
You are standardizing governance for multi‑account S3 data accessed by Databricks on AWS. Teams want central grants with column‑level rules and temporary credentials. What is the most aligned baseline?

🟡 Medium Conceptual Mid level
Times asked: 3
Last seen: May 2026
First seen: May 2026

💡 Model Answer

The baseline is to use bucket policies per team and store grants in a DynamoDB entitlements table. Create a bucket policy that grants each team’s IAM role read/write access to the relevant S3 prefixes. Store fine‑grained column‑level permissions in a DynamoDB table keyed by table name and column, mapping to the IAM role or Databricks group. When a user needs temporary access, generate a short‑lived IAM role via AWS STS that includes the bucket policy and a policy that references the DynamoDB table for column rules. Databricks can then use Unity Catalog or a custom catalog layer to enforce these column rules at query time. This approach centralizes access control, supports temporary credentials, and scales across multiple AWS accounts while keeping the policy logic in a single, queryable table.

This answer was generated by AI for study purposes. Use it as a starting point — personalize it with your own experience.
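
The entitlements lookup and temporary-credential scoping described in the model answer, as an added example that is not part of the original page: it builds the session policy that would be passed as `Policy` to `sts:AssumeRole` and applies the column rules in the query layer, since S3 authorizes whole objects and cannot filter columns. The role, table, bucket and prefix names, and the in-memory rows standing in for the DynamoDB table, are constructed assumptions.

```python
import json

# Constructed rows standing in for the DynamoDB entitlements table, keyed by
# (table, column) as in the answer above. All names here are hypothetical.
ENTITLEMENTS = {
    ("sales.orders", "order_id"): {"analytics-role", "finance-role"},
    ("sales.orders", "amount"): {"finance-role"},
    ("sales.orders", "customer_email"): set(),  # granted to nobody
}
# Assumed mapping from catalog table to its S3 bucket and prefix.
TABLE_LOCATIONS = {"sales.orders": ("example-data-lake", "sales/orders/")}
MAX_SESSION_POLICY_CHARS = 2048  # STS limit on an inline session policy


def allowed_columns(principal, table):
    """Columns of `table` that the entitlements rows grant to `principal`."""
    return sorted(col for (tbl, col), who in ENTITLEMENTS.items()
                  if tbl == table and principal in who)


def session_policy(principal, table, write=False):
    """Session policy for sts:AssumeRole; it can only narrow the role's rights."""
    if not allowed_columns(principal, table):
        raise PermissionError(f"{principal} has no grant on {table}")
    bucket, prefix = TABLE_LOCATIONS[table]
    actions = ["s3:GetObject"] + (["s3:PutObject"] if write else [])
    policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions,
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
    ]}
    if len(json.dumps(policy)) > MAX_SESSION_POLICY_CHARS:
        raise ValueError("session policy exceeds the STS size limit")
    return policy


def authorize_columns(principal, table, requested):
    """Query-layer check: fail closed if any requested column is not granted.

    S3 cannot do this; anyone holding s3:GetObject on the prefix reads every
    column in the files, so raw credentials must stay with the query engine.
    """
    denied = sorted(set(requested) - set(allowed_columns(principal, table)))
    if denied:
        raise PermissionError(f"{principal} denied columns {denied} on {table}")
    return list(requested)
```
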
