Amazon Security Lake automatically centralizes security data from AWS environments, SaaS providers, on premises, and cloud sources into a purpose-built data lake stored in your account. Security Lake makes it easier to analyze security data, gain a more comprehensive understanding of security across your entire organization, and improve the protection of your workloads, applications, and data. Security Lake automates the collection and management of your security data across accounts and AWS Regions so that you can use your preferred analytics tools while retaining control and ownership over your security data. Security Lake has adopted the Open Cybersecurity Schema Framework (OCSF), an open standard. With OCSF support, the service normalizes and combines security data from AWS and a broad range of enterprise security data sources. With Security Lake, your team of analysts and security engineers can get broad visibility to investigate and respond to security events, facilitating timely responses, and to improve your security across multicloud and hybrid environments.
Data aggregation in your account
Security Lake creates a purpose-built security data lake in your account. Security Lake collects log and event data from cloud, on-premises, and custom data sources across accounts and Regions. The service stores the gathered logs in your Amazon Simple Storage Service (S3) buckets, so you retain complete control and ownership over your data.
Various supported AWS and third-party log and event sources
Security Lake automatically collects logs for the following services:
- AWS CloudTrail
- Amazon Virtual Private Cloud (VPC)
- Amazon Route 53
- Amazon Simple Storage Service (S3)
- AWS Lambda
- Amazon Elastic Kubernetes Service (EKS)
It also collects security findings through AWS Security Hub for the following services:
- AWS Config
- AWS Firewall Manager
- Amazon GuardDuty
- AWS Health
- AWS Identity and Access Management (IAM) Access Analyzer
- Amazon Inspector
- Amazon Macie
- AWS Systems Manager Patch Manager
Data normalization and support for OCSF
Security Lake automatically normalizes AWS log and security findings to OCSF. You can add data from third-party security solutions, other cloud sources, and your custom data such as logs from internal applications or network infrastructure that you have converted into the OCSF format. With support for OCSF, Security Lake centralizes, transforms, and makes your security data available to your preferred analytics tools.
Multi-account and multi-Region support
You can activate Security Lake across multiple Regions where the service is available and across multiple AWS accounts. You can aggregate security data across accounts on a per-Region basis or consolidate security data from multiple Regions into rollup Regions. Security Lake rollup Regions can help you comply with regional compliance requirements.
Security data lake access management
Security Lake helps you streamline setting up access to your data lake for your security and analytics tools. For example, you might choose to only grant access to datasets from specified sources, such as CloudTrail. There are two modes of access available: data access, which issues a notification when new objects are written to the data lake, and query access, which allows tools to query the data stored in your security data lake.
Data lifecycle management and optimization
Security Lake manages the lifecycle of your data with customizable retention settings and storage costs with automated storage tiering. Security Lake automatically partitions and converts incoming security data to a storage- and query-efficient Apache Parquet format. Security Lake supports Apache Iceberg tables in AWS Glue catalog to help you easily transition your analytics tools to run queries with increased performance.
Security observability with AWS AppFabric
AWS AppFabric automatically normalizes SaaS application audit logs into the OCSF format and delivers normalized OCSF data to Security Lake. With the combination of Security Lake and AppFabric, you can easily aggregate, normalize, and visualize security data across key data sources. There are no fees associated with data normalization or data ingestion for the AppFabric integration with Security Lake. Standard AppFabric charges apply.