Managing Regions
Amazon Security Lake can collect security logs and events across AWS Regions in which you've
enabled the service. For each Region, your data is stored in a different Amazon S3 bucket. You
can specify different data lake configurations (for example, different sources and retention
settings) for different Regions. You can also define one or more rollup Regions to
consolidate data from multiple Regions.
Checking Region status
Security Lake can collect data across multiple AWS Regions. To track the state of your
data lake, it can be helpful to understand how each Region is currently configured.
Choose your preferred access method, and follow these steps to get the current status of
a Region.
- Console
To check Region status
1. Open the Security Lake console at https://console.aws.amazon.com/securitylake/.
2. In the navigation pane, choose Regions. The Regions page appears, providing an overview of the Regions in which Security Lake is currently enabled.
3. Select a Region, and then choose Edit to see details for that Region.
- API
To get the status of log collection in the current Region, use the GetDataLakeSources operation of the Security Lake API. If you're using the AWS CLI, run the get-data-lake-sources command. For the accounts parameter, specify one or more AWS account IDs as a list. If your request succeeds, Security Lake returns a snapshot for those accounts in the current Region, including which AWS sources Security Lake is collecting data from and the status of each source. If you don't include the accounts parameter, the response includes the status of log collection for all accounts in which Security Lake is configured in the current Region.
For example, the following AWS CLI command retrieves log collection status for the specified accounts in the current Region. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws securitylake get-data-lake-sources \
    --accounts "123456789012" "111122223333"
The following AWS CLI command lists log collection status for all accounts and enabled sources in the specified Region. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws securitylake get-data-lake-sources \
    --regions "us-east-1" \
    --query 'dataLakeSources[].[account,sourceName]'
To determine whether you've enabled Security Lake for a Region, use the ListDataLakes operation. If you're using the AWS CLI, run the list-data-lakes command. For the regions parameter, specify the Region code for the Region, such as us-east-1 for the US East (N. Virginia) Region. For a list of Region codes, see Amazon Security Lake endpoints in the AWS General Reference. The ListDataLakes operation returns the data lake configuration settings for each Region that you specify in your request. If you don't specify a Region, Security Lake returns the status and configuration settings of your data lake in each Region in which Security Lake is available.
For example, the following AWS CLI command shows the status and configuration settings of your data lake in the us-east-1 and eu-central-1 Regions. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws securitylake list-data-lakes \
    --regions "us-east-1" "eu-central-1"
Updating Region settings
Choose your preferred method, and follow these instructions to update settings for your data lake in one or more AWS Regions.
- Console
1. Open the Security Lake console at https://console.aws.amazon.com/securitylake/.
2. In the navigation pane, choose Regions.
3. Select a Region, and then choose Edit.
4. Select the check box for Override sources for all accounts in <Region> to confirm that your selections here override previous selections for this Region.
5. For Select storage classes, choose Add transition to add new storage classes for your data.
6. For Tags, optionally assign or edit the tags for the Region. A tag is a label that you can define and assign to certain types of AWS resources, including the data lake configuration for your AWS account in a particular Region. To learn more, see Tagging Amazon Security Lake resources.
7. To turn a Region into a rollup Region, choose Rollup Regions (under Settings) in the navigation pane. Then choose Modify. In the Select rollup Regions section, choose Add rollup Region. Select the contributing Regions, and provide Security Lake with permission to replicate data across multiple Regions. When you finish, choose Save to save your changes.
- API
To update Region settings for your data lake programmatically, use the UpdateDataLake operation of the Security Lake API. If you're using the AWS CLI, run the update-data-lake command. For the region parameter, specify the Region code for the Region whose settings you want to change, such as us-east-1 for the US East (N. Virginia) Region. For a list of Region codes, see Amazon Security Lake endpoints in the AWS General Reference. Use additional parameters to specify a new value for each setting that you want to change, such as the encryption key (encryptionConfiguration) and retention settings (lifecycleConfiguration).
For example, the following AWS CLI command updates the data expiration and storage class transition settings for the us-east-1 Region. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws securitylake update-data-lake \
    --configurations '[{"region":"us-east-1","lifecycleConfiguration":{"expiration":{"days":500},"transitions":[{"days":45,"storageClass":"ONEZONE_IA"}]}}]'
Configuring rollup Regions
A rollup Region consolidates data from one or more contributing Regions. Specifying a rollup Region can help you comply with Regional compliance requirements.
Before adding a rollup Region, you first need to create two different roles in AWS Identity and Access Management (IAM):
Note: Security Lake creates these IAM roles or uses existing roles on your behalf when you use the Security Lake console. However, you must create these roles yourself when using the Security Lake API or AWS CLI.
IAM role for data replication
This IAM role grants permission to Amazon S3 to replicate source logs and events across multiple Regions.
To grant these permissions, create an IAM role whose name starts with the prefix SecurityLake, and attach the following sample policy to the role. You'll need the Amazon Resource Name (ARN) of the role when you create a rollup Region in Security Lake. In this policy, sourceRegions are contributing Regions, and destinationRegions are rollup Regions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadS3ReplicationSetting",
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::aws-security-data-lake-[[sourceRegions]]*",
        "arn:aws:s3:::aws-security-data-lake-[[sourceRegions]]*/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:ResourceAccount": [
            "{{bucketOwnerAccountId}}"
          ]
        }
      }
    },
    {
      "Sid": "AllowS3Replication",
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:GetObjectVersionTagging"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::aws-security-data-lake-[[destinationRegions]]*/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:ResourceAccount": [
            "{{bucketOwnerAccountId}}"
          ]
        }
      }
    }
  ]
}
Attach the following trust policy to your role to permit Amazon S3 to assume the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ToAssume",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
If you use a customer managed key from AWS Key Management Service (AWS KMS) to encrypt your Security Lake data lake, you must grant the following permissions in addition to the permissions in the data replication policy. In these statements, the sourceRegion and destinationRegion placeholders are Region codes, and the Resource values are the ARNs of the KMS keys used in those Regions.
{
  "Action": [
    "kms:Decrypt"
  ],
  "Effect": "Allow",
  "Condition": {
    "StringLike": {
      "kms:ViaService": [
        "s3.{sourceRegion1}.amazonaws.com",
        "s3.{sourceRegion2}.amazonaws.com"
      ],
      "kms:EncryptionContext:aws:s3:arn": [
        "arn:aws:s3:::aws-security-data-lake-{sourceRegion1}*",
        "arn:aws:s3:::aws-security-data-lake-{sourceRegion2}*"
      ]
    }
  },
  "Resource": [
    "{sourceRegion1KmsKeyArn}",
    "{sourceRegion2KmsKeyArn}"
  ]
},
{
  "Action": [
    "kms:Encrypt"
  ],
  "Effect": "Allow",
  "Condition": {
    "StringLike": {
      "kms:ViaService": [
        "s3.{destinationRegion1}.amazonaws.com"
      ],
      "kms:EncryptionContext:aws:s3:arn": [
        "arn:aws:s3:::aws-security-data-lake-{destinationRegion1}*"
      ]
    }
  },
  "Resource": [
    "{destinationRegionKmsKeyArn}"
  ]
}
For more information about replication roles, see Setting up permissions in the Amazon Simple Storage Service User Guide.
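The console builds this role for you, but API and CLI users must assemble it by hand. The following Python is an added example, not AWS tooling: it fills the replication policy template above (and the optional KMS statements) with concrete values, keeping every statement scoped to the aws-security-data-lake- buckets of one account. Region codes, the bucket owner account ID and key ARNs are caller-supplied assumptions, and the function name is hypothetical.

```python
# Added example (not AWS tooling): renders the page's replication-role policy
# template into a concrete document. Region codes, the bucket owner account ID
# and any KMS key ARNs are caller-supplied.
BUCKET_PREFIX = "arn:aws:s3:::aws-security-data-lake-"


def replication_policy(source_regions, destination_regions, bucket_owner_account_id,
                       source_kms_keys=None, destination_kms_keys=None):
    """Policy dict for the SecurityLake* replication role. The *_kms_keys arguments
    are optional {region: key_arn} maps, needed only with customer managed keys."""
    # Pin every S3 statement to buckets owned by this account, so a lookalike
    # bucket name in another account can never be read from or written to.
    account_cond = {"StringEquals": {"s3:ResourceAccount": [bucket_owner_account_id]}}
    src_buckets = [f"{BUCKET_PREFIX}{r}*" for r in source_regions]
    statements = [
        {   # read side: contributing-Region buckets and their objects
            "Sid": "AllowReadS3ReplicationSetting",
            "Action": ["s3:ListBucket", "s3:GetReplicationConfiguration",
                       "s3:GetObjectVersionForReplication", "s3:GetObjectVersion",
                       "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging",
                       "s3:GetObjectRetention", "s3:GetObjectLegalHold"],
            "Effect": "Allow",
            "Resource": src_buckets + [b + "/*" for b in src_buckets],
            "Condition": account_cond,
        },
        {   # write side: objects in the rollup-Region buckets only
            "Sid": "AllowS3Replication",
            "Action": ["s3:ReplicateObject", "s3:ReplicateDelete",
                       "s3:ReplicateTags", "s3:GetObjectVersionTagging"],
            "Effect": "Allow",
            "Resource": [f"{BUCKET_PREFIX}{r}*/*" for r in destination_regions],
            "Condition": account_cond,
        },
    ]
    # Decrypt with contributing-Region keys, encrypt with rollup-Region keys, and
    # only via S3 in that Region for a Security Lake bucket (ViaService + context).
    for action, keys in (("kms:Decrypt", source_kms_keys), ("kms:Encrypt", destination_kms_keys)):
        if keys:
            statements.append({
                "Action": [action], "Effect": "Allow", "Resource": list(keys.values()),
                "Condition": {"StringLike": {
                    "kms:ViaService": [f"s3.{r}.amazonaws.com" for r in keys],
                    "kms:EncryptionContext:aws:s3:arn": [f"{BUCKET_PREFIX}{r}*" for r in keys],
                }},
            })
    return {"Version": "2012-10-17", "Statement": statements}
```

Serialize the returned dict with json.dumps before attaching it to the role; the trust policy from the page is still attached separately.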
IAM role to register AWS Glue partitions
This IAM role grants permissions for a partition updater AWS Lambda function used by Security Lake to register AWS Glue partitions for the S3 objects that were replicated from other Regions. Without creating this role, subscribers can't query events from those objects.
To grant these permissions, create a role named AmazonSecurityLakeMetaStoreManager (you may have already created this role while onboarding to Security Lake). For more information about this role, including a sample policy, see Step 1: Create IAM roles.
In the Lake Formation console, you must also grant AmazonSecurityLakeMetaStoreManager permissions as a data lake administrator by following these steps:
1. Open the Lake Formation console at https://console.aws.amazon.com/lakeformation/.
2. Sign in as an administrative user.
3. If a Welcome to Lake Formation window appears, choose the user that you created or selected in Step 1, and then choose Get started.
4. If you don't see a Welcome to Lake Formation window, then perform the following steps to configure a Lake Formation administrator.
5. In the navigation pane, under Permissions, choose Administrative Roles and tasks. In the Data lake administrators section of the console page, choose Choose administrators.
6. In the Manage data lake administrators dialog box, for IAM users and roles, choose the AmazonSecurityLakeMetaStoreManager IAM role that you created, and then choose Save.
For more information about changing permissions for data lake administrators, see Create a data lake administrator in the AWS Lake Formation Developer Guide.
Adding rollup Regions
Choose your preferred access method, and follow these steps to add a rollup Region.
A Region can contribute data to multiple rollup Regions. However, a rollup Region cannot be a contributing Region for another rollup Region.
- Console
1. Open the Security Lake console at https://console.aws.amazon.com/securitylake/.
2. In the navigation pane, under Settings, choose Rollup Regions.
3. Choose Modify, and then choose Add rollup Region.
4. Specify the rollup Region and contributing Regions. Repeat this step if you want to add multiple rollup Regions.
5. If this is your first time adding a rollup Region, for Service access, create a new IAM role or use an existing IAM role that gives Security Lake permission to replicate data across multiple Regions.
6. When you finish, choose Save.
You can also add a rollup Region when you onboard to Security Lake. For more information, see Getting started with Amazon Security Lake.
- API
To add a rollup Region programmatically, use the UpdateDataLake operation of the Security Lake API. If you're using the AWS CLI, run the update-data-lake command. In your request, use the region field to specify the Region that will contribute data to the rollup Region. In the regions array of the replicationConfiguration parameter, specify the Region code for each rollup Region. For a list of Region codes, see Amazon Security Lake endpoints in the AWS General Reference.
For example, the following command sets ap-northeast-2 as a rollup Region. The us-east-1 Region will contribute data to the ap-northeast-2 Region. This example also establishes a 365-day expiration period for objects that are added to the data lake. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws securitylake update-data-lake \
    --configurations '[{"encryptionConfiguration":{"kmsKeyId":"S3_MANAGED_KEY"},"region":"us-east-1","replicationConfiguration":{"regions":["ap-northeast-2"],"roleArn":"arn:aws:iam::123456789012:role/service-role/AmazonSecurityLakeS3ReplicationRole"},"lifecycleConfiguration":{"expiration":{"days":365}}}]'
You can also add a rollup Region when you onboard to Security Lake. To do this, use the CreateDataLake operation (or, if using the AWS CLI, the create-data-lake command). For more information about configuring rollup Regions during onboarding, see Getting started with Amazon Security Lake.
Updating or removing rollup Regions
Choose your preferred access method, and follow these steps to update or remove rollup Regions in Security Lake.
- Console
1. Open the Security Lake console at https://console.aws.amazon.com/securitylake/.
2. In the navigation pane, under Settings, choose Rollup Regions.
3. Choose Modify.
4. To change the contributing Regions for a rollup Region, specify the updated contributing Regions in the row for that rollup Region.
5. To remove a rollup Region, choose Remove in the row for that rollup Region.
6. When you finish, choose Save.
- API
To configure rollup Regions programmatically, use the UpdateDataLake operation of the Security Lake API. If you're using the AWS CLI, run the update-data-lake command. In your request, use the supported parameters to specify the rollup settings:
- To add a contributing Region, use the region field to specify the Region code for the Region to add. In the regions array of the replicationConfiguration object, specify the Region code for each rollup Region to contribute data to. For a list of Region codes, see Amazon Security Lake endpoints in the AWS General Reference.
- To remove a contributing Region, use the region field to specify the Region code for the Region to remove. For the replicationConfiguration parameters, don't specify any values.
For example, the following command configures both us-east-1 and us-east-2 as contributing Regions. Both Regions will contribute data to the ap-northeast-3 rollup Region. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws securitylake update-data-lake \
    --configurations '[{"encryptionConfiguration":{"kmsKeyId":"S3_MANAGED_KEY"},"region":"us-east-1","replicationConfiguration":{"regions":["ap-northeast-3"],"roleArn":"arn:aws:iam::123456789012:role/service-role/AmazonSecurityLakeS3ReplicationRole"},"lifecycleConfiguration":{"expiration":{"days":365}}},
    {"encryptionConfiguration":{"kmsKeyId":"S3_MANAGED_KEY"},"region":"us-east-2","replicationConfiguration":{"regions":["ap-northeast-3"],"roleArn":"arn:aws:iam::123456789012:role/service-role/AmazonSecurityLakeS3ReplicationRole"},"lifecycleConfiguration":{"expiration":{"days":500},"transitions":[{"days":60,"storageClass":"ONEZONE_IA"}]}}]'