Enabling Security Lake using the console - Amazon Security Lake

Enabling Security Lake using the console

This tutorial explains how to enable and configure Security Lake through the AWS Management Console. As part of the AWS Management Console, the Security Lake console offers a streamlined process for getting started, and creates all necessary AWS Identity and Access Management (IAM) roles that you need to create your data lake.

Step 1: Configure sources

Security Lake collects log and event data from a variety of sources and across your AWS accounts and AWS Regions. Follow these instructions to identify which data you want Security Lake to collect. You can only use these instructions to add a natively supported AWS service as a source. For information about adding a custom source, see Collecting data from custom sources in Security Lake.

To configure log source collection
  1. Open the Security Lake console at https://console.aws.amazon.com/securitylake/.

  2. By using the AWS Region selector in the upper-right corner of the page, select a Region. You can enable Security Lake in the current Region and other Regions while onboarding.

  3. Choose Get started.

  4. For Select log and event sources, choose one of the following options:

    1. Ingest default AWS sources – When you choose the recommended option, CloudTrail - S3 data events isn't included for ingestion. This is because ingesting a high volume of CloudTrail - S3 data events can significantly increase your usage cost. To ingest this source, select the Ingest specific AWS sources option.

    2. Ingest specific AWS sources – With this option, you can select one or more log and event sources that you want to ingest.

    Note

    When you enable Security Lake in an account for the first time, all the selected log and event sources will be a part of a 15-day free trial period. For more information about usage statistics, see Reviewing usage and estimated costs.

  5. For Versions, choose the version of the data source from which you want to ingest log and event sources.

    Important

    If you don't have the required role permissions to enable the new version of the AWS log source in the specified Region, contact your Security Lake administrator. For more information, see Update role permissions.

  6. For Select Regions, choose whether to ingest log and event sources from all supported Regions or specific Regions. If you choose Specific Regions, select which Regions to ingest data from.

  7. For Service access, create a new IAM role or use an existing IAM role that gives Security Lake permission to collect data from your sources and add them to your data lake. One role is used across all Regions in which you enable Security Lake.

  8. Choose Next.

Step 2: Define storage settings and rollup Regions (optional)

You can specify the Amazon S3 storage class in which you want Security Lake to store your data and for how long. You can also specify a rollup Region to consolidate data from multiple Regions. These are optional steps. For more information, see Lifecycle management in Security Lake.

To configure storage and rollup settings
  1. If you want to consolidate data from multiple contributing Regions to a rollup Region, for Select rollup Regions, choose Add rollup Region. Specify the rollup Region and the Regions that will contribute to it. You can set up one or more rollup Regions.

  2. For Select storage classes, choose an Amazon S3 storage class. The default storage class is S3 Standard. Provide a retention period (in days) if you want the data to transition to another storage class after that time, and choose Add transition. After the retention period ends, the objects expire and Amazon S3 deletes them. For more information about Amazon S3 storage classes and retention, see Retention management.

  3. If you selected a rollup Region in the first step, for Service access, create a new IAM role or use an existing IAM role that gives Security Lake permission to replicate data across multiple Regions.

  4. Choose Next.

Step 3: Review and create data lake

Review the sources that Security Lake will collect data from, your rollup Regions, and your retention settings. Then, create your data lake.

To review and create the data lake
  1. While enabling Security Lake, review Log and event sources, Regions, Rollup Regions, and Storage classes.

  2. Choose Create.
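The console choices from Steps 1-3 map onto a single CreateDataLake request. The following added example (not code from the Security Lake documentation) assembles that request body from the same choices and rejects the combinations the walkthrough implies are invalid, such as a rollup Region without a replication role or a retention period that expires objects before their last storage-class transition. Field names follow the CreateDataLake API as assumed here (verify against the API reference); the role ARNs and Regions are constructed sample values.

```python
"""Build and sanity-check a Security Lake CreateDataLake request.

Added example, not code from the Security Lake documentation: it turns the
console choices from Steps 1-3 (Regions, a rollup Region with its contributing
Regions, storage-class transitions, retention, service-access roles) into the
request body and rejects combinations the walkthrough implies are invalid.
Field names follow the CreateDataLake API (verify them against the API
reference before use); ARNs and Regions are constructed sample values.
"""

# Constructed sample values, not real account resources.
META_STORE_ROLE = "arn:aws:iam::111122223333:role/ExampleSecurityLakeMetaStoreRole"
REPLICATION_ROLE = "arn:aws:iam::111122223333:role/ExampleSecurityLakeReplicationRole"


def lifecycle(transitions, expiration_days):
    """Step 2, item 2: `transitions` is a list of (days, storageClass) pairs;
    objects expire (are deleted by S3) once `expiration_days` have elapsed."""
    days = [d for d, _ in transitions]
    if days != sorted(set(days)):
        raise ValueError("transition days must be strictly increasing")
    if days and expiration_days <= days[-1]:
        raise ValueError("expiration must come after the last transition")
    return {
        "transitions": [{"days": d, "storageClass": sc} for d, sc in transitions],
        "expiration": {"days": expiration_days},
    }


def build_data_lake_request(regions, rollup, lifecycle_cfg, meta_store_role, replication_role=None):
    """`regions` are the Regions being enabled; `rollup` maps each rollup Region
    to the Regions that contribute to it (empty dict when no rollup is used)."""
    for rollup_region, contributors in rollup.items():
        if rollup_region in contributors:
            raise ValueError(f"{rollup_region} cannot contribute to itself")
        if rollup_region not in regions or not set(contributors) <= set(regions):
            raise ValueError("rollup and contributing Regions must be enabled Regions")
        if not replication_role:  # Step 2, item 3: replication needs its own role
            raise ValueError("a replication role is required when a rollup Region is set")
    configs = []
    for region in regions:
        cfg = {"region": region, "lifecycleConfiguration": lifecycle_cfg}
        # Replication is declared on the contributing Region and names its rollup Region(s).
        targets = [r for r, contributors in rollup.items() if region in contributors]
        if targets:
            cfg["replicationConfiguration"] = {"regions": targets, "roleArn": replication_role}
        configs.append(cfg)
    return {"configurations": configs, "metaStoreManagerRoleArn": meta_store_role}
```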

After creating your data lake, you will see the Summary page on the Security Lake console. This page provides an overview of the number of Regions and Rollup Regions, information about subscribers, and Issues.

The Issues menu shows you a summary of issues from the last 14 days that are impacting the Security Lake service or your Amazon S3 buckets. For additional details about each issue, you can go to the Issues page of the Security Lake console.

Step 4: View and query your own data

After creating your data lake, you can use Amazon Athena or similar services to view and query your data from AWS Lake Formation databases and tables. When you use the console, Security Lake automatically grants database view permissions to the role that you use to enable Security Lake. At a minimum, the role must have Data analyst permissions. For more information on permission levels, see Lake Formation personas and IAM permissions reference. For instructions on granting SELECT permissions, see Granting Data Catalog permissions using the named resource method in the AWS Lake Formation Developer Guide.

Step 5: Create subscribers

After creating your data lake, you can add subscribers to consume your data. Subscribers can consume data by directly accessing objects in your Amazon S3 buckets or by querying the data lake. For more information about subscribers, see Subscriber management in Security Lake.