Amazon Security Lake and AWS Organizations
Amazon Security Lake centralizes security data from cloud, on-premises, and custom sources into a data lake that's stored in your account. By integrating with Organizations, you can create a data lake that collects logs and events across your accounts. For more information see Managing multiple accounts with AWS Organizations in the Amazon Security Lake user guide.
Use the following information to help you integrate Amazon Security Lake with AWS Organizations.
Service-linked roles created when you enable integration
The following service-linked role is automatically created in your organization's management account when you call the RegisterDataLakeDelegatedAdministrator API. This role allows Amazon Security Lake to perform supported operations within the accounts in your organization.
You can delete or modify this role only if you disable trusted access between Amazon Security Lake and Organizations, or if you remove the member account from the organization.
- AWSServiceRoleForSecurityLake
Recommendation: Use Security Lake's RegisterDataLakeDelegatedAdministrator API to allow Security Lake access to your organization and to register the Organizations delegated administrator.
If you use the Organizations APIs to register a delegated administrator, the service-linked roles that Security Lake needs in the organization might not be created successfully. To ensure full functionality, use the Security Lake APIs.
Service principals used by the service-linked roles
The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Amazon Security Lake grant access to the following service principals:
- securitylake.amazonaws.com
Enabling trusted access with Amazon Security Lake
When you enable trusted access with Security Lake, Security Lake can react automatically to changes in the organization membership. The delegated administrator can enable AWS logs collection from supported services in any organization account. For more information, see Service-linked role for Amazon Security Lake in the Amazon Security Lake user guide.
For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.
You can only enable trusted access using the Organizations tools.
You can enable trusted access by using the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.
Disabling trusted access with Amazon Security Lake
Only an administrator in the Organizations management account can disable trusted access with Amazon Security Lake.
You can only disable trusted access using the Organizations tools.
You can disable trusted access by using either the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.
Enabling a delegated administrator account for Amazon Security Lake
The Amazon Security Lake delegated administrator adds other accounts in the organization as member accounts. The delegated administrator can enable Amazon Security Lake and configure Amazon Security Lake settings for the member accounts. The delegated administrator can collect logs across an organization in all AWS Regions where Amazon Security Lake is enabled (regardless of which Regional endpoint you're currently using).
You can also set up the delegated administrator to automatically add new accounts in the organization as members. The Amazon Security Lake delegated administrator has access to the logs and events in associated member accounts. Accordingly, you can set up Amazon Security Lake to collect data owned by associated member accounts. You can also grant subscribers permission to consume data owned by associated member accounts.
For more information see Managing multiple accounts with AWS Organizations in the Amazon Security Lake user guide.
Minimum permissions
Only an administrator in the Organizations management account can configure a member account as a delegated administrator for Amazon Security Lake in the organization.
You can specify a delegated administrator account by using the Amazon Security Lake console, the Amazon Security Lake CreateDatalakeDelegatedAdmin API operation, or the create-datalake-delegated-admin CLI command. Alternatively, you can use the Organizations RegisterDelegatedAdministrator CLI or SDK operation. For instructions about enabling a delegated administrator account for Amazon Security Lake, see Designating the delegated Security Lake administrator and adding member accounts in the Amazon Security Lake user guide.
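The two checks a defender usually wants after wiring this up are that the AWSServiceRoleForSecurityLake trust policy still admits only securitylake.amazonaws.com (the service principal section above) and that trusted access is enabled with the intended account registered as the active delegated administrator (this section). The following is an added example, not code from the AWS documentation or the Security Lake service: it validates the decoded JSON you would get from `aws iam get-role`, `aws organizations list-aws-service-access-for-organization` and `aws organizations list-delegated-administrators --service-principal securitylake.amazonaws.com`. The sample documents and account IDs are constructed placeholders.

```python
import json

SL_PRINCIPAL = "securitylake.amazonaws.com"
SLR_NAME = "AWSServiceRoleForSecurityLake"


def check_slr_trust(get_role_output):
    """Findings for the service-linked role's trust policy (decoded `aws iam get-role` output).
    Any Allow statement whose principal is not Service=securitylake.amazonaws.com is flagged."""
    findings = []
    role = get_role_output["Role"]
    if role["RoleName"] != SLR_NAME:
        findings.append("unexpected role name: " + role["RoleName"])
    for stmt in role["AssumeRolePolicyDocument"].get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Wildcard, AWS-account or federated principals must never appear on an SLR trust policy.
        if principal == "*" or set(principal) != {"Service"}:
            findings.append("non-service principal in trust policy: " + json.dumps(principal))
            continue
        services = principal["Service"]
        for svc in ([services] if isinstance(services, str) else services):
            if svc != SL_PRINCIPAL:
                findings.append("unexpected service principal: " + svc)
    return findings


def check_delegated_admin(service_access_output, delegated_admins_output, expected_account_id):
    """Findings for trusted access and delegated-administrator registration."""
    findings = []
    enabled = {e["ServicePrincipal"] for e in service_access_output.get("EnabledServicePrincipals", [])}
    if SL_PRINCIPAL not in enabled:
        findings.append("trusted access for Security Lake is not enabled")
    admins = delegated_admins_output.get("DelegatedAdministrators", [])
    active = [a["Id"] for a in admins if a.get("Status") == "ACTIVE"]
    if expected_account_id not in active:
        findings.append("expected delegated administrator %s is not registered or not ACTIVE" % expected_account_id)
    return findings


# Constructed sample CLI outputs (not from a real account); account IDs are placeholders.
SAMPLE_ROLE = {"Role": {"RoleName": SLR_NAME, "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": SL_PRINCIPAL}, "Action": "sts:AssumeRole"}]}}}
SAMPLE_ACCESS = {"EnabledServicePrincipals": [{"ServicePrincipal": SL_PRINCIPAL}]}
SAMPLE_ADMINS = {"DelegatedAdministrators": [{"Id": "111111111111", "Status": "ACTIVE"}]}

if __name__ == "__main__":
    print(check_slr_trust(SAMPLE_ROLE), check_delegated_admin(SAMPLE_ACCESS, SAMPLE_ADMINS, "111111111111"))
```

Feed the real CLI outputs in with `json.load` and run both functions from a scheduled job; an empty findings list on each means the integration still looks the way this page describes.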
Disabling a delegated administrator for Amazon Security Lake
Only an administrator in either the Organizations management account or the Amazon Security Lake delegated administrator account can remove a delegated administrator account from the organization.
You can remove the delegated administrator account by using the Amazon Security Lake DeregisterDataLakeDelegatedAdministrator API operation, the deregister-data-lake-delegated-administrator CLI command, or by using the Organizations DeregisterDelegatedAdministrator CLI or SDK operation. To remove a delegated administrator using Amazon Security Lake, see Removing the Amazon Security Lake delegated administrator in the Amazon Security Lake user guide.