Data aggregation in your account

Security Lake creates a purpose-built security data lake in your account. Security Lake collects log and event data from cloud, on-premises, and custom data sources across accounts and Regions. The service stores the gathered logs in your Amazon Simple Storage Service (S3) buckets, so you retain complete control and ownership over your data.

Various supported AWS and third-party log and event sources

Security Lake automatically collects logs for the following services:

  • AWS CloudTrail
  • Amazon Virtual Private Cloud (VPC)
  • Amazon Route 53
  • Amazon Simple Storage Service (S3)
  • AWS Lambda
  • Amazon Elastic Kubernetes Service (EKS)
  • AWS Web Application Firewall (WAF)

It also collects security findings through AWS Security Hub for the following services:

  • AWS Config
  • AWS Firewall Manager
  • Amazon GuardDuty
  • AWS Health
  • AWS Identity and Access Management (IAM) Access Analyzer
  • Amazon Inspector
  • Amazon Macie
  • AWS Systems Manager Patch Manager

Data normalization and support for OCSF

Security Lake automatically normalizes AWS log and security findings to OCSF. You can add data from third-party security solutions, other cloud sources, and your custom data such as logs from internal applications or network infrastructure that you have converted into the OCSF format. With support for OCSF, Security Lake centralizes, transforms, and makes your security data available to your preferred analytics tools.

Multi-account and multi-Region support

You can activate Security Lake across multiple Regions where the service is available and across multiple AWS accounts. You can aggregate security data across accounts on a per-Region basis or consolidate security data from multiple Regions into rollup Regions. Security Lake rollup Regions can help you comply with regional compliance requirements.

Security data lake access management

Security Lake helps you streamline setting up access to your data lake for your security and analytics tools. For example, you might choose to only grant access to datasets from specified sources, such as CloudTrail. There are two modes of access available: data access, which issues a notification when new objects are written to the data lake, and query access, which allows tools to query the data stored in your security data lake.

Data lifecycle management and optimization

Security Lake manages the lifecycle of your data with customizable retention settings and storage costs with automated storage tiering. Security Lake automatically partitions and converts incoming security data to a storage- and query-efficient Apache Parquet format. Security Lake supports Apache Iceberg tables in AWS Glue catalog to help you easily transition your analytics tools to run queries with increased performance.

Security observability with AWS AppFabric

AWS AppFabric automatically normalizes SaaS application audit logs into the OCSF format and delivers normalized OCSF data to Security Lake. With the combination of Security Lake and AppFabric, you can easily aggregate, normalize, and visualize security data across key data sources. There are no fees associated with data normalization or data ingestion for the AppFabric integration with Security Lake. Standard AppFabric charges apply.