Managing multiple accounts with AWS Organizations in Security Lake
You can use Amazon Security Lake to collect security logs and events from multiple AWS accounts. To help automate and streamline the management of multiple accounts, we strongly recommend that you integrate Security Lake with AWS Organizations.
In Organizations, the account that you use to create the organization is called the management account. To integrate Security Lake with Organizations, the management account must designate a delegated Security Lake administrator account for the organization.
The delegated Security Lake administrator can enable Security Lake and configure Security Lake settings for member accounts. The delegated administrator can collect logs and events across the organization in all AWS Regions where Security Lake is enabled (regardless of which Regional endpoint they're currently using). The delegated administrator can also configure Security Lake to automatically collect log and event data for new organization accounts.
The delegated Security Lake administrator has access to log and event data for associated member accounts. Accordingly, they can configure Security Lake to collect data owned by associated member accounts. They can also grant subscribers permission to consume data owned by associated member accounts.
To enable Security Lake for multiple accounts in an organization, the organization management account must first designate a delegated Security Lake administrator account for the organization. The delegated administrator can then enable and configure Security Lake for the organization.
Important
Use Security Lake's RegisterDataLakeDelegatedAdministrator API to allow Security Lake access to your organization and register Organizations's delegated administrator.
If you use Organizations' APIs to register a delegated administrator, service-linked roles for the Organizations might not be created successfully. To ensure full functionality, use the Security Lake APIs.
For information about setting up Organizations, see Creating and managing an organization in the AWS Organizations User Guide.
For existing Security Lake accounts
If you enabled Security Lake before April 17, 2025, we recommend you to enable the Service-linked role (SLR) permissions for resource management. By using this SLR, you can continue to perform ongoing monitoring and performance improvements, that can potentially reduce latency and costs. For information about the permissions associated with this SLR, see Service-linked role (SLR) permissions for resource management.
If you use Security Lake console, you will receive a notification prompting you to enable the AWSServiceRoleForSecurityLakeResourceManagement. If you use AWS CLI, see Creating the Security Lake service-linked role.
Important considerations for delegated Security Lake administrators
Take note of the following factors that define how a delegated administrator behaves in Security Lake:
- The delegated administrator is the same in all Regions.
-
When you create the delegated administrator, it becomes the delegated administrator for every Region in which you enable Security Lake.
- We recommend setting the Log Archive account as the Security Lake delegated administrator.
-
The Log Archive account is an AWS account that is dedicated to ingesting and archiving all security-related logs. Access to this account is typically limited to a few users, such as auditors and security teams for compliance investigations. We recommend setting the Log Archive account as the Security Lake delegated administrator so that you can view security-related logs and events with minimal context switching.
In addition, we recommend that only a minimal set of users have direct access to the Log Archive account. Outside of this select group, if a user needs access to the data that Security Lake collects, you can add them as a Security Lake subscriber. For information about adding a subscriber, see Subscriber management in Security Lake.
If you don't use the AWS Control Tower service, you may not have a Log Archive account. For more information about the Log Archive account, see Security OU – Log Archive account in the AWS Security Reference Architecture.
- An organization can have only one delegated administrator.
-
You can have only one delegated Security Lake administrator for each organization.
- The organization management account cannot be the delegated administrator.
-
Based on AWS Security best practices and the principle of least privilege, your organization management account cannot be the delegated administrator.
- The delegated administrator must be part of an active organization.
-
When you delete an organization, the delegated administrator account can no longer manage Security Lake. You must designate a delegated administrator from a different organization or use Security Lake with a standalone account that's not part of an organization.
IAM permissions required to designate the delegated administrator
When designating the delegated Security Lake administrator, you must have permissions to enable Security Lake and use certain AWS Organizations API operations listed in the following policy statement.
You can add the following statement to the end of an AWS Identity and Access Management (IAM) policy to grant these permissions.
{ "Sid": "Grant permissions to designate a delegated Security Lake administrator", "Effect": "Allow", "Action": [ "securitylake:RegisterDataLakeDelegatedAdministrator", "organizations:EnableAWSServiceAccess", "organizations:RegisterDelegatedAdministrator", "organizations:ListAccounts", "organizations:ListDelegatedAdministrators", "organizations:ListAWSServiceAccessForOrganization", "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount", "organizations:DescribeOrganization" ], "Resource": "*" }
Designating the delegated Security Lake administrator and adding member accounts
Choose your access method to designate the delegated Security Lake administrator account for your organization. Only the organization management account can designate the delegated administrator account for their organization. The organization management account cannot be the delegated administrator account for their organization.
Note
-
The organization management account should use the Security Lake
RegisterDataLakeDelegatedAdministratoroperation to designate the delegated Security Lake administrator account. Designating the delegated Security Lake administrator through Organizations isn't supported. -
If you want to change the delegated administrator for the organization, you must first remove the current delegated administrator. You can then designate a new delegated administrator.
After the organization management account designates the delegated administrator, the administrator can enable and configure Security Lake for the organization. This includes enabling and configuring Security Lake to collect AWS log and event data for individual accounts in the organization. For more information, see Collecting data from AWS services in Security Lake.
You can use the GetDataLakeOrganizationConfiguration operation to get details about your organization's current configuration for new member accounts.
Editing auto-enable configuration for new organization accounts
A delegated Security Lake administrator can view and edit the auto-enable settings for accounts when they join your organization. Security Lake ingests data based on these settings for new accounts only, not existing accounts.
Use the following steps to edit the configuration for new organization accounts:
Open the Security Lake console at https://console.aws.amazon.com/securitylake/
. -
In the navigation pane, choose Accounts.
-
On the Accounts page, expand the New account configuration section. You can view which Sources Security Lake ingests from each Region.
-
Choose Edit to edit this configuration.
-
On the Edit new account configuration page, perform the following steps:
-
For Select Regions, select one or more Regions for which you want to update the sources to ingest the data from. Then, choose Next.
-
For Select sources, choose one of the following options for Source selection:
Ingest default AWS sources – When you choose the recommended option, CloudTrail - S3 data events and AWS WAF are not included for ingestion by default. This is because ingesting high volume of both source types might significantly impact usage costs. To ingest these sources, first select the Ingest specific AWS sources option, and then select these sources from the Log and event sources list.
Ingest specific AWS sources – With this option, you can select one or more log and event sources that you want to ingest.
-
Do not ingest any sources – Select this option when you do not want to ingest any sources from the Regions that you selected in the previous step.
-
Choose Next.
Note
When you enable Security Lake in an account for the first time, all the selected log and event sources will be a part of a 15-day free trial period. For more information about usage statistics, see Reviewing usage and estimated costs.
-
After you review the changes, choose Apply.
When an AWS account joins your organization, these settings will apply to that account by default.
-
Removing the delegated Security Lake administrator
Only the organization management account can remove the delegated Security Lake administrator for their organization. If you want to change the delegated administrator for the organization, remove the current delegated administrator, and then designate the new delegated administrator.
Important
Removing the delegated Security Lake administrator deletes your data lake and disables Security Lake for the accounts in your organization.
You can't change or remove the delegated administrator by using the Security Lake console. These tasks can only be performed programmatically.
To remove the delegated administrator programmatically, use the DeregisterDataLakeDelegatedAdministrator operation of the
Security Lake API. You must invoke the operation from the organization management account. The If you're using
the AWS CLI, run the deregister-data-lake-delegated-administrator
For example, the following AWS CLI command removes the delegated Security Lake administrator.
$aws securitylake deregister-data-lake-delegated-administrator
To keep the delegated administrator designation but change the
automatic configuration settings of new member accounts, use the DeleteDataLakeOrganizationConfiguration operation of the
Security Lake API, or, if you're using the AWS CLI, the delete-data-lake-organization-configuration
For example, the following AWS CLI command stops the automatic collection of Security Hub findings from new member accounts that join the organization. New member accounts won't contribute Security Hub findings to the data lake after the delegated administrator invokes this operation. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$aws securitylake delete-data-lake-organization-configuration \ --auto-enable-new-account '[{"region":"us-east-1","sources":[{"sourceName":"SH_FINDINGS"}]}]'
Security Lake trusted access
After you set up Security Lake for an organization, the AWS Organizations management account can enable trusted access with Security Lake. Trusted access allows Security Lake to create an IAM service-linked role and perform tasks in your organization and its accounts on your behalf. For more information, see Using AWS Organizations with other AWS services in the AWS Organizations User Guide.
As a user of the organization management account, you can disable trusted access for Security Lake in AWS Organizations. For instructions on disabling trusted access, see How to enable or disable trusted access in the AWS Organizations User Guide.
We recommend disabling trusted access if the delegated administrator's AWS account is suspended, isolated, or closed.
