Q: What is Amazon Security Lake?
Amazon Security Lake is a service that automates the sourcing, aggregation, normalization, and data management of security data across your organization into a security data lake stored in your account. A security data lake helps make your organization's security data broadly accessible to your preferred security analytics solutions to power use cases such as threat detection, investigation, and incident response.
Q: Why should I use Security Lake?
Amazon Security Lake automatically centralizes security data from cloud, on-premises, and custom sources into a purpose-built data lake stored in your account. Use Security Lake to analyze security data to get a more complete understanding of your security across the entire organization. You can also use Security Lake to help you improve the protection of your workloads, applications, and data. Security-related data includes service and application logs, security alerts, and threat intelligence (such as known malicious IP addresses), which are the source of truth for detecting, investigating, and remediating security incidents. Security best practice requires an effective log and security event data management process. Security Lake automates this process and facilitates solutions performing streaming analytics detections, time-series analytics, user and entity behavior analytics (UEBA), security orchestration and remediation (SOAR), and incident response.
Q: Which log and event sources does Security Lake support during the preview period?
Amazon Security Lake automatically collects logs for AWS CloudTrail, Amazon Virtual Private Cloud (VPC), Amazon Route 53, Amazon Simple Storage Service (S3), and AWS Lambda. It also collects security findings through AWS Security Hub for AWS Config, AWS Firewall Manager, Amazon GuardDuty, AWS Health, AWS Identity and Access Management (IAM) Access Analyzer, Amazon Inspector, Amazon Macie, and AWS Systems Manager Patch Manager. You can also add data from third-party security solutions that support the Open Cybersecurity Schema Framework (OCSF) and your custom data. This data includes logs from internal applications or network infrastructure that you have converted into OCSF format.
Q: Which partners work with Amazon Security Lake?
Amazon Security Lake has adopted the OCSF, an open standard, which helps to automatically normalize security findings from over 50 solutions integrated through AWS Security Hub. For details, see AWS Security Hub Partners. There is also a growing number of technology solutions that can provide data in OCSF format and have integrated with Amazon Security Lake. For details, see Amazon Security Lake Partners.
Q: What is the Open Cybersecurity Schema Framework (OCSF)?
The OCSF is a collaborative open-source schema for security logs and events. It includes a vendor-agnostic data taxonomy that reduces the need to normalize security log and event data across various products, services, and open-source tools.
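The custom-source path mentioned above (application logs "converted into OCSF format") is the part you write yourself. As an added example that is not from AWS or this FAQ, the following Python converter turns a constructed login log line from a hypothetical internal application into an OCSF Authentication event (category 3, class 3002) of the shape a custom source would hand to Security Lake. The log line format, product name and the OCSF version string are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample line from a hypothetical internal app (assumed format):
# <ISO-8601 timestamp> <LOGIN|LOGOUT> user=<name> src=<ip> result=<ok|fail>
SAMPLE_LINE = "2023-01-15T10:22:31Z LOGIN user=alice src=203.0.113.7 result=fail"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# OCSF Authentication class (category 3, class 3002) enumerations.
CATEGORY_UID, CLASS_UID = 3, 3002
ACTIVITY = {"LOGIN": (1, "Logon"), "LOGOUT": (2, "Logoff")}
STATUS = {"ok": (1, "Success"), "fail": (2, "Failure")}
OCSF_VERSION = "1.0.0"  # assumed; use the schema version your subscribers expect


def to_ocsf(line: str) -> dict:
    """Normalize one custom log line into an OCSF Authentication event."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized log line: {line!r}")
    activity_id, activity_name = ACTIVITY[m["event"]]
    status_id, status_name = STATUS[m["result"]]
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Failed logons deserve more attention than successful ones.
    severity_id, severity = (3, "Medium") if status_id == 2 else (1, "Informational")
    return {
        "category_uid": CATEGORY_UID,
        "category_name": "Identity & Access Management",
        "class_uid": CLASS_UID,
        "class_name": "Authentication",
        "activity_id": activity_id,
        "activity_name": activity_name,
        # type_uid is derived in OCSF as class_uid * 100 + activity_id
        "type_uid": CLASS_UID * 100 + activity_id,
        "severity_id": severity_id,
        "severity": severity,
        "status_id": status_id,
        "status": status_name,
        "time": int(ts.timestamp() * 1000),  # OCSF time is epoch milliseconds
        "metadata": {
            "version": OCSF_VERSION,
            "product": {"name": "internal-auth-app", "vendor_name": "example-corp"},
        },
        "user": {"name": m["user"]},
        "src_endpoint": {"ip": m["src"]},
    }
```

Lines that do not match the expected format raise rather than being silently dropped, so a broken source shows up in your pipeline's error metrics instead of as a gap in the lake.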
Q: How do I enable Amazon Security Lake?
When you open the Amazon Security Lake console for the first time, choose Get Started, and then choose Enable. Amazon Security Lake uses a service-linked role that includes the permissions and trust policy that allow Amazon Security Lake to collect data from your sources and grant access to subscribers. It is best practice to enable Amazon Security Lake in all supported AWS Regions. This allows Amazon Security Lake to collect and retain data that's connected to unauthorized or unusual activity, even in Regions that you are not actively using. If Amazon Security Lake is not enabled in all supported Regions, its ability to collect data that involves global services is reduced.
Q: What is a rollup Region?
A rollup Region is an AWS Region that aggregates security logs and events from other specified Regions. When you enable Amazon Security Lake, you can specify one or more rollup Regions, which can help you comply with Regional compliance requirements.