Amazon S3 Tables provide S3 storage that’s optimized for analytics workloads, with features designed to continuously improve query performance and reduce storage costs for tables. S3 Tables deliver the cloud object store with built-in Apache Iceberg support and streamline storing tabular data at scale. When combined with Amazon Quick’s visualization capabilities and AWS Lake Formation’s centralized permission model, organizations can build secure, performant analytics solutions on their data lake architecture.
This post demonstrates how to establish secure access to S3 Tables through Amazon Quick, leveraging Lake Formation to manage permissions at the catalog, database, and table levels. There are multiple steps involved in setting access permissions for Quick users via Lake Formation, including obtaining user identities through their Amazon Resource Names (ARNs), granting permissions to both user and service identities, and configuring the necessary IAM policies to enable catalog discovery.
Prerequisites
Before beginning this tutorial, ensure you have the following:
- AWS account with Amazon Quick enabled
- S3 Table bucket created and integrated with AWS analytics services
- S3 Table namespace and at least one table created in S3 Tables
- Amazon Athena configured with a query result location in Amazon S3
- AWS CLI installed or access to AWS CloudShell
- Administrative access to AWS Lake Formation, AWS Identity and Access Management (IAM), and Amazon Quick consoles
- Lake Formation data lake settings configured with IAM access control turned OFF for the S3 Tables catalog (if “Use only IAM access control” is enabled, Lake Formation grants will not take effect)
Architecture Overview
The solution architecture involves three key AWS services working together. Amazon S3 Tables provides the storage layer with built-in Iceberg table format support. AWS Lake Formation manages permissions through a centralized governance model. Amazon Quick connects through Amazon Athena to query and visualize the data. The Quick service role and user identity both require Lake Formation grants to access the non-default S3 Tables catalog.
Figure-1: Architecture Diagram
Step 1: Obtain Your Quick User ARN
The Quick user ARN uniquely identifies your user account for permission management in Lake Formation. You can retrieve this ARN using either the AWS CLI or by constructing it manually from the Quick console.
Using AWS CLI:
- Open AWS CloudShell or your local terminal with configured AWS credentials
- Execute the following command, replacing the placeholders with your actual account ID, namespace, and region. The default value for namespace is “default”.
aws quicksight list-users --aws-account-id <account-id> --namespace <namespace> --region <region>
- The response returns a list of Quick users in your account. Locate your user entry and copy the ARN value, which follows this format:
arn:aws:quicksight:<region>:<account-id>:user/<namespace>/<username>
Figure-2: CloudShell Command Execution
Alternative Console Method:
- Navigate to the Quick console and click your user profile icon in the top right corner.
- Note your username and region displayed in the profile menu.
Figure-3: Using Amazon Quick Console for Obtaining Username and Region
- Construct the ARN manually using the format shown above, substituting your username, region, account ID, and namespace.
Save this ARN for use in the next step.
Step 2: Grant Lake Formation Permissions to Your Quick User
Now, you need to grant your Quick user access to the S3 Tables catalog, namespace, and tables.
- Navigate to the AWS Lake Formation console and select Data permissions from the left navigation menu. Click the Grant button to create a new permission entry.
- Configure the grant with the following settings:
  - Principals Section: Select the principal type that matches your Quick identity configuration and paste the Quick user ARN obtained in Step 1. For this post, we’re using SAML users and groups, which is common in enterprise deployments with federated identity providers. This setting identifies which user receives the permissions.
  - LF-Tags or Catalog Resources: Choose Named Data Catalog resources to grant permissions to specific catalog objects.
  - Catalog: Select your S3 Tables catalog from the dropdown. The catalog name follows the pattern `<account-id>:s3tablescatalog/<table-bucket-name>`. AWS automatically creates this non-default catalog when you set up S3 Tables, and it is distinct from the standard AWSDataCatalog.
  - Databases: Select the database corresponding to your table namespace. In S3 Tables, namespaces map to Glue Data Catalog databases.
  - Tables: Choose the specific table you want to access, or select All tables to grant access to all tables within the namespace.
Figure-4: Lake Formation Grant Settings
  - Table Permissions: Check the following permissions:
    - Select: Required for querying data from the table
    - Describe: Required for viewing table metadata and schema information
  - Leave Grantable permissions unchecked unless you need to delegate permission management to this user.
- Click Grant to apply the permissions. Lake Formation processes the grant and makes the permissions effective immediately.
Figure-5: Lake Formation Table and Data Permission Grant
Step 3: Grant Lake Formation Permissions to the Quick Service Role
Beyond user-level permissions, the Quick service role requires its own Lake Formation grants. This role performs operations on behalf of Quick users when accessing AWS resources.
- Return to the Data permissions page in Lake Formation and click Grant again to create another permission entry.
- Configure this grant similarly to Step 2, with one key difference in the Principals section:
  - Principals: Enter the Quick service role ARN instead of the user ARN. The service role typically follows this naming pattern. By default, Quick uses a role named `aws-quicksight-service-role-v0`. You can also define custom roles with required permissions.
  - Catalog, Databases, Tables, and Permissions: Configure these identically to Step 2, selecting the same S3 Tables catalog, namespace, table, and granting Select and Describe permissions.
Figure-6: Lake Formation Grant for Quick Sight Service Role
- Click Grant to apply the service role permissions.
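The grants from Steps 2 and 3, written as Lake Formation `GrantPermissions` request bodies, together with a least-privilege check over `list-permissions`-style entries. This is an added example, not code from the original post; the account ID, user name, `etl-admin` role and the `service-role/` path in the role ARN are constructed sample values, and `build_grant` and `audit` are hypothetical helper names.

```python
import json

ALLOWED = {"SELECT", "DESCRIBE"}  # the only table permissions the post grants

def build_grant(principal_arn, account_id, table_bucket, namespace, table):
    """Request body shaped like the Lake Formation GrantPermissions API input
    (usable with `aws lakeformation grant-permissions --cli-input-json`)."""
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": {"Table": {
            # Catalog pattern from Step 2: <account-id>:s3tablescatalog/<table-bucket-name>
            "CatalogId": f"{account_id}:s3tablescatalog/{table_bucket}",
            "DatabaseName": namespace,  # S3 Tables namespace maps to a Glue database
            "Name": table,
        }},
        "Permissions": sorted(ALLOWED),
        "PermissionsWithGrantOption": [],  # "Grantable permissions" left unchecked
    }

def audit(entries, expected_principals):
    """Return (principal, issue) pairs for S3 Tables grants that exceed Steps 2-3."""
    findings = []
    for e in entries:
        res = next(iter(e["Resource"].values()), {})
        if ":s3tablescatalog/" not in res.get("CatalogId", ""):
            continue  # grant is on some other catalog
        who = e["Principal"]["DataLakePrincipalIdentifier"]
        if who not in expected_principals:
            findings.append((who, "unexpected principal"))
        extra = sorted(set(e.get("Permissions", [])) - ALLOWED)
        if extra:
            findings.append((who, "extra permissions: " + ",".join(extra)))
        if e.get("PermissionsWithGrantOption"):
            findings.append((who, "grant option set"))
    return findings

# Constructed sample values (not from the post); role path is an assumption.
ACCOUNT, REGION = "111122223333", "us-east-1"
USER = f"arn:aws:quicksight:{REGION}:{ACCOUNT}:user/default/analyst1"
ROLE = f"arn:aws:iam::{ACCOUNT}:role/service-role/aws-quicksight-service-role-v0"
GRANTS = [build_grant(p, ACCOUNT, "my-analytics-bucket", "sales_data", "transactions")
          for p in (USER, ROLE)]
# Constructed over-privileged entry, as a review of list-permissions output might find.
ROGUE = build_grant(f"arn:aws:iam::{ACCOUNT}:role/etl-admin", ACCOUNT,
                    "my-analytics-bucket", "sales_data", "transactions")
ROGUE.update(Permissions=["ALL"], PermissionsWithGrantOption=["SELECT"])

if __name__ == "__main__":
    print(json.dumps(GRANTS, indent=2), audit(GRANTS + [ROGUE], {USER, ROLE}), sep="\n")
```

Running `audit` over the real output of `aws lakeformation list-permissions` after Step 3 should return an empty list if only the Quick user and service role hold Select and Describe on the S3 Tables catalog.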
Step 4: Add IAM Policy for S3 Tables Catalog Access
S3 Tables uses a non-default Glue catalog that requires an additional IAM permission beyond the Lake Formation grants. Without this permission, Quick cannot discover the S3 Tables catalog even with proper Lake Formation access.
- Navigate to the IAM console.
- Click Roles and locate the Quick service role identified in Step 3 (default value is `aws-quicksight-service-role-v0`).
- Click on the role name to view its details, then select the Permissions tab.
- Click Add permissions and choose Create inline policy. Switch to the JSON editor and paste the following policy statement.
- Replace `<region>` and `<account-id>` with your actual AWS region and account ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "glue:GetCatalog",
      "Resource": "arn:aws:glue:<region>:<account-id>:catalog/s3tablescatalog"
    }
  ]
}
```
- Name the policy descriptively, such as “S3TablesGlueCatalogAccess”
- Click Create policy to attach it to the service role.
This permission allows Quick to enumerate and access non-default Glue catalogs, which is essential for S3 Tables integration.
Step 5: Create a Quick Dataset Using Custom SQL
With permissions configured, you can now create a Quick dataset that queries your S3 Tables data. Because S3 Tables reside in a non-default catalog, you need to use custom SQL rather than the visual table browser, as of the time this article was written.
- Open the Quick console and navigate to Datasets in the left menu. From the Data sources tab, click Create data source to begin the creation process.
- Select Amazon Athena as your data source. Athena provides the query engine that reads data from S3 Tables. Provide a descriptive name and click Create data source.
Figure-7: Athena Data Source Creation in Amazon Quick
- Now navigate to the Datasets tab and click Create dataset. Select the Athena data source. On the dataset configuration page, select Use custom SQL rather than choosing tables from the browser. The table browser only displays tables from the default AWSDataCatalog and cannot access S3 Tables.
- In the custom SQL editor, enter a query using the fully qualified table name with the S3 Tables catalog path. The syntax requires double quotes around each component:
SELECT * FROM "s3tablescatalog/<table-bucket-name>"."<namespace>"."<table-name>"
- Replace the placeholders with your actual table bucket name, namespace, and table name. For example:
SELECT * FROM "s3tablescatalog/my-analytics-bucket"."sales_data"."transactions"
- You can also write more complex SQL queries with WHERE clauses, JOINs, and aggregations as needed for your analysis.
- Click Confirm query to execute the query.
- Click Edit/Preview data to display a preview of the data, showing the first several rows and all columns. Verify that the columns and data types appear correctly.
Figure-8: Custom SQL Query for S3-Table Dataset Creation
- With your data preview confirmed, the next step is to configure how Quick will store and query this data going forward:
  - Query Mode: Select SPICE for optimal performance. SPICE is Quick’s in-memory calculation engine that provides sub-second query response times. SPICE imports the data from S3 Tables and stores it in an optimized columnar format. Alternatively, select Direct query if you need real-time data access without importing, though this results in slower query performance.
  - Dataset Name: Provide a descriptive name that identifies the data source and purpose, such as “S3 Tables - Sales Transactions”.
- Click Save & publish to create the dataset. If you selected SPICE mode, Quick begins importing the data. The import time depends on the data volume, but typically completes within minutes for datasets under 1GB.
With your S3 Tables dataset now available in Amazon Quick, you can leverage it to create interactive visualizations, AI-powered dashboards, natural language Quick Sight Topics, custom Quick chat agents, automated workflows with Quick Flows, and organize everything within collaborative Quick spaces — transforming your data into an active intelligence platform for your organization.
Conclusion
This post demonstrated how to configure secure access to Amazon S3 Tables through Amazon Quick using AWS Lake Formation for centralized permission management. By following these steps, you established access controls, created datasets using custom SQL queries, and enabled your organization to build visualizations, dashboards, and agentic components on S3 Tables data using Amazon Quick.
Additional Resources
- Enable fine-grained permissions for Amazon Quick Sight authors in AWS Lake Formation
- Securely analyze your data with AWS Lake Formation and Amazon Quick
- Authorizing connections through AWS Lake Formation
Authors
Praney Mahajan is a Senior Technical Account Manager at AWS who partners with key enterprise customers as their strategic advisor. He is passionate about bridging technical solutions with business outcomes. He enjoys going on long drives with his family and playing cricket in his free time.
Rahul Sonawane is a Principal Specialty Solutions Architect – GenAI/ML and Analytics at Amazon Web Services.
Raj Balani is a Solutions Architect at Amazon Web Services. She enjoys exploring new cloud architectures and helping customers navigate their cloud journey with innovative solutions.










