Amazon Security Lake FAQs

Amazon Security Lake is a service that automates the sourcing, aggregation, normalization, and data management of security data across your organization into a security data lake stored in your account. A security data lake helps make your organization’s security data broadly accessible to your preferred security analytics solutions to power use cases such as threat detection, investigation, and incident response.

Security Lake automatically centralizes security data from AWS environments, SaaS providers, on premises, and cloud sources into a purpose-built data lake stored in your account. Use Security Lake to analyze security data, gain a more comprehensive understanding of security across the entire organization, and improve the protection of your workloads, applications, and data. Security-related data includes service and application logs, security alerts, and threat intelligence (such as known malicious IP addresses), which are essential for detecting, investigating, and remediating security incidents. Security best practices require an effective log and security event data management process. Security Lake automates this process and facilitates solutions performing streaming analytics detections, time-series analytics, user and entity behavior analytics (UEBA), security orchestration and remediation (SOAR), and incident response.

The Open Cybersecurity Schema Framework (OCSF) is a collaborative open-source schema for security logs and events. It includes a vendor-agnostic data taxonomy that reduces the need to normalize security log and event data across various products, services, and open-source tools.

Security Lake automatically collects logs for the following services:

• AWS CloudTrail
• Amazon Virtual Private Cloud (VPC)
• Amazon Route 53
• Amazon Simple Storage Service (S3)
• AWS Lambda
• Amazon Elastic Kubernetes Service (EKS) 
• AWS Web Application Firewall (WAF)

It also collects security findings through AWS Security Hub for the following services:

• AWS Config
• AWS Firewall Manager
• Amazon GuardDuty
• AWS Health
• AWS Identity and Access Management (IAM) Access Analyzer
• Amazon Inspector
• Amazon Macie
• AWS Systems Manager Patch Manager

In addition, you can add data from third-party security solutions, other cloud sources, and your own custom data that supports the OCSF. This data includes logs from internal applications or network infrastructure that you have converted into the OCSF format.

Yes, you can try the service for 15 days at no cost with any new account to Security Lake with the AWS Free Tier. You have access to the full set of features during the free trial.

The integration between Amazon OpenSearch Service and Amazon Security Lake offers a streamlined experience for directly searching, gaining insights from, and analyzing data stored in Security Lake, all within the Amazon OpenSearch Service. There are two ways you can integrate Security Lake and OpenSearch Service: on-demand data access and continuous ingestion. The on-demand option is ideal for voluminous log sources with infrequent access, allowing users to analyze data without upfront ingestion costs. Alternatively, the continuous ingestion method is suitable for real-time analysis and provides faster access to high-value security sources like AWS Security Hub findings and AWS CloudTrail management events.

Security Lake automates the sourcing, aggregation, normalization, and management of security-related data from cloud, on-premises, and custom sources into a security data lake stored in your AWS account. Security Lake has adopted the OCSF, an open standard. With OCSF support, the service can normalize and combine security data from AWS and a broad range of enterprise security sources. AWS CloudTrail Lake is a managed audit and security lake. It allows you to aggregate, immutably store, and query audit and security logs from AWS (CloudTrail events, configuration items from AWS Config, audit evidence from AWS Audit Manager) and outside sources (in-house or SaaS applications hosted on premises or in the cloud, virtual machines, or containers). This data can then be stored for up to 7 years in a CloudTrail Lake event data store, at no additional cost, and investigated with the CloudTrail Lake built-in SQL query engine.

To get started, you first need to have an existing Security Lake setup in your AWS environment. This will provide the centralized storage and access to your enterprise security data.

Once Security Lake is configured, you can enable the integration with Amazon OpenSearch Service. To do this, navigate to the Security Lake console in the AWS Management Console and create a subscriber for the account you plan to use for Amazon OpenSearch. Next, go to the Amazon OpenSearch Service console and configure a data source for Security Lake. This process involves configuring the necessary permissions and access controls to allow OpenSearch Service to securely access and query the data in your Security Lake.

You can then explore the pre-built queries and integrations available through OCSF to quickly get started in OpenSearch Service Dashboards with common security analytics use cases. You also have the option to configure on-demand indexing of specific data sets from your Security Lake into OpenSearch Service for advanced analytics and visualization needs.

With the integration set up, you can begin querying and analyzing your security data directly from the Dashboard, leveraging the powerful search, analytics, and visualization capabilities it provides. You can also customize dashboards and other monitoring features in OpenSearch Service to fit your specific security requirements and workflows.

Turning on CloudTrail is a prerequisite to collect and deliver CloudTrail management event logs to customer S3 buckets through any AWS service. For example, to deliver CloudTrail management event logs to Amazon CloudWatch logs, a trail needs to be created first. Since Security Lake delivers CloudTrail management events at an organization level to a customer-owned S3 bucket, it requires an organization trail in CloudTrail with management events activated.

Security Lake can receive security findings from 50 solutions through the AWS Security Hub integration. For details, see AWS Security Hub Partners. There is also a growing number of technology solutions that can provide data in the OCSF format and be integrated with Security Lake. For details, see Amazon Security Lake Partners.

When you first open the Security Lake console, choose Get Started, and then choose Enable. Security Lake uses a service-linked role that includes the permissions and trust policy that allows Security Lake to collect data from your sources and grant access to subscribers. It is best practice to enable Security Lake in all supported AWS Regions. This allows Security Lake to collect and retain data that's connected to unauthorized or unusual activity, even in Regions that you are not actively using. If Security Lake is not enabled in all supported Regions, its ability to collect data that involves global services is reduced.

A rollup Region is a Region that aggregates security logs and events from other specified Regions. When you enable Security Lake, you can specify one or more rollup Regions, which can help you comply with regional compliance requirements.

Security Lake Regional availability is listed in the Amazon Security Lake endpoints page.