Amazon Security Lake FAQs

Page topics

General

General

Amazon Security Lake is a service that automates the sourcing, aggregation, normalization, and data management of security data across your organization into a security data lake stored in your account. A security data lake helps make your organization’s security data broadly accessible to your preferred security analytics solutions to power use cases such as threat detection, investigation, and incident response.

Security Lake automatically centralizes security data from AWS environments, SaaS providers, on premises, and cloud sources into a purpose-built data lake stored in your account. Use Security Lake to analyze security data, gain a more comprehensive understanding of security across the entire organization, and improve the protection of your workloads, applications, and data. Security-related data includes service and application logs, security alerts, and threat intelligence (such as known malicious IP addresses), which are essential for detecting, investigating, and remediating security incidents. Security best practices require an effective log and security event data management process. Security Lake automates this process and facilitates solutions performing streaming analytics detections, time-series analytics, user and entity behavior analytics (UEBA), security orchestration and remediation (SOAR), and incident response.

The Open Cybersecurity Schema Framework (OCSF) is a collaborative open-source schema for security logs and events. It includes a vendor-agnostic data taxonomy that reduces the need to normalize security log and event data across various products, services, and open-source tools.

Security Lake automatically collects logs for the following services:

  • AWS CloudTrail
  • Amazon Virtual Private Cloud (VPC)
  • Amazon Route 53
  • Amazon Simple Storage Service (S3)
  • AWS Lambda
  • Amazon Elastic Kubernetes Service (EKS) 
  • AWS Web Application Firewall (WAF)

It also collects security findings through AWS Security Hub for the following services:

  • AWS Config
  • AWS Firewall Manager
  • Amazon GuardDuty
  • AWS Health
  • AWS Identity and Access Management (IAM) Access Analyzer
  • Amazon Inspector
  • Amazon Macie
  • AWS Systems Manager Patch Manager

In addition, you can add data from third-party security solutions, other cloud sources, and your own custom data that supports the OCSF. This data includes logs from internal applications or network infrastructure that you have converted into the OCSF format.

Yes, you can try the service for 15 days at no cost with any new account to Security Lake with the AWS Free Tier. You have access to the full set of features during the free trial.

Security Lake automates the sourcing, aggregation, normalization, and management of security-related data from cloud, on-premises, and custom sources into a security data lake stored in your AWS account. Security Lake has adopted the OCSF, an open standard. With OCSF support, the service can normalize and combine security data from AWS and a broad range of enterprise security sources. AWS CloudTrail Lake is a managed audit and security lake. It allows you to aggregate, immutably store, and query audit and security logs from AWS (CloudTrail events, configuration items from AWS Config, audit evidence from AWS Audit Manager) and outside sources (in-house or SaaS applications hosted on premises or in the cloud, virtual machines, or containers). This data can then be stored for up to 7 years in a CloudTrail Lake event data store, at no additional cost, and investigated with the CloudTrail Lake built-in SQL query engine.

Turning on CloudTrail is a prerequisite to collect and deliver CloudTrail management event logs to customer S3 buckets through any AWS service. For example, to deliver CloudTrail management event logs to Amazon CloudWatch logs, a trail needs to be created first. Since Security Lake delivers CloudTrail management events at an organization level to a customer-owned S3 bucket, it requires an organization trail in CloudTrail with management events activated.

Security Lake can receive security findings from 50 solutions through the AWS Security Hub integration. For details, see AWS Security Hub Partners. There is also a growing number of technology solutions that can provide data in the OCSF format and be integrated with Security Lake. For details, see Amazon Security Lake Partners.

When you first open the Security Lake console, choose Get Started, and then choose Enable. Security Lake uses a service-linked role that includes the permissions and trust policy that allows Security Lake to collect data from your sources and grant access to subscribers. It is best practice to enable Security Lake in all supported AWS Regions. This allows Security Lake to collect and retain data that's connected to unauthorized or unusual activity, even in Regions that you are not actively using. If Security Lake is not enabled in all supported Regions, its ability to collect data that involves global services is reduced.

A rollup Region is a Region that aggregates security logs and events from other specified Regions. When you enable Security Lake, you can specify one or more rollup Regions, which can help you comply with regional compliance requirements.

Security Lake Regional availability is listed in the Amazon Security Lake endpoints page.