Prerequisites
You must meet the following prerequisites before launching the stack.
Security Lake setup
Amazon Security Lake centralizes your security data using Lake Formation and Amazon S3 buckets. Before deploying this solution, enable and configure your Security Lake. For more information about Security Lake, see Getting started with Amazon Security Lake in the Amazon Security Lake User Guide.
Security Lake table sharing
If you're deploying the solution in the delegated admin account for the Security Lake, you don't need additional setup.
If you're deploying this solution in any other account, share the Security Lake tables with the deployment account using the Security Lake service console. You can create a subscriber from the Security Lake console, and then Security Lake shares the data tables with another account. This creates an AWS Resource Access Manager
Rollup Region
If you want the solution to show security insights for your entire AWS Organization, deploy the solution in the rollup Region selected when you set up your Security Lake. The rollup Region has centralized data for your entire AWS Organization. The solution uses the Lake Formation database that your Security Lake created in this rollup Region to query and get data. If you don't deploy the solution in the rollup Region, the solution only generates insights from the data within the deployed Region. For more information, see Step 2: Define storage settings and rollup Regions (optional) and Managing multiple accounts with AWS Organizations in the Amazon Security Lake User Guide.
QuickSight admin account
The solution uses QuickSight to show insights for data within your Security Lake. You must have a QuickSight admin account to deploy the solution and provide the Amazon Resource Name (ARN) for the admin user as one of the parameters to the solution. For more information, see Create an administrative user and Managing user access inside Amazon QuickSight in the Amazon QuickSight User Guide.
QuickSight uses a service role to access data from Athena and Amazon S3. This solution adds QuickSight as one of the principals for the Lake Formation database and tables. The solution only provides SELECT and DESCRIBE access to this role. This is required so that:
- The solution can refresh the QuickSight datasets
- QuickSight can run Athena queries on the data in the Lake Formation database
For more information, see Lake Formation permissions reference in the AWS Lake Formation Developer Guide and Authorizing connections to Amazon Athena in the Amazon QuickSight User Guide.
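As an added example (not part of this solution or guide), a defender-side check that the Lake Formation grants to the QuickSight service role stay at SELECT and DESCRIBE with no grant option. The role ARN, database and table names are assumptions, and the input is a constructed sample in the shape of `aws lakeformation list-permissions` output:

```python
import json

# Permissions the solution grants the QuickSight service role on the Lake Formation
# database and tables; anything beyond these is a finding.
ALLOWED = {"SELECT", "DESCRIBE"}

# Hypothetical ARN of the QuickSight service role (not from the page).
QUICKSIGHT_ROLE_ARN = "arn:aws:iam::111122223333:role/service-role/aws-quicksight-service-role-v0"

# Constructed sample in the shape of `aws lakeformation list-permissions` output;
# database and table names are placeholders, not the real Security Lake names.
SAMPLE_LIST_PERMISSIONS = json.dumps({"PrincipalResourcePermissions": [
    {"Principal": {"DataLakePrincipalIdentifier": QUICKSIGHT_ROLE_ARN},
     "Resource": {"Table": {"DatabaseName": "security_lake_db_EXAMPLE", "Name": "vpc_flow_EXAMPLE"}},
     "Permissions": ["SELECT", "DESCRIBE"], "PermissionsWithGrantOption": []},
    {"Principal": {"DataLakePrincipalIdentifier": QUICKSIGHT_ROLE_ARN},
     "Resource": {"Table": {"DatabaseName": "security_lake_db_EXAMPLE", "Name": "sh_findings_EXAMPLE"}},
     "Permissions": ["SELECT", "DESCRIBE", "ALTER", "DROP"], "PermissionsWithGrantOption": ["SELECT"]},
    {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:role/OtherAnalyst"},
     "Resource": {"Database": {"Name": "security_lake_db_EXAMPLE"}},
     "Permissions": ["ALL"], "PermissionsWithGrantOption": []},
]})


def resource_label(resource):
    """Human-readable name for a Lake Formation resource (table or database)."""
    if "Table" in resource:
        table = resource["Table"]
        return f'{table.get("DatabaseName", "?")}.{table.get("Name", "*")}'
    if "Database" in resource:
        return resource["Database"]["Name"]
    return json.dumps(resource, sort_keys=True)


def audit_quicksight_grants(list_permissions_json, role_arn):
    """Return (resource, problem) pairs for grants to role_arn that exceed
    SELECT/DESCRIBE or that carry the grant option (re-sharing rights)."""
    findings = []
    for entry in json.loads(list_permissions_json)["PrincipalResourcePermissions"]:
        if entry["Principal"]["DataLakePrincipalIdentifier"] != role_arn:
            continue  # other principals are outside the scope of this check
        label = resource_label(entry["Resource"])
        excess = sorted(set(entry.get("Permissions", [])) - ALLOWED)
        if excess:
            findings.append((label, f"excess permissions {excess}"))
        grantable = sorted(entry.get("PermissionsWithGrantOption", []))
        if grantable:
            findings.append((label, f"grant option on {grantable}"))
    return findings
```

Feed it the real `list-permissions` output for the deployment account to confirm the solution's grant has not been widened after deployment.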
QuickSight access to S3 buckets
To gain insights from the Security Lake data, QuickSight requires access to the S3 buckets created by the Security Lake service. Follow these instructions to authorize QuickSight to access your S3 buckets.
1. Sign in to the QuickSight console.
2. Select the user icon in the top menu, then choose the US East (N. Virginia) Region. You use this AWS Region temporarily while you edit your account permissions.
3. Follow the instructions for Setting up Amazon QuickSight to access Amazon S3 files in another AWS account in the Amazon QuickSight User Guide.
4. If you changed your AWS Region during the first step of this process, change it back to the AWS Region that you want to use.
Admin Pro or Author Pro role to enable Amazon Q in QuickSight
To use the Amazon Q in QuickSight feature (Q topics) with this solution, the QuickSight admin needs an Admin Pro or Author Pro role. To learn more about these roles and upgrade your account, see Get started with Generative BI in the Amazon QuickSight User Guide.
Data sources
The solution creates a QuickSight analysis and dashboard to show insights from four supported data sources.
Important
For this solution to work properly, your Security Lake queries must use source version 2. For more information, see Security Lake queries for source version 2 and Source management in Amazon Security Lake.
To see these visualizations and insights, enable the data sources in Security Lake. If a data source isn't enabled, QuickSight won't show data for the corresponding sheet in the analysis. For example, if the VPC Flow Logs data source is not enabled in Security Lake, the VPC Flow Logs sheet won't show data in the analysis. For more information, see Source management in Amazon Security Lake in the Amazon Security Lake User Guide.
AWS AppFabric setup
AWS AppFabric connects software as a service (SaaS) applications across your organization. You can get your SaaS audit logs into Amazon Security Lake in your AWS account by adding a custom source to Security Lake.
To set up AWS AppFabric, see Getting started with AWS AppFabric for security.
To use AWS AppFabric with your Security Lake, see AppFabric audit log ingestion considerations.