AWS service integrations with Security Lake - Amazon Security Lake

Amazon Security Lake integrates with some other AWS services. A service can operate as a source integration, a subscriber integration, or both.

Source integrations have the following properties:

Subscriber integrations have the following properties:

  • Read source data from Security Lake at an HTTPS endpoint or Amazon Simple Queue Service (Amazon SQS) queue, or by directly querying source data from AWS Lake Formation

  • Able to read data in Apache Parquet format (Security Lake handles this automatically for Security Hub and other natively supported sources)

  • Able to read data in OCSF schema (Security Lake handles this automatically for Security Hub and other natively supported sources)
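One way a subscriber can handle the Amazon SQS notifications mentioned above, as an added example that is not code from this documentation or from AWS. It assumes the queue carries standard S3 event-notification JSON (keys URL-encoded) and that lake object keys follow the partition layout `aws|ext/<SOURCE>/<version>/region=.../accountId=.../eventDay=.../<file>.parquet`; bucket names, account IDs and keys in the sample are constructed.

```python
# Added example, not code from the Security Lake documentation: parse the S3
# object-created notifications a subscriber receives on its SQS queue and
# recover the partition metadata from each key. Assumed (not on this page):
# messages are standard S3 event-notification JSON with URL-encoded keys and
# keys follow <aws|ext>/<SOURCE>/<version>/region=../accountId=../eventDay=../<file>
import json
import re
from urllib.parse import unquote_plus

KEY_RE = re.compile(
    r"^(?P<kind>aws|ext)/(?P<source>[^/]+)/(?P<version>[^/]+)/"
    r"region=(?P<region>[^/]+)/accountId=(?P<account>\d{12})/"
    r"eventDay=(?P<event_day>\d{8})/(?P<file>[^/]+\.parquet)$"
)


def parse_notification(body):
    """Return one dict per new Parquet object announced in an SQS message body."""
    objects = []
    for rec in json.loads(body).get("Records", []):
        # Deletions and other non-create events are not data to read; skip them.
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        # S3 URL-encodes keys in notifications, so '=' arrives as '%3D'.
        key = unquote_plus(rec["s3"]["object"]["key"])
        match = KEY_RE.match(key)
        if match is None:
            continue  # not a lake partition path; never fetch it blindly
        objects.append({"bucket": rec["s3"]["bucket"]["name"], "key": key,
                        **match.groupdict()})
    return objects


def _record(event, key):
    # Helper to build constructed sample records (bucket name is made up).
    return {"eventName": event, "s3": {"bucket": {"name": "security-lake-example"},
                                       "object": {"key": key}}}


# Constructed sample message: one native Security Hub object, one custom
# (AppFabric) object, and one deletion that must be ignored.
SAMPLE_BODY = json.dumps({"Records": [
    _record("ObjectCreated:Put", "aws/SH_FINDINGS/1.0/region%3Dus-east-1/"
            "accountId%3D111122223333/eventDay%3D20240102/a.gz.parquet"),
    _record("ObjectCreated:Put", "ext/appfabric/1.0/region%3Dus-east-1/"
            "accountId%3D111122223333/eventDay%3D20240102/b.gz.parquet"),
    _record("ObjectRemoved:Delete", "aws/SH_FINDINGS/1.0/region%3Dus-east-1/"
            "accountId%3D111122223333/eventDay%3D20231201/c.gz.parquet"),
]})
```

Each returned dict carries the bucket, decoded key and the source, region, account and event day, which is enough to fetch the object and route it to the right OCSF event-class handler.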

The following section explains which AWS services Security Lake integrates with and how each integration works.

Integration with AWS AppFabric

Integration type: Source

AWS AppFabric is a no-code service that connects software as a service (SaaS) applications across your organization, so IT and security teams can manage and secure applications using a standard schema and central repository.

How Security Lake receives AppFabric findings

You can send AppFabric audit log data to Security Lake by selecting Amazon Kinesis Data Firehose as a destination and configuring Kinesis Data Firehose to deliver data in OCSF schema and Apache Parquet format to Security Lake.

Prerequisites

Before you can send AppFabric audit logs to Security Lake, you must output your OCSF normalized audit logs to a Kinesis Data Firehose stream. You can then configure Kinesis Data Firehose to send the output to your Security Lake Amazon S3 bucket. For more information, see Choose Amazon S3 for your destination in the Amazon Kinesis Developer Guide.

Send your AppFabric findings to Security Lake

To send AppFabric audit logs to Security Lake after completing the preceding prerequisite, you must enable both services and add AppFabric as a custom source in Security Lake. For instructions on adding a custom source, see Collecting data from custom sources.

Stop receiving AppFabric logs in Security Lake

To stop receiving AppFabric audit logs, you can use the Security Lake console, Security Lake API, or AWS CLI to delete AppFabric as a custom source. For instructions, see Deleting a custom source.

Integration with AWS Security Hub

Integration type: Source

AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you to analyze your security trends and identify the highest priority security issues.

When you integrate Amazon Security Lake and Security Hub, you receive Security Hub findings in Security Lake. Security Hub findings become a source that Security Lake subscribers can consume, helping you analyze your security posture.

How Security Lake receives Security Hub findings

In Security Hub, security issues are tracked as findings. Some findings come from issues that are detected by other AWS services or by third-party partners. Security Hub also has a set of rules called controls that it uses to detect security issues and generate findings.

All findings in Security Hub use a standard JSON format called the AWS Security Finding Format (ASFF).

Security Lake receives Security Hub findings and transforms them into the Open Cybersecurity Schema Framework (OCSF).

Prerequisites

When you enable Security Hub and add Security Hub findings as a source in Security Lake, Security Hub starts sending new findings and updates to existing findings to Security Lake.

If you want Security Hub to generate control findings and send them to Security Lake, you must enable the relevant security standards and turn on resource recording on a Regional basis in AWS Config. For more information, see Enabling and configuring AWS Config in the AWS Security Hub User Guide.

Send your Security Hub findings to Security Lake

To send Security Hub findings to Security Lake, you must enable both services and add Security Hub findings as a source in Security Lake. For instructions on adding an AWS source, see Adding an AWS service as a source.

Stop receiving Security Hub findings in Security Lake

To stop receiving Security Hub findings, you can use the Security Hub console, Security Hub API, or AWS CLI.

See Disabling and enabling the flow of findings from an integration (console) or Disabling the flow of findings from an integration (Security Hub API, AWS CLI) in the AWS Security Hub User Guide.