Amazon Security Lake Features

Security Lake creates a purpose-built security data lake in your account. Security Lake collects log and event data from cloud, on-premises, and custom data sources across accounts and Regions. The service stores the gathered logs in your Amazon Simple Storage Service (S3) buckets, so you retain complete control and ownership over your data.

Security Lake automatically collects logs for the following services:

• AWS CloudTrail
• Amazon Virtual Private Cloud (VPC)
• Amazon Route 53
• Amazon Simple Storage Service (S3)
• AWS Lambda
• Amazon Elastic Kubernetes Service (EKS)
• AWS Web Application Firewall (WAF)

It also collects findings from AWS Security Hub, including findings originating from the following services: 

• AWS Config
• AWS Firewall Manager
• Amazon GuardDuty
• AWS Health
• AWS Identity and Access Management (IAM) Access Analyzer
• Amazon Inspector
• Amazon Macie
• AWS Systems Manager Patch Manager

Security Lake automatically normalizes AWS log and security findings to OCSF. You can add data from third-party security solutions, other cloud sources, and your custom data such as logs from internal applications or network infrastructure that you have converted into the OCSF format. With support for OCSF, Security Lake centralizes, transforms, and makes your security data available to your preferred analytics tools.

You can activate Security Lake across multiple Regions where the service is available and across multiple AWS accounts. You can aggregate security data across accounts on a per-Region basis or consolidate security data from multiple Regions into rollup Regions. Security Lake rollup Regions can help you comply with regional compliance requirements.

Security Lake helps you streamline setting up access to your data lake for your security and analytics tools. For example, you might choose to only grant access to datasets from specified sources, such as CloudTrail. There are two modes of access available: data access, which issues a notification when new objects are written to the data lake, and query access, which allows tools to query the data stored in your security data lake.

Security Lake manages the lifecycle of your data with customizable retention settings and storage costs with automated storage tiering. Security Lake automatically partitions and converts incoming security data to a storage- and query-efficient Apache Parquet format. Security Lake supports Apache Iceberg tables in AWS Glue catalog to help you easily transition your analytics tools to run queries with increased performance.

AWS AppFabric automatically normalizes SaaS application audit logs into the OCSF format and delivers normalized OCSF data to Security Lake. With the combination of Security Lake and AppFabric, you can easily aggregate, normalize, and visualize security data across key data sources. There are no fees associated with data normalization or data ingestion for the AppFabric integration with Security Lake. Standard AppFabric charges apply.

Amazon OpenSearch Service makes it easier for you to perform interactive log analytics and real-time application monitoring, and now it seamlessly integrates with Security Lake. This enables your organization to efficiently search, analyze, and gain actionable insights from your security data, helping to streamline complex data engineering requirements and unlock the full potential of your security data.  Key benefits of this integration include comprehensive visibility and access to all of your Security Lake data, faster security value, and simplified configuration. Additionally, this integration offers the potential for improved cost management. Features like direct querying of Security Lake data can help avoid data duplication. This integration also provides on-demand indexing of select data sets for advanced analytics, as well as pre-built queries and dashboards using the Open Cybersecurity Schema Framework (OCSF). By leveraging this integration, your organization can use the analytics and visualization capabilities of OpenSearch Service to perform deeper investigations, enhance threat hunting, and proactively monitor your security posture, all while potentially lowering your costs.