Which AWS service provides governance and fine-grained access to data in a data lake?

Sharpen your skills for the AWS Certified Solutions Architect Professional Exam. Dive into flashcards and multiple-choice questions, each with detailed explanations and hints. Perfect your knowledge and get ready to ace the AWS exam!

Multiple Choice

Which AWS service provides governance and fine-grained access to data in a data lake?

Explanation:
Controlling who can access what data in a data lake with fine-grained permissions is the main idea. Lake Formation provides centralized governance for a data lake, letting you manage permissions directly on the data catalog objects (databases, tables, and even individual columns) and on the actual data locations in S3. It works with IAM for identities, but it enforces data-level access rules across the lake, so you can grant a role permission to SELECT from a specific table while restricting access to certain columns or rows, and you can apply masking or other data-protection rules. This makes it the best fit for governance and fine-grained access across the data lake, beyond what basic IAM permissions alone can offer. IAM controls who can call AWS services and access resources, KMS handles encryption keys, and Macie focuses on discovering and classifying sensitive data rather than controlling data-lake access.

