Amazon Security Lake Documentation

Amazon Security Lake centralizes security data from cloud, on-premises, and custom sources into a purpose-built data lake stored in your account. Use Security Lake to analyze security data. Get a more complete understanding of your security across your entire organization, and improve the protection of your workloads, applications, and data. Security Lake gathers and manages your security data across accounts and Regions. Use your preferred analytics tools while retaining control and ownership of your security data. Security Lake has adopted the Open Cybersecurity Schema Framework (OCSF), an open standard. With OCSF support, the service can normalize and combine security data from AWS and a broad range of enterprise security data sources. Now, your analysts and engineers can get broad visibility to investigate and respond to security events and improve your security across the cloud and on premises.

Data aggregation in your account

Amazon Security Lake creates a purpose-built security data lake in your account. Security Lake collects log and event data from cloud, on-premises, and custom data sources across accounts and Regions. The service stores the gathered logs in your Amazon Simple Storage Service (S3) buckets, so you retain control and ownership of your data.

Various supported AWS and third-party log and event sources

Security Lake collects logs for the following services:

  • AWS CloudTrail
  • Amazon Virtual Private Cloud (VPC)
  • Amazon Route 53
  • Amazon Simple Storage Service (S3)
  • AWS Lambda

Security Lake also collects security findings through AWS Security Hub for the following services:

  • AWS Config
  • AWS Firewall Manager
  • Amazon GuardDuty
  • AWS Health
  • AWS Identity and Access Management (IAM) Access Analyzer
  • Amazon Inspector
  • Amazon Macie
  • AWS Systems Manager Patch Manager

Data normalization and support for OCSF

Amazon Security Lake normalizes AWS logs and security findings to OCSF. This includes AWS CloudTrail management events, Amazon Virtual Private Cloud (VPC) Flow Logs, Amazon Route 53 Resolver query logs, and security findings from solutions integrated through AWS Security Hub. You can also add data from third-party security solutions and your own custom data, such as logs from internal applications or network infrastructure, provided you have converted it into OCSF format. With support for OCSF, Security Lake helps centralize, transform, and make your security data available to your preferred analytics tools.
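The custom-source path above requires you to do the OCSF conversion yourself before the data lands in the lake. The following added example (not AWS or Security Lake code) shows what that looks like for a constructed log format from a hypothetical internal SSH gateway: each authentication line is mapped onto an OCSF Authentication event. The class and attribute names (category_uid 3, class_uid 3002, activity_id, type_uid, status_id, severity_id, metadata.product, actor.user, src_endpoint, dst_endpoint) follow the public OCSF schema as understood here and are assumptions to verify against the schema version you target; lines that are not auth events, or whose outcome is unknown, are dropped rather than guessed.

```python
"""Convert a constructed internal auth log into OCSF-shaped records (added example)."""
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample input from a hypothetical SSH gateway; not a real product's format.
SAMPLE_LOG = """2024-05-01T12:00:03Z sshgw auth user=alice src=10.0.1.15 dst=bastion-01 result=success
2024-05-01T12:00:09Z sshgw auth user=root src=198.51.100.7 dst=bastion-01 result=failure reason=bad_password
2024-05-01T12:00:10Z sshgw heartbeat ok"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<app>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)(?: reason=(?P<reason>\S+))?$"
)

# OCSF identifiers, assumed from the public OCSF schema (Authentication class).
CATEGORY_IAM = 3              # Identity & Access Management
CLASS_AUTHENTICATION = 3002
ACTIVITY_LOGON = 1
STATUS = {"success": 1, "failure": 2}    # status_id: Success / Failure
SEVERITY = {"success": 1, "failure": 3}  # severity_id: Informational / Medium


def to_epoch_ms(ts: str) -> int:
    """OCSF 'time' is epoch milliseconds; the source stamps are UTC ISO-8601."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def normalize_line(line: str) -> Optional[dict]:
    """Return an OCSF Authentication event for an auth line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    result = f["result"]
    if result not in STATUS:
        return None  # unknown outcome: drop rather than invent a status
    event = {
        "category_uid": CATEGORY_IAM,
        "class_uid": CLASS_AUTHENTICATION,
        "activity_id": ACTIVITY_LOGON,
        "type_uid": CLASS_AUTHENTICATION * 100 + ACTIVITY_LOGON,
        "time": to_epoch_ms(f["ts"]),
        "severity_id": SEVERITY[result],
        "status_id": STATUS[result],
        "metadata": {
            "version": "1.1.0",  # assumed OCSF schema version; set to the one you target
            "product": {"name": f["app"], "vendor_name": "example-internal"},
        },
        "actor": {"user": {"name": f["user"]}},
        "src_endpoint": {"ip": f["src"]},
        "dst_endpoint": {"hostname": f["dst"]},
    }
    if f["reason"]:
        event["status_detail"] = f["reason"]
    return event


def normalize(text: str) -> list:
    """Normalize every line of a log blob, skipping non-auth lines."""
    return [e for e in (normalize_line(ln) for ln in text.splitlines()) if e]


if __name__ == "__main__":
    for ev in normalize(SAMPLE_LOG):
        print(json.dumps(ev))
```

The point of the strict regex and the explicit status map is that a record the lake cannot classify is worse than a dropped one: downstream detections key on class_uid and status_id, so an unmapped outcome should surface as a parser miss you can count, not as a plausible-looking event with a guessed status.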

Multi-account and multi-Region support

You can enable Amazon Security Lake across multiple AWS Regions where the service is available and across multiple AWS accounts. You can aggregate security data across accounts on a per-Region basis or consolidate security data from multiple Regions into rollup Regions. Security Lake rollup Regions can help you comply with Regional compliance requirements.

Security data lake access management

Security Lake streamlines setting up access to your data lake for your security and analytics tools. For example, you might choose to grant access only to datasets from specified sources, such as CloudTrail. There are two modes of access. Streaming access issues a notification to your tools when new objects are written to the data lake. Query access allows tools to query the data stored in your security data lake directly.
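Scoping a tool to a single source, as the CloudTrail example above describes, is ultimately a least-privilege question about which object keys a principal may list and read. The following added IAM policy fragment (not AWS or Security Lake code, and not the service's own subscriber setup) shows that shape: a read-only principal is allowed to list and fetch only objects under one source prefix. The bucket name is a placeholder, and the `aws/CLOUD_TRAIL_MGMT/` prefix is an assumption about the lake's key layout; confirm it against the actual object keys in your lake before using it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheCloudTrailPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-SECURITY-LAKE-BUCKET",
      "Condition": {
        "StringLike": { "s3:prefix": ["aws/CLOUD_TRAIL_MGMT/*"] }
      }
    },
    {
      "Sid": "ReadOnlyCloudTrailObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-SECURITY-LAKE-BUCKET/aws/CLOUD_TRAIL_MGMT/*"
    }
  ]
}
```

Two checks worth making when reviewing such a grant: the `s3:ListBucket` statement must carry the `s3:prefix` condition, otherwise the principal can enumerate every source in the lake even though it can only read one; and no statement should grant `s3:PutObject` or `s3:DeleteObject`, since an analytics consumer has no reason to write into, or erase, the evidence store.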

Data lifecycle management and optimization

Amazon Security Lake manages the lifecycle of your data with customizable retention settings, and manages storage costs with automated storage tiering. Security Lake automatically partitions incoming security data and converts it to Apache Parquet, a format that is efficient for both storage and querying.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.