Managing multiple accounts with AWS Organizations
You can use Amazon Security Lake to collect security logs and events from multiple AWS accounts. To help automate and streamline the management of multiple accounts, we strongly recommend that you integrate Security Lake with AWS Organizations.
In Organizations, the account that you use to create the organization is called the management account. To integrate Security Lake with Organizations, the management account must designate a delegated Security Lake administrator account for the organization.
The delegated Security Lake administrator can enable Security Lake and configure Security Lake settings for member accounts. The delegated administrator can collect logs and events across the organization in all AWS Regions where Security Lake is enabled (regardless of which Regional endpoint they're currently using). The delegated administrator can also configure Security Lake to automatically collect log and event data for new organization accounts.
The delegated Security Lake administrator has access to log and event data for associated member accounts. Accordingly, they can configure Security Lake to collect data owned by associated member accounts. They can also grant subscribers permission to consume data owned by associated member accounts.
To enable Security Lake for multiple accounts in an organization, the organization management account must first designate a delegated Security Lake administrator account for the organization. The delegated administrator can then enable and configure Security Lake for the organization.
For information about setting up Organizations, see Creating and managing an organization in the AWS Organizations User Guide.
Important considerations for delegated Security Lake administrators
Take note of the following factors that define how a delegated administrator behaves in Security Lake:
- The delegated administrator is the same in all Regions. When you create the delegated administrator, it becomes the delegated administrator for every Region in which you enable Security Lake.
- We recommend setting the Log Archive account as the Security Lake delegated administrator. The Log Archive account is an AWS account that is dedicated to ingesting and archiving all security-related logs. Access to this account is typically limited to a few users, such as auditors and security teams for compliance investigations. We recommend setting the Log Archive account as the Security Lake delegated administrator so that you can view security-related logs and events with minimal context switching.
  In addition, we recommend that only a minimal set of users have direct access to the Log Archive account. Outside of this select group, if a user needs access to the data that Security Lake collects, you can add them as a Security Lake subscriber. For information about adding a subscriber, see Subscriber management in Amazon Security Lake.
  If you don't use the AWS Control Tower service, you may not have a Log Archive account. For more information about the Log Archive account, see Security OU – Log Archive account in the AWS Security Reference Architecture.
- An organization can have only one delegated administrator. You can have only one delegated Security Lake administrator for each organization.
- The organization management account cannot be the delegated administrator. Based on AWS security best practices and the principle of least privilege, your organization management account cannot be the delegated administrator.
- The delegated administrator must be part of an active organization. When you delete an organization, the delegated administrator account can no longer manage Security Lake. You must designate a delegated administrator from a different organization or use Security Lake with a standalone account that's not part of an organization.
IAM permissions required to designate the delegated administrator
When designating the delegated Security Lake administrator, you must have permissions to enable Security Lake and use certain AWS Organizations API operations listed in the following policy statement.
You can add the following statement to the end of an AWS Identity and Access Management (IAM) policy to grant these permissions.
{
    "Sid": "Grant permissions to designate a delegated Security Lake administrator",
    "Effect": "Allow",
    "Action": [
        "securitylake:RegisterDataLakeDelegatedAdministrator",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListAccounts",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
    ],
    "Resource": "*"
}
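Before attempting the designation it is worth confirming that the policy attached to the management-account principal actually covers every action above. The following Python check is an added example, not code from the AWS documentation: it walks a policy document, applies IAM-style wildcard matching (so "organizations:*" counts), ignores Allow statements scoped to specific resources (the guide's statement uses "Resource": "*"), and conservatively flags any explicit Deny on a required action. NotAction and condition keys are not evaluated.

```python
"""Check that an IAM policy document grants the actions needed to designate the
delegated Security Lake administrator. Added example; not from the AWS guide."""
import fnmatch
import json

# The actions from the policy statement in this guide.
REQUIRED_ACTIONS = frozenset({
    "securitylake:RegisterDataLakeDelegatedAdministrator",
    "organizations:EnableAWSServiceAccess",
    "organizations:RegisterDelegatedAdministrator",
    "organizations:ListAccounts",
    "organizations:ListDelegatedAdministrators",
    "organizations:ListAWSServiceAccessForOrganization",
    "organizations:DescribeOrganizationalUnit",
    "organizations:DescribeAccount",
    "organizations:DescribeOrganization",
})


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM action names are matched case-insensitively with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def check_delegation_permissions(policy):
    """Return (missing, denied).

    missing: required actions that no resource-wide Allow statement grants.
    denied:  required actions hit by an explicit Deny (counted on any resource,
             because a Deny always wins over an Allow in IAM evaluation).
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    allow_patterns, deny_patterns = [], []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))  # NotAction is not evaluated here
        if stmt.get("Effect") == "Deny":
            deny_patterns.extend(actions)
        elif stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource")):
            allow_patterns.extend(actions)
    missing = sorted(a for a in REQUIRED_ACTIONS if not _matches(a, allow_patterns))
    denied = sorted(a for a in REQUIRED_ACTIONS if _matches(a, deny_patterns))
    return missing, denied


if __name__ == "__main__":
    import sys

    with open(sys.argv[1]) as fh:  # path to a policy document saved as JSON
        missing, denied = check_delegation_permissions(fh.read())
    print("missing:", missing or "none")
    print("explicitly denied:", denied or "none")
```

Run it against the policy you intend to attach; an empty "missing" list and an empty "denied" list mean the principal can carry out the designation steps described in the next section.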
Designating the delegated Security Lake administrator and adding member accounts
Choose your access method to designate the delegated Security Lake administrator account for your organization. Only the organization management account can designate the delegated administrator account for their organization. The organization management account cannot be the delegated administrator account for their organization.
Note
- The organization management account should use the Security Lake RegisterDataLakeDelegatedAdministrator operation to designate the delegated Security Lake administrator account. Designating the delegated Security Lake administrator through Organizations isn't supported.
- If you want to change the delegated administrator for the organization, you must first remove the current delegated administrator. You can then designate a new delegated administrator.
After the organization management account designates the delegated administrator, the administrator can enable and configure Security Lake for the organization. This includes enabling and configuring Security Lake to collect AWS log and event data for individual accounts in the organization. For more information, see Collecting data from AWS services.
The delegated administrator can also choose to automate the collection of AWS log and event data for new organization accounts. With this configuration, Security Lake is automatically enabled for new accounts when the accounts are added to the organization in AWS Organizations. As the delegated administrator, you can enable this configuration by using the CreateDataLakeOrganizationConfiguration operation of the Security Lake API or, if you're using the AWS CLI, by running the create-data-lake-organization-configuration
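The two programmatic steps above, designation by the management account and automatic collection for new accounts by the delegated administrator, as an added Python example that is not code from the AWS documentation. It encodes the preconditions this section states (only the management account may designate, the management account cannot be the delegated administrator, one delegated administrator per organization, and designation goes through the Security Lake RegisterDataLakeDelegatedAdministrator operation). The boto3 method names follow the API operations named on this page; the accountId and autoEnableNewAccount parameter shapes, and the CLOUD_TRAIL_MGMT / SH_FINDINGS source names with version "2.0", are taken from the Security Lake API reference rather than from this page and should be confirmed against it. Clients are passed in as parameters so the checks can be exercised with stand-ins and without AWS credentials.

```python
"""Designate the delegated Security Lake administrator (management account),
then enable automatic collection for new accounts (delegated administrator).
Added example; not from the AWS guide. Clients are injected for testability."""
import sys

SERVICE_PRINCIPAL = "securitylake.amazonaws.com"


class DelegationError(Exception):
    """A precondition from the Security Lake guide was not met."""


def designate_delegated_admin(securitylake, organizations, sts, delegated_account_id):
    """Run with organization management account credentials.

    Returns the delegated administrator account ID once it is registered."""
    caller = sts.get_caller_identity()["Account"]
    management = organizations.describe_organization()["Organization"]["MasterAccountId"]
    if caller != management:
        raise DelegationError("only the organization management account can designate "
                              "the delegated Security Lake administrator")
    if delegated_account_id == management:
        raise DelegationError("the management account cannot be the delegated administrator")
    # One delegated administrator per organization: an existing one must be removed first.
    current = [a["Id"] for a in organizations.list_delegated_administrators(
        ServicePrincipal=SERVICE_PRINCIPAL)["DelegatedAdministrators"]]
    if delegated_account_id in current:
        return delegated_account_id  # already designated; nothing to do
    if current:
        raise DelegationError(f"organization already has delegated administrator "
                              f"{current[0]}; remove it before designating a new one")
    # The guide requires the Security Lake operation; registering through
    # organizations:RegisterDelegatedAdministrator directly is not supported.
    securitylake.register_data_lake_delegated_administrator(accountId=delegated_account_id)
    return delegated_account_id


def enable_auto_collection(securitylake, regions, sources):
    """Run with delegated administrator credentials.

    New accounts that join the organization get these sources enabled in these
    Regions. Returns the configuration that was sent (assumed request shape)."""
    config = [{"region": region, "sources": [dict(s) for s in sources]} for region in regions]
    securitylake.create_data_lake_organization_configuration(autoEnableNewAccount=config)
    return config


# Assumed source identifiers from the API reference, not from this page.
DEFAULT_SOURCES = [
    {"sourceName": "CLOUD_TRAIL_MGMT", "sourceVersion": "2.0"},
    {"sourceName": "SH_FINDINGS", "sourceVersion": "2.0"},
]

if __name__ == "__main__":
    import boto3  # real clients only when run as a script

    mode, arg = sys.argv[1], sys.argv[2]
    if mode == "designate":  # arg: account ID to designate, e.g. the Log Archive account
        acct = designate_delegated_admin(boto3.client("securitylake"),
                                         boto3.client("organizations"),
                                         boto3.client("sts"), arg)
        print(f"delegated Security Lake administrator: {acct}")
    elif mode == "auto-enable":  # arg: comma-separated Regions; run as the delegated admin
        print(enable_auto_collection(boto3.client("securitylake"), arg.split(","), DEFAULT_SOURCES))
```

The two modes run under different principals: "designate" needs management-account credentials, "auto-enable" needs the delegated administrator's credentials. The idempotent path (returning early when the target account is already the delegated administrator) matters in automation, because the guide's change procedure is remove first, then designate, and a blind re-register against a different current administrator should fail loudly rather than be retried.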
Removing the delegated Security Lake administrator
Only the organization management account can remove the delegated Security Lake administrator for their organization. If you want to change the delegated administrator for the organization, remove the current delegated administrator, and then designate the new delegated administrator.
Important
Removing the delegated Security Lake administrator deletes your data lake and disables Security Lake for the accounts in your organization.
Choose your access method, and follow the instructions to remove the delegated Security Lake administrator for your organization. You can't change or remove the delegated administrator by using the Security Lake console. These tasks can only be performed programmatically.
Security Lake trusted access
After you set up Security Lake for an organization, the AWS Organizations management account can enable trusted access with Security Lake. Trusted access allows Security Lake to create an IAM service-linked role and perform tasks in your organization and its accounts on your behalf. For more information, see Using AWS Organizations with other AWS services in the AWS Organizations User Guide.
As a user of the organization management account, you can disable trusted access for Security Lake in AWS Organizations. For instructions on disabling trusted access, see How to enable or disable trusted access in the AWS Organizations User Guide.
We recommend disabling trusted access if the delegated administrator's AWS account is suspended, isolated, or closed.
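The removal and trusted-access procedures from the last two sections, as an added Python example that is not code from the AWS documentation. Because removing the delegated administrator deletes the data lake and disables Security Lake for the organization's accounts, the removal function refuses to run unless the caller explicitly acknowledges that consequence, and the script requires a matching command-line flag. The Organizations calls (list_delegated_administrators, list_aws_service_access_for_organization, disable_aws_service_access) correspond to operations named on this page; the Security Lake deregister_data_lake_delegated_administrator method is not named on this page and is assumed from the API reference. Clients are injected so the logic can be exercised with stand-ins.

```python
"""Remove the delegated Security Lake administrator and disable Security Lake
trusted access, both from the organization management account.
Added example; not from the AWS guide. Clients are injected for testability."""
import sys

SERVICE_PRINCIPAL = "securitylake.amazonaws.com"
ACK_FLAG = "--i-understand-this-deletes-the-data-lake"


class RemovalError(Exception):
    """A precondition for removal was not met."""


def remove_delegated_admin(securitylake, organizations, sts, acknowledge_data_lake_deletion=False):
    """Deregister the current delegated administrator.

    Returns the removed account ID, or None if no delegated administrator was set.
    Removal deletes the data lake and disables Security Lake for the organization's
    accounts, so the caller must acknowledge that explicitly."""
    if not acknowledge_data_lake_deletion:
        raise RemovalError("refusing: removing the delegated administrator deletes the data "
                           "lake; pass acknowledge_data_lake_deletion=True to proceed")
    caller = sts.get_caller_identity()["Account"]
    management = organizations.describe_organization()["Organization"]["MasterAccountId"]
    if caller != management:
        raise RemovalError("only the organization management account can remove "
                           "the delegated Security Lake administrator")
    admins = organizations.list_delegated_administrators(
        ServicePrincipal=SERVICE_PRINCIPAL)["DelegatedAdministrators"]
    if not admins:
        return None
    # Assumed from the API reference: the operation takes no parameters.
    securitylake.deregister_data_lake_delegated_administrator()
    return admins[0]["Id"]


def disable_trusted_access(organizations):
    """Disable Security Lake trusted access in Organizations, for example after
    the delegated administrator's account is suspended, isolated, or closed.
    Returns True if trusted access was enabled and has now been disabled."""
    enabled = {p["ServicePrincipal"] for p in
               organizations.list_aws_service_access_for_organization()["EnabledServicePrincipals"]}
    if SERVICE_PRINCIPAL not in enabled:
        return False
    organizations.disable_aws_service_access(ServicePrincipal=SERVICE_PRINCIPAL)
    return True


if __name__ == "__main__":
    import boto3  # real clients only when run as a script

    if ACK_FLAG not in sys.argv[1:]:
        sys.exit(f"refusing to run without {ACK_FLAG}")
    org = boto3.client("organizations")
    removed = remove_delegated_admin(boto3.client("securitylake"), org, boto3.client("sts"), True)
    print(f"removed delegated Security Lake administrator: {removed}")
    if "--disable-trusted-access" in sys.argv[1:]:
        print(f"trusted access disabled: {disable_trusted_access(org)}")
```

Keeping the acknowledgement as a function parameter rather than only a CLI flag means any automation that imports this module has to state the consequence in code, which is where a reviewer will see it.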