 [AWS::LakeFormation::BatchPrincipalPermissions] - [Missing Resource]

### Name of the resource

Other

### Resource name

AWS::LakeFormation::BatchPrincipalPermissions

### Description

 AWS Lake Formation provides `BatchGrantPermissions` and `BatchRevokePermissions` APIs that enable bulk permission operations and prevent `ConcurrentModificationException` errors that occur
  with individual permission grants. However, CloudFormation currently only supports individual permission operations through `AWS::LakeFormation::PrincipalPermissions`.

  This creates a significant limitation for production deployments where multiple Lake Formation permissions need to be granted simultaneously, as individual `GrantPermissions` calls can fail
  with concurrent modification exceptions.

  **Problem scenario**:
  When deploying Lake Formation permissions for 10+ users/groups, CloudFormation stacks fail with:
  ConcurrentModificationException: Permission update/Delete failed for Resource

  **AWS Service APIs that need CloudFormation support**:
  - [`BatchGrantPermissions`](https://docs.aws.amazon.com/lake-formation/latest/api/API_BatchGrantPermissions.html)
  - [`BatchRevokePermissions`](https://docs.aws.amazon.com/lake-formation/latest/api/API_BatchRevokePermissions.html)

  **Proposed CloudFormation resource**:
  `AWS::LakeFormation::BatchPrincipalPermissions` with properties:
  - `GrantEntries` (array of permission entries)
  - `RevokeEntries` (array of permission entries)

  **Current workaround limitations**:
  - Must use `AWS::CloudFormation::CustomResource` with Lambda functions
  - Increases deployment complexity and maintenance overhead
  - No native CloudFormation lifecycle management

  **Downstream impact**:
  - Enables AWS CDK to provide L2 constructs for reliable Lake Formation permission management
  - Related CDK feature request: [aws/aws-cdk#36215](https://github.com/aws/aws-cdk/issues/36215)

  **AWS Documentation references**:
  - [Troubleshooting ConcurrentModificationException](https://docs.aws.amazon.com/lake-formation/latest/dg/troubleshooting.html#troubleshooting-problem6)
  - AWS officially recommends using batch APIs to solve concurrent modification issues

  Describe the scope of your request

  **Category**: **(b) new resource type for an existing service is desired**

  **Service**: AWS Lake Formation (existing service with CloudFormation support)

  **Requested new resource type**: `AWS::LakeFormation::BatchPrincipalPermissions`

  **Scope**: Add CloudFormation resource type that maps to existing AWS Lake Formation batch permission APIs (`BatchGrantPermissions` and `BatchRevokePermissions`).

  **Justification**:
  - AWS Lake Formation service already provides these batch APIs
  - Current `AWS::LakeFormation::PrincipalPermissions` only supports individual operations
  - Batch operations are AWS-recommended solution for avoiding concurrent modification exceptions
  - No CloudFormation resource currently exists for bulk permission management


  This would enable reliable Lake Formation deployments at scale without custom resource workarounds.

### Other Details

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[AWS::LakeFormation::BatchPrincipalPermissions] - [Missing Resource] #2432

Name of the resource

Resource name

Description

Other Details

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[AWS::LakeFormation::BatchPrincipalPermissions] - [Missing Resource] #2432

Description

Name of the resource

Resource name

Description

Other Details

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions