Disabling Security Lake
When you disable Amazon Security Lake, Security Lake stops collecting logs and events from your AWS sources. Existing Security Lake settings and the resources that were created in your AWS account are retained. In addition, the data that you stored in or published to other AWS services, such as sensitive data in AWS Lake Formation tables and AWS CloudTrail logs, remains available. Data that's stored in your Amazon Simple Storage Service (Amazon S3) bucket remains available in accordance with your Amazon S3 storage lifecycle.
Disabling Security Lake from the Settings page on the Security Lake console stops the collection of AWS logs and events in all AWS Regions in which Security Lake is currently enabled. You can use the Regions page on the console to stop log collection in specific Regions. The Security Lake API and AWS CLI also stop log collection in the Regions that you specify in your request.
If you use the integration with AWS Organizations and your account is part of an organization that centrally manages multiple Security Lake accounts, only the delegated Security Lake administrator can disable Security Lake for itself and for member accounts. However, leaving an organization stops log collection for a member account.
When you disable Security Lake for an organization, the delegated administrator designation is retained if you follow the disablement instructions provided on this page. You don't have to designate the delegated administrator again before you can re-enable Security Lake.
For custom sources, when deactivating Security Lake, you must disable each source outside of the Security Lake console. Failure to disable an integration will result in source integrations continuing to send logs into Amazon S3. Additionally, you must disable a subscriber integration or the subscriber will still be able to consume data from Security Lake. For details on how to remove the a custom source or a subscriber integration, see the respective provider's documentation.
Important
You must delete AWS Glue databases before you re-enable Security Lake to ensure querying works properly.
When Security Lake is re-enabled a new data lake Amazon S3 bucket is created and data is collected in this new S3 bucket. If you had previously deleted AWS Glue tables, a new set of AWS Glue tables are created.
All the data that was collected before disabling Security Lake will stay in the old Amazon S3 bucket. If you want to
query old data, you must move them to the new bucket using the Amazon S3 Sync
command. For more details, see the Sync command
This topic explains how to disable Security Lake by using the Security Lake console, Security Lake API, or AWS CLI.