All data files and Iceberg metadata files are stored in an Atlan-managed object storage bucket. Data is encrypted at rest using the object storage service's default encryption, and all access to files is logged and tracked.

The object storage service matches the Atlan tenant's cloud provider. For example, if the Atlan tenant is deployed in AWS, data files and Iceberg metadata files are stored in an Amazon S3 bucket in Atlan's AWS account. Each tenant has a dedicated object storage bucket.

How does catalog access work?

The catalog is the single entry point for engines to query the Lakehouse. Data warehouses and query engines interact with the catalog through the Iceberg REST Catalog API.

At query time, the catalog gives authorized users the locations of the data files needed to execute the query and temporary credentials to access the object storage locations where the files reside.
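As an added illustration, not code from Atlan's documentation or product: a defender-side check that inspects the catalog's load-table response and confirms the vended credentials are temporary and the file locations stay inside the tenant's dedicated bucket. The sample response, the bucket name, the one-hour lifetime policy and the expiry property name are constructed assumptions.

```python
import json

# Property names follow the Iceberg S3FileIO convention; the expiry key is an
# assumption and may differ between catalog implementations.
KEY_ACCESS = "s3.access-key-id"
KEY_SECRET = "s3.secret-access-key"
KEY_SESSION = "s3.session-token"
KEY_EXPIRES = "s3.session-token-expires-at-ms"
MAX_LIFETIME_MS = 60 * 60 * 1000  # assumed policy: vended credentials live at most one hour


def check_vended_credentials(load_table_json: str, expected_bucket: str, now_ms: int,
                             max_lifetime_ms: int = MAX_LIFETIME_MS) -> list[str]:
    """Return a list of findings for a LoadTableResult; an empty list means all checks pass."""
    result = json.loads(load_table_json)
    findings = []
    prefix = f"s3://{expected_bucket}/"
    # 1. Every location the catalog hands out must sit inside the tenant's dedicated bucket.
    for loc in (result.get("metadata-location", ""), result.get("metadata", {}).get("location", "")):
        if not loc.startswith(prefix):
            findings.append(f"location outside tenant bucket: {loc!r}")
    # 2. Credentials must be temporary: a session token must accompany the key pair.
    cfg = result.get("config", {})
    if KEY_ACCESS in cfg and KEY_SESSION not in cfg:
        findings.append("static access key vended without a session token")
    # 3. The credential must carry an expiry that is in the future and within the lifetime cap.
    expires = cfg.get(KEY_EXPIRES)
    if expires is None:
        findings.append("vended credential has no expiry")
    elif int(expires) <= now_ms:
        findings.append("vended credential already expired")
    elif int(expires) - now_ms > max_lifetime_ms:
        findings.append("vended credential lifetime exceeds policy")
    return findings


# Constructed sample responses; every value is a placeholder, not a real credential.
NOW_MS = 1_700_000_000_000
SAMPLE_OK = json.dumps({
    "metadata-location": "s3://tenant-bucket-example/warehouse/sales/orders/metadata/00003.metadata.json",
    "metadata": {"location": "s3://tenant-bucket-example/warehouse/sales/orders"},
    "config": {KEY_ACCESS: "ASIAPLACEHOLDER", KEY_SECRET: "placeholder-secret",
               KEY_SESSION: "placeholder-session-token", KEY_EXPIRES: str(NOW_MS + 45 * 60 * 1000)},
})
SAMPLE_STATIC = json.dumps({  # long-lived key pair with no session token and no expiry
    "metadata-location": "s3://tenant-bucket-example/warehouse/sales/orders/metadata/00003.metadata.json",
    "metadata": {"location": "s3://tenant-bucket-example/warehouse/sales/orders"},
    "config": {KEY_ACCESS: "AKIAPLACEHOLDER", KEY_SECRET: "placeholder-secret"},
})

if __name__ == "__main__":
    print(check_vended_credentials(SAMPLE_OK, "tenant-bucket-example", NOW_MS))      # []
    print(check_vended_credentials(SAMPLE_STATIC, "tenant-bucket-example", NOW_MS))  # two findings
```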

Do existing account security policies apply?

The catalog inherits your existing account security policies. If you have configured IP allowlists for your Atlan account, those same restrictions apply to catalog access.

How are user permissions managed?

Once you have connected your Iceberg REST-compatible client to the Lakehouse, you can use the client's native access control capabilities to control who can access the Lakehouse. For example, if you use Snowflake, you can use Snowflake Role-Based Access Control capabilities to control which users or roles can access the Lakehouse and its objects. This lets you manage Lakehouse permissions using the same access control systems you already use for your data warehouse.