Getting started - Amazon Security Lake

Getting started

This section explains how to enable and start using Amazon Security Lake.

Step 1: Initial AWS account setup

Sign up for an AWS account

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account
  1. Open https://portal.aws.amazon.com/billing/signup.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

    When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to an administrative user, and use the root user only for tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

Create an administrative user

After you sign up for an AWS account, create an administrative user so that you don't use the root user for everyday tasks.

Secure your AWS account root user
  1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.

  2. Turn on multi-factor authentication (MFA) for your root user.

    For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

Create an administrative user
  • For your daily administrative tasks, grant administrative access to an administrative user in AWS IAM Identity Center (successor to AWS Single Sign-On).

    For instructions, see Getting started in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.

Sign in as the administrative user
  • To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

    For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.

Step 2: Complete other prerequisites

After you sign up for AWS, you can activate Security Lake for your account and create your data lake.

Here are prerequisites to complete before you start using Security Lake:

Identify the account that you'll use to enable Security Lake

Security Lake integrates with AWS Organizations to manage log collection across multiple accounts in an organization. If you want to use Security Lake for an organization, you must use your Organizations management account to designate a delegated Security Lake administrator. Then, you must use the credentials of the delegated administrator to enable Security Lake, add member accounts, and enable Security Lake for them. For more information, see Managing multiple accounts with AWS Organizations.

Alternatively, you can use Security Lake without the Organizations integration for a standalone account that's not part of an organization.

Install the AWS CLI (optional)

To access Security Lake through the AWS Command Line Interface (AWS CLI), you need to install the latest version of the AWS CLI on a supported operating system. For instructions, see Installing or updating the latest version of the AWS CLI in the AWS Command Line Interface User Guide.

Create necessary IAM roles

Important

If you plan to use the Security Lake console, you can skip this step and proceed to Step 3: Enable Amazon Security Lake. The Security Lake console offers a streamlined process for getting started, and creates all necessary IAM roles or uses existing roles on your behalf.

If you plan to use API or AWS CLI to access Security Lake, continue with this step to create the necessary IAM roles manually.

If you're using the Security Lake API or AWS CLI, create a role called AmazonSecurityLakeMetaStoreManager in AWS Identity and Access Management (IAM). The role must carry this name and is necessary for Security Lake to support extract, transform, and load (ETL) jobs on raw log and event data that it receives from sources. Without creating and assuming this role, you can't create your data lake or query data from Security Lake. One role can be used across Regions—there is no need to create a separate role for each Region.

Attach the following policy to your AmazonSecurityLakeMetaStoreManager role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowWriteLambdaLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:{{accountId}}:log-group:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
      ]
    },
    {
      "Sid": "AllowCreateAwsCloudWatchLogGroup",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:{{accountId}}:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
      ]
    },
    {
      "Sid": "AllowGlueManage",
      "Effect": "Allow",
      "Action": [
        "glue:CreatePartition",
        "glue:BatchCreatePartition"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
        "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
        "arn:aws:glue:*:*:catalog"
      ]
    },
    {
      "Sid": "AllowToReadFromSqs",
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": [
        "arn:aws:sqs:*:{{accountId}}:SecurityLake*"
      ]
    }
  ]
}

Attach the following trust policy to the role to permit the partition updater Lambda function to assume the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambda",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create additional roles in IAM if you'll be taking one or more of these actions (choose the links to see more information about IAM roles for each action):

Step 3: Enable Amazon Security Lake

Before enabling Security Lake, consider the following:

  • Security Lake provides cross-Region management features, which means you can create your data lake and configure log collection across AWS Regions. To enable Security Lake in all supported Regions, you can choose any supported Regional endpoint. You can also add rollup Regions to aggregate data from multiple Regions into a single Region.

  • We recommend activating Security Lake in all of the supported AWS Regions. If you do this, Security Lake can collect data that's connected to unauthorized or unusual activity even in Regions that you aren't actively using. If Security Lake is not activated in all supported Regions, its ability to collect data from other services that you use in multiple Regions is reduced.

  • When you enable Security Lake for the first time in any Region, it creates a service-linked role for your account called AWSServiceRoleForSecurityLake. This role includes the permissions to call other AWS services on your behalf and operate the security data lake. For more information about how service-linked roles work, see Using service-linked roles in the IAM User Guide. If you enable Security Lake as the delegated Security Lake administrator, Security Lake creates the service-linked role in each member account in the organization.

After you complete the prerequisites, select your preferred method of access and enable Security Lake by following these instructions.

Console
  1. Open the Security Lake console at https://console.aws.amazon.com/securitylake/.

  2. By using the AWS Region selector in the upper-right corner of the page, select a Region. You can enable Security Lake in the current Region and other Regions while onboarding.

  3. Choose Get started.

  4. Complete all of the getting started steps in the console as described in the following sections.

API

To enable Security Lake programmatically, use the CreateDataLake operation of the Security Lake API. In your request, use the region field of the configurations object to specify the Region code for the Region in which to enable Security Lake. For example, specify us-east-1 for the US East (N. Virginia) Region or ap-northeast-1 for the Asia Pacific (Tokyo) Region. For a list of Region codes, see Amazon Security Lake endpoints in the AWS General Reference.

Note

If you've already enabled Security Lake and want to update the configuration settings for a Region or source, use the UpdateDataLake operation, not the CreateDataLake operation.

AWS CLI

To enable Security Lake by using the AWS Command Line Interface (AWS CLI), run the create-data-lake command. When you run the command, use the region parameter of the configurations object to specify the Region code for the Region in which to enable Security Lake. For example, specify us-east-1 for the US East (N. Virginia) Region or ap-northeast-1 for the Asia Pacific (Tokyo) Region. For a list of Region codes, see Amazon Security Lake endpoints in the AWS General Reference.

Note

If you've already enabled Security Lake and want to update the configuration settings for a Region or source, run the update-data-lake command, not the create-data-lake command.

Step 4: Define collection objective (sources)

Security Lake collects log and event data from a variety of sources and across your AWS accounts and Regions. Follow these instructions to identify which data you want Security Lake to collect. You can only use these instructions to add a natively supported AWS service as a source. For information about adding a custom source, see Collecting data from custom sources.

Console
  1. For Select log and event sources, choose whether to ingest all log and event sources or specific sources. If you choose Specific log and event sources, select which sources to ingest in Security Lake.

  2. For Select Regions, choose whether to ingest log and event sources from all supported Regions or specific Regions. If you choose Specific Regions, select which Regions to ingest data from.

  3. For Service access, create a new IAM role or use an existing IAM role that gives Security Lake permission to collect data from your sources and add them to your data lake. One role is used across all Regions in which you enable Security Lake.

  4. Choose Next.

API

To define one or more collection sources programmatically, use the CreateAwsLogSource operation of the Security Lake API. For each source, specify a Regionally unique value for the sourceName parameter. Optionally use additional parameters to limit the scope of the source to specific accounts (accounts) or a specific version (sourceVersion).

Note

If you don't include an optional parameter in your request, Security Lake applies your request to all accounts or all versions of the specified source, depending on the parameter that you exclude. For example, if you're the delegated Security Lake administrator for an organization and you exclude the accounts parameter, Security Lake applies your request to all the accounts in your organization. Similarly, if you exclude the sourceVersion parameter, Security Lake applies your request to all versions of the specified source.

If your request specifies a Region in which you haven't enabled Security Lake, an error occurs. To address this error, ensure that the regions array specifies only those Regions in which you've enabled Security Lake. Alternatively, you can enable Security Lake in the Region, and then submit your request again.

AWS CLI

To define one or more collection sources by using the AWS Command Line Interface (AWS CLI), run the create-aws-log-source command. For each source, specify a Regionally unique value for the sourceName parameter. Optionally use additional parameters to limit the scope of the source to specific accounts (accounts) or a specific version (sourceVersion).

Note

If you don't include an optional parameter for the create-aws-log-source command, Security Lake applies your request to all accounts or all versions of the specified source, depending on the parameter that you exclude. For example, if you're the delegated Security Lake administrator for an organization and you exclude the accounts parameter, Security Lake applies your request to all the accounts in your organization. Similarly, if you exclude the sourceVersion parameter, Security Lake applies your request to all versions of the specified source.

If your request specifies a Region in which you haven't enabled Security Lake, an error occurs. To address this error, ensure that the regions list specifies only those Regions in which you've enabled Security Lake. Alternatively, you can enable Security Lake in the Region, and then submit your request again.
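The following is an added example (not AWS's own code) that builds one entry for the create-aws-log-source request described in the API and AWS CLI sections above and applies the two rules from the notes client-side: a Region where Security Lake is not enabled is rejected before the call, and omitted accounts or sourceVersion values are left out so the service applies the request to all accounts or all versions. The Region set, account ID and the boto3 call at the bottom are constructed sample values.

```python
"""Build and sanity-check a create-aws-log-source request before sending it.

Mirrors the documented behaviour: unenabled Regions are an error, and an
omitted accounts / sourceVersion means "all accounts" / "all versions".
"""
from __future__ import annotations


class RegionNotEnabledError(ValueError):
    """A requested Region is not one where Security Lake is enabled."""


def build_aws_log_source(
    source_name: str,
    regions: list[str],
    enabled_regions: set[str],
    accounts: list[str] | None = None,
    source_version: str | None = None,
) -> dict:
    """Return one entry for the `sources` list of create-aws-log-source."""
    missing = sorted(set(regions) - enabled_regions)
    if missing:
        raise RegionNotEnabledError(
            f"Security Lake is not enabled in {missing}; enable it there "
            "or drop those Regions from the request")
    entry: dict = {"sourceName": source_name, "regions": list(regions)}
    # Omitted keys are not sent, so the service applies the request to
    # all accounts in the organization and all versions of the source.
    if accounts:
        entry["accounts"] = list(accounts)
    if source_version:
        entry["sourceVersion"] = source_version
    return entry


def describe_scope(entry: dict) -> str:
    """Spell out what the request will apply to under the documented defaults."""
    accounts = entry.get("accounts")
    acct_text = f"{len(accounts)} account(s)" if accounts else "all accounts"
    version = entry.get("sourceVersion", "all versions")
    return (f"{entry['sourceName']} ({version}) in "
            f"{', '.join(entry['regions'])} for {acct_text}")


if __name__ == "__main__":
    # Constructed sample values; CLOUD_TRAIL_MGMT is a built-in source name.
    enabled = {"us-east-1", "ap-northeast-1"}
    src = build_aws_log_source("CLOUD_TRAIL_MGMT", ["us-east-1"], enabled,
                               accounts=["111122223333"])
    print(describe_scope(src))
    import boto3  # credentials needed; runs only when executed directly
    boto3.client("securitylake").create_aws_log_source(sources=[src])
```

Running describe_scope on the entry before submitting it makes the implicit "all accounts / all versions" scope visible, which is the easiest place to catch an over-broad request.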

Step 5: Define target objective (optional)

You can specify the Amazon S3 storage class in which you want Security Lake to store your data and for how long. You can also specify a rollup Region to consolidate data from multiple Regions. These are optional steps. For more information, see Lifecycle management in Security Lake.

Console
  1. If you want to consolidate data from multiple contributing Regions to a rollup Region, for Select rollup Regions, choose Add rollup Region. Specify the rollup Region and the Regions that will contribute to it. You can set up one or more rollup Regions.

  2. For Select storage classes, choose an Amazon S3 storage class. The default storage class is S3 Standard. Provide a retention period (in days) if you want the data to transition to another storage class after that time, and choose Add transition. After the retention period ends, the objects expire and Amazon S3 deletes them. For more information about Amazon S3 storage classes and retention, see Retention management.

  3. If you selected a rollup Region in the first step, for Service access, create a new IAM role or use an existing IAM role that gives Security Lake permission to replicate data across multiple Regions.

  4. Choose Next.

API

To define a target objective programmatically when you enable Security Lake, use the CreateDataLake operation of the Security Lake API. If you've already enabled Security Lake and want to define a target objective, use the UpdateDataLake operation, not the CreateDataLake operation.

For either operation, use the supported parameters to specify the configuration settings that you want:

  • To specify a rollup Region, use the region field to specify the Region that you want to contribute data to the rollup Region. Use the replicationConfiguration parameters to specify the rollup Region (regions). For an example, see Updating or removing rollup Regions.

  • To specify retention settings for your data, use the lifecycleConfiguration parameters:

    • For transitions, specify the total number of days (days) that you want to store S3 objects in a particular Amazon S3 storage class (storageClass).

    • For expiration, specify the total number of days that you want to store objects in Amazon S3, using any storage class, after objects are created. When this retention period ends, objects expire and Amazon S3 deletes them.

    Security Lake applies the specified retention settings to the Region that you specify in the region field of the configurations object.

AWS CLI

To use the AWS Command Line Interface (AWS CLI) to define a target objective when you enable Security Lake, run the create-data-lake command. If you've already enabled Security Lake and want to define a target objective, run the update-data-lake command, not the create-data-lake command.

For either command, use the supported parameters to specify the configuration settings that you want:

  • To specify a rollup Region, use the region field to specify the Region that you want to contribute data to the rollup Region. Use the replicationConfiguration parameters to specify the rollup Region (regions). For an example, see Updating or removing rollup Regions.

  • To specify retention settings for your data, use the lifecycleConfiguration parameters:

    • For transitions, specify the total number of days (days) that you want to store S3 objects in a particular Amazon S3 storage class (storageClass).

    • For expiration, specify the total number of days that you want to store objects in Amazon S3, using any storage class, after objects are created. When this retention period ends, objects expire and Amazon S3 deletes them.

    Security Lake applies the specified retention settings to the Region that you specify in the region field of the configurations object.
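As an added example (not AWS's own code), the block below assembles one entry of the configurations object used by CreateDataLake and UpdateDataLake in Step 3 and Step 5: the region field, the lifecycleConfiguration transitions (days and storageClass) and expiration, and the replicationConfiguration regions naming the rollup Region. It rejects inconsistent settings before the call: transition days that do not increase, an expiration that does not come after the last transition, and a Region named as its own rollup Region. The roleArn key under replicationConfiguration, the role ARNs, the day counts and the boto3 call are assumptions or constructed sample values.

```python
"""Assemble one `configurations` entry for create-data-lake / update-data-lake.

Checks the lifecycle and rollup settings for consistency before the call:
transition days must increase, expiration must follow the last transition,
and a Region cannot roll up into itself.
"""
from __future__ import annotations


def build_region_configuration(
    region: str,
    transitions: list[tuple[int, str]] | None = None,
    expiration_days: int | None = None,
    rollup_region: str | None = None,
    replication_role_arn: str | None = None,
) -> dict:
    """Return the per-Region configuration object the API expects."""
    config: dict = {"region": region}
    lifecycle: dict = {}
    last = 0  # day count of the most recent transition seen so far
    if transitions:
        for days, storage_class in transitions:
            if days <= last:
                raise ValueError("transition days must strictly increase")
            last = days
        lifecycle["transitions"] = [
            {"days": d, "storageClass": c} for d, c in transitions]
    if expiration_days is not None:
        if expiration_days <= last:
            raise ValueError("expiration must be positive and after the last transition")
        lifecycle["expiration"] = {"days": expiration_days}
    if lifecycle:
        config["lifecycleConfiguration"] = lifecycle
    if rollup_region:
        if rollup_region == region:
            raise ValueError("a Region cannot be its own rollup Region")
        # `regions` names the rollup Region(s) this Region contributes to.
        config["replicationConfiguration"] = {"regions": [rollup_region]}
        if replication_role_arn:  # roleArn key is assumed, see lead-in
            config["replicationConfiguration"]["roleArn"] = replication_role_arn
    return config


if __name__ == "__main__":
    # Constructed sample: us-east-1 contributes to a us-west-2 rollup Region,
    # moves objects to S3 Standard-IA after 30 days and expires them at 365.
    cfg = build_region_configuration(
        "us-east-1", transitions=[(30, "STANDARD_IA")], expiration_days=365,
        rollup_region="us-west-2",
        replication_role_arn="arn:aws:iam::111122223333:role/SecurityLakeReplication")
    import boto3  # credentials needed; runs only when executed directly
    boto3.client("securitylake").create_data_lake(
        configurations=[cfg],
        metaStoreManagerRoleArn="arn:aws:iam::111122223333:role/AmazonSecurityLakeMetaStoreManager")
```

For an existing data lake, pass the same configurations list to update_data_lake instead of create_data_lake, as the note above describes.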

Step 6: Review and create data lake (console-only step)

Review the sources that Security Lake will collect data from, your rollup Regions, and your retention settings. Then, create your data lake.

  1. While enabling Security Lake, review Log and event sources, Regions, Rollup Regions, and Storage classes.

  2. Choose Create.

After creating your data lake, you will see the Summary page on the Security Lake console. This page provides an overview of the number of Regions and Rollup Regions, information about subscribers, and System issues.

The System issues menu shows you a summary of issues from the last 14 days that are impacting the Security Lake service or your Amazon S3 buckets.

Step 7: View and query your own data

After creating your data lake, you can use Amazon Athena or similar services to view and query your data from AWS Lake Formation databases and tables. The data lake administrator account in AWS Lake Formation must grant SELECT permissions to the IAM role you want to use to query the relevant databases and tables. At a minimum, the role must have Data analyst permissions. For more information on permission levels, see Lake Formation personas and IAM permissions reference. For instructions on granting SELECT permissions, see Granting Data Catalog permissions using the named resource method in the AWS Lake Formation Developer Guide.

Step 8: Create subscribers

After creating your data lake, you can add subscribers to consume your data. Subscribers can consume data by directly accessing objects in your Amazon S3 buckets or by querying the data lake. For more information about subscribers, see Subscriber management in Amazon Security Lake.