Service-linked role for Security Lake - Amazon Security Lake

Service-linked role for Security Lake

Security Lake uses an AWS Identity and Access Management (IAM) service-linked role named AWSServiceRoleForSecurityLake. This service-linked role is an IAM role that's linked directly to Security Lake. It's predefined by Security Lake, and it includes all the permissions that Security Lake requires to call other AWS services on your behalf and operate the security data lake service. Security Lake uses this service-linked role in all the AWS Regions where Security Lake is available.

The service-linked role eliminates the need to manually add the necessary permissions when setting up Security Lake. Security Lake defines the permissions of this service-linked role, and unless defined otherwise, only Security Lake can assume the role. The defined permissions include the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity.

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide. You can delete a service-linked role only after you delete its related resources. This protects your resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see AWS services that work with IAM and look for the services that have Yes in the Service-linked roles column. Choose a Yes with a link to review the service-linked role documentation for that service.

Service-linked role permissions for Security Lake

Security Lake uses the service-linked role named AWSServiceRoleForSecurityLake. This service-linked role trusts the securitylake.amazonaws.com service to assume the role. For more information about AWS managed policies for Amazon Security Lake, see AWS managed policies for Amazon Security Lake.

The permissions policy for the role, which is an AWS managed policy named SecurityLakeServiceLinkedRole, allows Security Lake to create and operate the security data lake. It also allows Security Lake to perform tasks such as the following on the specified resources:

  • Use AWS Organizations actions to retrieve information about associated accounts

  • Use Amazon Elastic Compute Cloud (Amazon EC2) to retrieve information about Amazon VPC Flow Logs

  • Use AWS CloudTrail actions to retrieve information about the service-linked role

  • Use AWS WAF actions to collect AWS WAF logs, when it is enabled as a log source in Security Lake

  • Use the LogDelivery actions to create or delete an AWS WAF log delivery subscription, when the call is made through AWS WAF

The role is configured with the following permissions policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OrganizationsPolicies",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts",
                "organizations:DescribeOrganization"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DescribeOrgAccounts",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeAccount"
            ],
            "Resource": [
                "arn:aws:organizations::*:account/o-*/*"
            ]
        },
        {
            "Sid": "AllowManagementOfServiceLinkedChannel",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:CreateServiceLinkedChannel",
                "cloudtrail:DeleteServiceLinkedChannel",
                "cloudtrail:GetServiceLinkedChannel",
                "cloudtrail:UpdateServiceLinkedChannel"
            ],
            "Resource": "arn:aws:cloudtrail:*:*:channel/aws-service-channel/security-lake/*"
        },
        {
            "Sid": "AllowListServiceLinkedChannel",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:ListServiceLinkedChannels"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DescribeAnyVpc",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ListDelegatedAdmins",
            "Effect": "Allow",
            "Action": [
                "organizations:ListDelegatedAdministrators"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "organizations:ServicePrincipal": "securitylake.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AllowWafLoggingConfiguration",
            "Effect": "Allow",
            "Action": [
                "wafv2:PutLoggingConfiguration",
                "wafv2:GetLoggingConfiguration",
                "wafv2:ListLoggingConfigurations",
                "wafv2:DeleteLoggingConfiguration"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "wafv2:LogScope": "SecurityLake"
                }
            }
        },
        {
            "Sid": "AllowPutLoggingConfiguration",
            "Effect": "Allow",
            "Action": [
                "wafv2:PutLoggingConfiguration"
            ],
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "wafv2:LogDestinationResource": "arn:aws:s3:::aws-waf-logs-security-lake-*"
                }
            }
        },
        {
            "Sid": "ListWebACLs",
            "Effect": "Allow",
            "Action": [
                "wafv2:ListWebACLs"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LogDelivery",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:DeleteLogDelivery"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "wafv2.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
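To make concrete what the conditions in this policy constrain (WAF logging only within the SecurityLake log scope or into aws-waf-logs-security-lake-* buckets, and log deliveries only when called through AWS WAF), here is an added example, not code from the AWS documentation, that evaluates a few request contexts against the condition-bearing statements above with a small allow-only evaluator. The abridged `POLICY`, `allowing_statement` and its helpers are this example's own constructs; explicit Deny statements, SCPs and resource-level matching are out of scope.

```python
import fnmatch
import json

# Constructed for this example: the condition-bearing statements of the
# SecurityLakeServiceLinkedRole policy shown above, with the same Sids,
# actions and conditions (the unconditional statements are omitted).
POLICY = json.loads("""{ "Version": "2012-10-17", "Statement": [
 { "Sid": "AllowWafLoggingConfiguration", "Effect": "Allow",
   "Action": ["wafv2:PutLoggingConfiguration", "wafv2:GetLoggingConfiguration",
              "wafv2:ListLoggingConfigurations", "wafv2:DeleteLoggingConfiguration"],
   "Resource": "*", "Condition": {"StringEquals": {"wafv2:LogScope": "SecurityLake"}} },
 { "Sid": "AllowPutLoggingConfiguration", "Effect": "Allow",
   "Action": ["wafv2:PutLoggingConfiguration"], "Resource": "*",
   "Condition": {"ArnLike": {"wafv2:LogDestinationResource":
                             "arn:aws:s3:::aws-waf-logs-security-lake-*"}} },
 { "Sid": "LogDelivery", "Effect": "Allow",
   "Action": ["logs:CreateLogDelivery", "logs:DeleteLogDelivery"], "Resource": "*",
   "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["wafv2.amazonaws.com"]}} }
]}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _arn_like(arn, pattern):
    # IAM matches ARNs field by field: a '*' does not span the colon separators,
    # so split both sides into the six ARN fields before globbing each one.
    a, p = arn.split(":", 5), pattern.split(":", 5)
    return len(a) == len(p) and all(fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))

def _condition_holds(condition, ctx):
    # Only the three operators this policy uses are implemented. A key absent from
    # the request context fails the condition, as IAM does for non-IfExists operators.
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            actual, wanted = _as_list(ctx.get(key, [])), _as_list(wanted)
            if not actual:
                return False
            if op == "StringEquals":
                ok = all(a in wanted for a in actual)
            elif op == "ArnLike":
                ok = all(any(_arn_like(a, w) for w in wanted) for a in actual)
            elif op == "ForAnyValue:StringEquals":
                ok = any(a in wanted for a in actual)
            else:
                raise NotImplementedError(op)
            if not ok:
                return False
    return True

def allowing_statement(action, ctx, policy=POLICY):
    """Sid of the first Allow statement granting `action` under request context `ctx`, else None."""
    for st in policy["Statement"]:
        if st["Effect"] == "Allow" and any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            if _condition_holds(st.get("Condition", {}), ctx):
                return st["Sid"]
    return None
```

Running `allowing_statement("wafv2:PutLoggingConfiguration", {"wafv2:LogDestinationResource": "arn:aws:s3:::some-other-bucket"})` returns None, which is the least-privilege property an auditor wants to confirm: the role cannot redirect WAF logs to a bucket outside the Security Lake naming pattern.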


Creating the Security Lake service-linked role

You don't need to manually create the AWSServiceRoleForSecurityLake service-linked role for Security Lake. When you enable Security Lake for your AWS account, Security Lake automatically creates the service-linked role for you.

Editing the Security Lake service-linked role

Security Lake doesn't allow you to edit the AWSServiceRoleForSecurityLake service-linked role. After a service-linked role is created, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting the Security Lake service-linked role

You cannot delete the service-linked role from within Security Lake. Instead, you can delete the service-linked role from the IAM console, the IAM API, or the AWS CLI. For more information, see Deleting a service-linked role in the IAM User Guide.

Before you can delete the service-linked role, you must first confirm that the role has no active sessions and remove any resources that AWSServiceRoleForSecurityLake is using.

Note

If Security Lake is using the AWSServiceRoleForSecurityLake role when you try to delete the resources, the deletion might fail. If that happens, wait a few minutes and then try the operation again.

If you delete the AWSServiceRoleForSecurityLake service-linked role and later need it again, enable Security Lake for your account again; Security Lake then automatically recreates the service-linked role for you.

Supported AWS Regions for the Security Lake service-linked role

Security Lake supports using the AWSServiceRoleForSecurityLake service-linked role in all the AWS Regions where Security Lake is available. For a list of Regions where Security Lake is currently available, see Security Lake Regions and endpoints.