Managing multiple accounts with AWS Organizations - Amazon Security Lake

Managing multiple accounts with AWS Organizations

You can use Amazon Security Lake to collect security logs and events from multiple AWS accounts. To help automate and streamline the management of multiple accounts, we strongly recommend that you integrate Security Lake with AWS Organizations.

In Organizations, the account that you use to create the organization is called the management account. To integrate Security Lake with Organizations, the management account must designate a delegated Security Lake administrator account for the organization.

The delegated Security Lake administrator can enable Security Lake and configure Security Lake settings for member accounts. The delegated administrator can collect logs and events across the organization in all AWS Regions where Security Lake is enabled (regardless of which Regional endpoint they're currently using). The delegated administrator can also configure Security Lake to automatically collect log and event data for new organization accounts.

The delegated Security Lake administrator has access to log and event data for associated member accounts. Accordingly, they can configure Security Lake to collect data owned by associated member accounts. They can also grant subscribers permission to consume data owned by associated member accounts.

To enable Security Lake for multiple accounts in an organization, the organization management account must first designate a delegated Security Lake administrator account for the organization. The delegated administrator can then enable and configure Security Lake for the organization.

For information about setting up Organizations, see Creating and managing an organization in the AWS Organizations User Guide.

Important considerations for delegated Security Lake administrators

Take note of the following factors that define how a delegated administrator behaves in Security Lake:

The delegated administrator is the same in all Regions.

When you create the delegated administrator, it becomes the delegated administrator for every Region in which you enable Security Lake.

We recommend setting the Log Archive account as the Security Lake delegated administrator.

The Log Archive account is an AWS account that is dedicated to ingesting and archiving all security-related logs. Access to this account is typically limited to a few users, such as auditors and security teams for compliance investigations. We recommend setting the Log Archive account as the Security Lake delegated administrator so that you can view security-related logs and events with minimal context switching.

In addition, we recommend that only a minimal set of users have direct access to the Log Archive account. Outside of this select group, if a user needs access to the data that Security Lake collects, you can add them as a Security Lake subscriber. For information about adding a subscriber, see Subscriber management in Amazon Security Lake.

If you don't use the AWS Control Tower service, you may not have a Log Archive account. For more information about the Log Archive account, see Security OU – Log Archive account in the AWS Security Reference Architecture.

An organization can have only one delegated administrator.

You can have only one delegated Security Lake administrator for each organization.

The organization management account cannot be the delegated administrator.

Based on AWS security best practices and the principle of least privilege, your organization management account cannot be the delegated administrator.

The delegated administrator must be part of an active organization.

When you delete an organization, the delegated administrator account can no longer manage Security Lake. You must designate a delegated administrator from a different organization or use Security Lake with a standalone account that's not part of an organization.

IAM permissions required to designate the delegated administrator

When designating the delegated Security Lake administrator, you must have permissions to enable Security Lake and use certain AWS Organizations API operations listed in the following policy statement.

You can add the following statement to the end of an AWS Identity and Access Management (IAM) policy to grant these permissions.

{ "Sid": "Grant permissions to designate a delegated Security Lake administrator", "Effect": "Allow", "Action": [ "securitylake:RegisterDataLakeDelegatedAdministrator", "organizations:EnableAWSServiceAccess", "organizations:RegisterDelegatedAdministrator", "organizations:ListAccounts", "organizations:ListDelegatedAdministrators", "organizations:ListAWSServiceAccessForOrganization", "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount", "organizations:DescribeOrganization" ], "Resource": "*" }

Designating the delegated Security Lake administrator and adding member accounts

Choose your access method to designate the delegated Security Lake administrator account for your organization. Only the organization management account can designate the delegated administrator account for their organization. The organization management account cannot be the delegated administrator account for their organization.

Note
  • The organization management account should use the Security Lake RegisterDataLakeDelegatedAdministrator operation to designate the delegated Security Lake administrator account. Designating the delegated Security Lake administrator through Organizations isn't supported.

  • If you want to change the delegated administrator for the organization, you must first remove the current delegated administrator. You can then designate a new delegated administrator.

Console
  1. Open the Security Lake console at https://console.aws.amazon.com/securitylake/.

    Sign in using the credentials of the management account for your organization.

    • If Security Lake is not yet enabled, select Get Started, and then designate the delegated Security Lake administrator on the Enable Security Lake page.

    • If Security Lake is already enabled, designate the delegated Security Lake administrator on the Settings page.

  2. Under Delegate administration to another account, select the account that already serves as the delegated administrator for other AWS security services (recommended). Alternatively, enter the 12-digit AWS account ID of the account that you want to designate as the delegated Security Lake administrator.

  3. Choose Delegate. If Security Lake is not already enabled, designating the delegated administrator will enable Security Lake for that account in your current Region.

API

To designate the delegated administrator programmatically, use the RegisterDataLakeDelegatedAdministrator operation of the Security Lake API. You must invoke the operation from the organization management account. If you're using the AWS CLI, run the register-data-lake-delegated-administrator command from the organization management account. In your request, use the accountId parameter to specify the 12-digit account ID of the AWS account to designate as the delegated administrator account for the organization.

For example, the following AWS CLI command designates the delegated administrator. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws securitylake register-data-lake-delegated-administrator \
    --account-id 123456789012

The delegated administrator can also choose to automate the collection of AWS log and event data for new organization accounts. With this configuration, Security Lake is automatically enabled in new accounts when the accounts are added to the organization in AWS Organizations. As the delegated administrator, you can enable this configuration by using the CreateDataLakeOrganizationConfiguration operation of the Security Lake API or, if you’re using the AWS CLI, by running the create-data-lake-organization-configuration command. In your request, you can also specify certain configuration settings for new accounts.

For example, the following AWS CLI command automatically enables Security Lake and the collection of Amazon Route 53 resolver query logs, AWS Security Hub findings, and Amazon Virtual Private Cloud (Amazon VPC) Flow Logs in new organization accounts. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws securitylake create-data-lake-organization-configuration \
    --auto-enable-new-account '[{"region":"us-east-1","sources":[{"sourceName":"ROUTE53"},{"sourceName":"SH_FINDINGS"},{"sourceName":"VPC_FLOW"}]}]'

After the organization management account designates the delegated administrator, the administrator can enable and configure Security Lake for the organization. This includes enabling and configuring Security Lake to collect AWS log and event data for individual accounts in the organization. For more information, see Collecting data from AWS services.

You can use the GetDataLakeOrganizationConfiguration operation to get details about your organization's current configuration for new member accounts.

Removing the delegated Security Lake administrator

Only the organization management account can remove the delegated Security Lake administrator for their organization. If you want to change the delegated administrator for the organization, remove the current delegated administrator, and then designate the new delegated administrator.

Important

Removing the delegated Security Lake administrator deletes your data lake and disables Security Lake for the accounts in your organization.

You can't change or remove the delegated administrator by using the Security Lake console. These tasks can only be performed programmatically.

To remove the delegated administrator programmatically, use the DeregisterDataLakeDelegatedAdministrator operation of the Security Lake API. You must invoke the operation from the organization management account. If you're using the AWS CLI, run the deregister-data-lake-delegated-administrator command from the organization management account.

For example, the following AWS CLI command removes the delegated Security Lake administrator.

$ aws securitylake deregister-data-lake-delegated-administrator

To keep the delegated administrator designation but change the automatic configuration settings of new member accounts, use the DeleteDataLakeOrganizationConfiguration operation of the Security Lake API, or, if you're using the AWS CLI, the delete-data-lake-organization-configuration command. Only the delegated administrator can change these settings for the organization.

For example, the following AWS CLI command stops the automatic collection of Security Hub findings from new member accounts that join the organization. New member accounts won't contribute Security Hub findings to the data lake after the delegated administrator invokes this operation. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws securitylake delete-data-lake-organization-configuration \
    --auto-enable-new-account '[{"region":"us-east-1","sources":[{"sourceName":"SH_FINDINGS"}]}]'
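The create and delete commands above each take a partial list, so keeping the auto-enable settings for new member accounts aligned with a baseline means working out, per Region, which sources to add and which to drop. The following added example (not AWS code) does that reconciliation: it takes the current auto-enable list in the same JSON shape as the CLI examples on this page, compares it with a desired baseline, and renders the create-data-lake-organization-configuration and delete-data-lake-organization-configuration calls that close the gap; the current and desired states are constructed, and KNOWN_SOURCES is limited to the source names this page uses.

```python
"""Reconcile the auto-enable configuration for new member accounts against
a desired baseline, emitting the two AWS CLI calls this page describes.
Added example; CURRENT and DESIRED are constructed sample states."""
import json

# Source names used on this page; the service supports more, so extend as needed.
KNOWN_SOURCES = {"ROUTE53", "SH_FINDINGS", "VPC_FLOW"}

def by_region(auto_enable):
    """{"region", "sources": [{"sourceName"}]} entries -> {region: set(sourceName)}."""
    out = {}
    for entry in auto_enable:
        out.setdefault(entry["region"], set()).update(
            s["sourceName"] for s in entry["sources"])
    return out

def plan(current, desired):
    """Return (to_create, to_delete) as auto-enable lists: sources missing in a
    Region go to create, sources no longer desired go to delete, matches are kept."""
    cur, want = by_region(current), by_region(desired)
    unknown = {s for srcs in want.values() for s in srcs} - KNOWN_SOURCES
    if unknown:
        raise ValueError(f"unrecognised sourceName(s): {sorted(unknown)}")
    create, delete = [], []
    for region in sorted(cur.keys() | want.keys()):
        add = sorted(want.get(region, set()) - cur.get(region, set()))
        drop = sorted(cur.get(region, set()) - want.get(region, set()))
        if add:
            create.append({"region": region, "sources": [{"sourceName": s} for s in add]})
        if drop:
            delete.append({"region": region, "sources": [{"sourceName": s} for s in drop]})
    return create, delete

def cli_commands(current, desired):
    """Render the plan as at most one create and one delete call, since
    --auto-enable-new-account accepts a list of Regions."""
    cmds = []
    for verb, entries in zip(("create", "delete"), plan(current, desired)):
        if entries:
            cmds.append(f"aws securitylake {verb}-data-lake-organization-configuration "
                        f"--auto-enable-new-account '{json.dumps(entries, separators=(',', ':'))}'")
    return cmds

# Constructed current state, in the list shape used by this page's CLI examples.
CURRENT = [{"region": "us-east-1",
            "sources": [{"sourceName": "ROUTE53"}, {"sourceName": "SH_FINDINGS"}]}]
# Desired baseline: keep Route 53, add VPC Flow Logs, stop Security Hub findings,
# and cover a second Region.
DESIRED = [{"region": "us-east-1",
            "sources": [{"sourceName": "ROUTE53"}, {"sourceName": "VPC_FLOW"}]},
           {"region": "eu-west-1", "sources": [{"sourceName": "VPC_FLOW"}]}]
```

Run the delete call only after the create call has been confirmed, so new accounts joining in between never end up with no sources auto-enabled in that Region.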

Security Lake trusted access

After you set up Security Lake for an organization, the AWS Organizations management account can enable trusted access with Security Lake. Trusted access allows Security Lake to create an IAM service-linked role and perform tasks in your organization and its accounts on your behalf. For more information, see Using AWS Organizations with other AWS services in the AWS Organizations User Guide.

As a user of the organization management account, you can disable trusted access for Security Lake in AWS Organizations. For instructions on disabling trusted access, see How to enable or disable trusted access in the AWS Organizations User Guide.

We recommend disabling trusted access if the delegated administrator's AWS account is suspended, isolated, or closed.