CreateSubscriber - Amazon Security Lake


Creates a subscription permission for accounts that are already enabled in Amazon Security Lake. You can create a subscriber with access to data in the current AWS Region.

Request Syntax

POST /v1/subscribers HTTP/1.1
Content-type: application/json

{
   "accessTypes": [ "string" ],
   "accountId": "string",
   "externalId": "string",
   "sourceTypes": [
      {
         "awsSourceType": "string",
         "customSourceType": "string"
      }
   ],
   "subscriberDescription": "string",
   "subscriberName": "string"
}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.


accessTypes

The Amazon S3 or AWS Lake Formation access type.

Type: Array of strings

Valid Values: LAKEFORMATION | S3

Required: No


accountId

The AWS account ID used to access your data.

Type: String

Length Constraints: Fixed length of 12.

Pattern: ^\d+$

Required: Yes


externalId

The external ID of the subscriber. This lets the user that is assuming the role assert the circumstances in which they are operating. It also provides a way for the account owner to permit the role to be assumed only under specific circumstances.

Type: String

Pattern: ^[\\\w\-_:/.@=+]*$

Required: Yes


sourceTypes

The supported AWS services from which logs and events are collected. Security Lake supports log and event collection for natively supported AWS services.

Type: Array of SourceType objects

Required: Yes


subscriberDescription

The description for your subscriber account in Security Lake.

Type: String

Pattern: ^[\\\w\-_:/.@=+]*$

Required: No


subscriberName

The name of your Security Lake subscriber account.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 64.

Required: Yes
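The constraints listed above can be checked before the request is sent. The following pre-flight validator is an added example, not part of the AWS documentation or SDKs; the function name, the sample values, the use of re.ASCII and the rejection of an empty externalId are assumptions of this example.

```python
import re

# Constraints transcribed from the Request Body section above. re.ASCII is an
# assumption of this example: it stops \d and \w matching non-ASCII characters.
ACCOUNT_ID = re.compile(r"^\d+$", re.ASCII)
TEXT = re.compile(r"^[\\\w\-_:/.@=+]*$", re.ASCII)  # externalId, subscriberDescription
ACCESS_TYPES = {"LAKEFORMATION", "S3"}
SOURCE_KEYS = {"awsSourceType", "customSourceType"}
REQUIRED = ("accountId", "externalId", "sourceTypes", "subscriberName")


def validate_create_subscriber(body):
    """Return a list of violations; an empty list means the body conforms."""
    errs = [f"{k}: required" for k in REQUIRED if k not in body]
    acct = body.get("accountId")
    # fullmatch (not match) so a trailing newline cannot slip past the $ anchor.
    if acct is not None and not (isinstance(acct, str) and len(acct) == 12
                                 and ACCOUNT_ID.fullmatch(acct)):
        errs.append("accountId: must be exactly 12 digits")
    for key in ("externalId", "subscriberDescription"):
        val = body.get(key)
        if val is not None and not (isinstance(val, str) and TEXT.fullmatch(val)):
            errs.append(f"{key}: does not match the documented pattern")
    # Local policy, stricter than the page: the pattern accepts "", but the
    # parameter is required and an empty value asserts nothing.
    if body.get("externalId") == "":
        errs.append("externalId: empty")
    name = body.get("subscriberName")
    if name is not None and not (isinstance(name, str) and len(name) <= 64):
        errs.append("subscriberName: must be a string of at most 64 characters")
    bad = set(body.get("accessTypes", [])) - ACCESS_TYPES
    if bad:
        errs.append(f"accessTypes: invalid values {sorted(bad)}")
    sources = body.get("sourceTypes")
    if sources is not None and not (isinstance(sources, list) and all(
            isinstance(s, dict) and s and set(s) <= SOURCE_KEYS for s in sources)):
        errs.append("sourceTypes: must be a list of SourceType objects")
    return errs


# Constructed sample input (every value is made up for this example).
GOOD = {"accountId": "111122223333", "externalId": "siem-prod/2024",
        "subscriberName": "siem-reader", "accessTypes": ["S3"],
        "sourceTypes": [{"customSourceType": "example-custom-source"}]}
# Hyphenated account ID, empty external ID, a space in the description
# (the pattern has no whitespace), and a lower-case access type.
BAD = dict(GOOD, accountId="1111-2222-33", externalId="",
           subscriberDescription="SIEM reader", accessTypes=["s3"])
```

Calling validate_create_subscriber(BAD) reports four violations, including the description: the documented pattern does not admit spaces.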

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "roleArn": "string",
   "s3BucketArn": "string",
   "snsArn": "string",
   "subscriptionId": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


roleArn

The Amazon Resource Name (ARN) created by you to provide to the subscriber. For more information about ARNs and how to use them in policies, see the Amazon Security Lake User Guide.

Type: String

Pattern: ^arn:.*


s3BucketArn

The ARN for the Amazon S3 bucket.

Type: String


snsArn

The ARN for the Amazon Simple Notification Service.

Type: String


subscriptionId

The subscriptionId created by the CreateSubscriber API call.

Type: String

Pattern: [a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}


Errors

For information about the errors that are common to all actions, see Common Errors.


You do not have sufficient access to perform this action. Access denied errors appear when Amazon Security Lake explicitly or implicitly denies an authorization request. An explicit denial occurs when a policy contains a Deny statement for the specific AWS action. An implicit denial occurs when there is no applicable Deny statement and also no applicable Allow statement.

HTTP Status Code: 403


Amazon Security Lake cannot find an AWS account with the accountID that you specified, or the account whose credentials you used to make this request isn't a member of an organization.

HTTP Status Code: 403


Amazon Security Lake generally returns 404 errors if the requested object is missing from the bucket.

HTTP Status Code: 409


A conflicting subscription exception operation is in progress.

HTTP Status Code: 400


Internal service exceptions are sometimes caused by transient issues. Before you start troubleshooting, perform the operation again.

HTTP Status Code: 500


The request was rejected because a value that's not valid or is out of range was supplied for an input parameter.

HTTP Status Code: 400


The resource could not be found.

HTTP Status Code: 404


Your signing certificate could not be validated.

HTTP Status Code: 400
