AWS service integrations with Security Lake - Amazon Security Lake

AWS service integrations with Security Lake

Amazon Security Lake integrates with other AWS services. A service may either operate as a source integration, a subscriber integration, or both.

Source integrations have the following properties:

Subscriber integrations have the following properties: they can read source data from Security Lake at an HTTPS endpoint or Amazon Simple Queue Service (Amazon SQS) queue, or by directly querying source data from AWS Lake Formation.

The following section explains which AWS services Security Lake integrates with and how each integration works.

Integration with AWS AppFabric

Integration type: Source

AWS AppFabric is a no-code service that connects software as a service (SaaS) applications across your organization, so IT and security teams can manage and secure applications using a standard schema and central repository.

How Security Lake receives AppFabric findings

You can send AppFabric audit log data to Security Lake by selecting Amazon Kinesis Data Firehose as a destination and configuring Kinesis Data Firehose to deliver data in OCSF schema and Apache Parquet format to Security Lake.


Before you can send AppFabric audit logs to Security Lake, you must output your OCSF-normalized audit logs to a Kinesis Data Firehose stream. You can then configure Kinesis Data Firehose to send the output to your Security Lake Amazon S3 bucket. For more information, see Choose Amazon S3 for your destination in the Amazon Kinesis Developer Guide.

Send your AppFabric findings to Security Lake

To send AppFabric audit logs to Security Lake after completing the preceding prerequisite, you must enable both services and add AppFabric as a custom source in Security Lake. For instructions on adding a custom source, see Collecting data from custom sources.

Stop receiving AppFabric logs in Security Lake

To stop receiving AppFabric audit logs, you can use the Security Lake console, Security Lake API, or AWS CLI to delete AppFabric as a custom source. For instructions, see Deleting a custom source.

Integration with Amazon Detective

Integration type: Subscriber

Amazon Detective helps you analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Detective automatically collects log data from your AWS resources. It then uses machine learning, statistical analysis, and graph theory to generate visualizations that help you to conduct faster and more efficient security investigations. The Detective prebuilt data aggregations, summaries, and context help you to quickly analyze and determine the nature and extent of possible security issues.

When you integrate Security Lake and Detective, you can query the raw log data stored by Security Lake from Detective. For more information, see Integration with Amazon Security Lake.

Integration with Amazon OpenSearch Service

Integration type: Subscriber

Amazon OpenSearch Service is a managed service that makes it easy to deploy, operate, and scale OpenSearch Service clusters in the AWS Cloud. By using OpenSearch Service Ingestion to ingest data into your OpenSearch Service cluster, you can derive insights more quickly for time-sensitive security investigations. You can respond swiftly to security incidents, helping you protect your business-critical data and systems.

OpenSearch Service dashboard

After you integrate OpenSearch Service with Security Lake, you can configure Security Lake to send security data from different sources to OpenSearch Service through serverless OpenSearch Service Ingestion. For more information on how to configure OpenSearch Service Ingestion to process security data, see Generate security insights from Amazon Security Lake data using Amazon OpenSearch Service Ingestion.

After OpenSearch Service Ingestion starts writing your data into your OpenSearch Service domain, you can visualize the data using the pre-built dashboards. Navigate to dashboards and choose any one of the installed dashboards.

Integration with Amazon QuickSight

Integration type: Subscriber

Amazon QuickSight is a cloud-scale business intelligence (BI) service that you can use to deliver easy-to-understand insights to the people who you work with, wherever they are. Amazon QuickSight connects to your data in the cloud and combines data from many different sources. Amazon QuickSight gives decision-makers the opportunity to explore and interpret information in an interactive visual environment. They have secure access to dashboards from any device on your network and from mobile devices.

Amazon QuickSight dashboard

To visualize your Amazon Security Lake data in Amazon QuickSight, create the required AWS objects and deploy basic data sources, data sets, analysis, dashboards, and user groups to Amazon QuickSight with respect to Security Lake. For detailed instructions, see Integration with Amazon QuickSight.

Integration with Amazon SageMaker

Integration type: Subscriber

Amazon SageMaker is a fully managed machine learning (ML) service. With Security Lake, data scientists and developers can quickly and confidently build, train, and deploy ML models into a production-ready hosted environment. It provides a UI experience for running ML workflows that makes SageMaker ML tools available across multiple integrated development environments (IDEs).

SageMaker insights

You can generate machine learning insights for Security Lake using SageMaker Studio. SageMaker Studio is a web integrated development environment (IDE) for machine learning that provides tools for data scientists to prepare, build, train, and deploy machine learning models. With this solution, you can quickly deploy a base set of Python notebooks focusing on AWS Security Hub findings in Security Lake, which can also be expanded to incorporate other AWS sources or custom data sources in Security Lake. For more details, see Generate machine learning insights for Amazon Security Lake data using Amazon SageMaker.

Integration with Amazon Bedrock

Amazon Bedrock is a fully managed service that makes high-performing foundation models (FMs) from leading AI startups and Amazon available for your use through a unified API. With Amazon Bedrock's serverless experience, you can get started quickly, privately customize foundation models with your own data, and easily and securely integrate and deploy them into your applications using AWS tools without having to manage any infrastructure.

Generative AI

You can use the generative AI capabilities of Amazon Bedrock and natural language input in SageMaker Studio to analyze data in Security Lake and work towards reducing your organization’s risk and improving your security posture. You can reduce the amount of time needed to conduct an investigation by automatically identifying the appropriate data sources, generating and invoking SQL queries, and visualizing data from your investigation. For more details, see Generate AI powered insights for Amazon Security Lake using Amazon SageMaker Studio and Amazon Bedrock.

Integration with AWS Security Hub

Integration type: Source

AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you to analyze your security trends and identify the highest priority security issues.

When you enable Security Hub and add Security Hub findings as a source in Security Lake, Security Hub starts sending new findings and updates to existing findings to Security Lake.

How Security Lake receives Security Hub findings

In Security Hub, security issues are tracked as findings. Some findings come from issues that are detected by other AWS services or by third-party partners. Security Hub also generates its own findings by running automated and continuous security checks against rules. The rules are represented by security controls.

All findings in Security Hub use a standard JSON format called the AWS Security Finding Format (ASFF).

Security Lake receives Security Hub findings and transforms them into the Open Cybersecurity Schema Framework (OCSF).
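The following added example (not AWS code and not the transformation Security Lake itself runs) sketches what an ASFF-to-OCSF normalization involves, so you know which fields to expect when querying Security Hub findings in Security Lake. It assumes the OCSF Security Finding class (class_uid 2001) with OCSF 1.1-style field names; the field selection, the create/update heuristic, and the sample finding are constructed for illustration.

```python
from datetime import datetime

CLASS_UID = 2001  # OCSF Security Finding class (assumed target for this sketch)
# ASFF Severity.Label -> OCSF severity_id (0 is Unknown)
SEVERITY_ID = {"INFORMATIONAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}
REQUIRED = ("Id", "AwsAccountId", "CreatedAt", "UpdatedAt", "Title")

def to_epoch_ms(ts):
    """ASFF carries ISO 8601 strings; OCSF timestamps are epoch milliseconds."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp() * 1000)

def asff_to_ocsf(f):
    """Map one ASFF finding dict to a simplified OCSF Security Finding dict."""
    missing = [k for k in REQUIRED if k not in f]
    if missing:
        raise ValueError(f"ASFF finding is missing {missing}")
    label = f.get("Severity", {}).get("Label", "")
    # Heuristic of this sketch: identical timestamps mean a new finding (Create = 1),
    # anything else is an update to an existing finding (Update = 2).
    activity_id = 1 if f["CreatedAt"] == f["UpdatedAt"] else 2
    return {
        "class_uid": CLASS_UID,
        "category_uid": 2,  # Findings category
        "activity_id": activity_id,
        "type_uid": CLASS_UID * 100 + activity_id,
        "time": to_epoch_ms(f["UpdatedAt"]),
        "severity_id": SEVERITY_ID.get(label, 0),
        "severity": label.capitalize() if label in SEVERITY_ID else "Unknown",
        "cloud": {"provider": "AWS", "region": f.get("Region"),
                  "account": {"uid": f["AwsAccountId"]}},
        "finding": {"uid": f["Id"], "title": f["Title"], "desc": f.get("Description"),
                    "types": f.get("Types", []),
                    "created_time": to_epoch_ms(f["CreatedAt"]),
                    "modified_time": to_epoch_ms(f["UpdatedAt"])},
        "resources": [{"uid": r["Id"], "type": r.get("Type")}
                      for r in f.get("Resources", [])],
    }

# Constructed sample finding (placeholder account ID and ARNs, not real data)
SAMPLE_ASFF = {
    "Id": "arn:aws:securityhub:us-east-1:111122223333:finding/constructed-0001",
    "AwsAccountId": "111122223333", "Region": "us-east-1",
    "CreatedAt": "2024-01-15T09:00:00.000Z", "UpdatedAt": "2024-01-15T10:30:00.000Z",
    "Title": "Constructed example: bucket allows public read access",
    "Severity": {"Label": "HIGH"},
    "Types": ["Software and Configuration Checks/Industry and Regulatory Standards"],
    "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
}

if __name__ == "__main__":
    import json
    print(json.dumps(asff_to_ocsf(SAMPLE_ASFF), indent=2))
```

When you write detections against the normalized data, filter on severity_id and type_uid rather than on the ASFF label strings.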

Send your Security Hub findings to Security Lake

To send Security Hub findings to Security Lake, you must enable both services and add Security Hub findings as a source in Security Lake. For instructions on adding an AWS source, see Adding an AWS service as a source.

If you want Security Hub to generate control findings and send them to Security Lake, you must enable the relevant security standards and turn on resource recording on a Regional basis in AWS Config. For more information, see Enabling and configuring AWS Config in the AWS Security Hub User Guide.

Stop receiving Security Hub findings in Security Lake

To stop receiving Security Hub findings, you can use the Security Hub console, Security Hub API, or AWS CLI.

See Disabling and enabling the flow of findings from an integration (console) or Disabling the flow of findings from an integration (Security Hub API, AWS CLI) in the AWS Security Hub User Guide.