AWS::SecurityLake::DataLake
Initializes an Amazon Security Lake instance with the provided (or default) configuration. You
can enable Security Lake in Amazon Web Services Regions with customized settings before enabling
log collection in Regions. To specify particular Regions, configure these Regions using the
configurations parameter. If you have already enabled Security Lake in a Region
when you call this command, the command will update the Region if you provide new
configuration parameters. If you have not already enabled Security Lake in the Region when you
call this API, it will set up the data lake in the Region with the specified
configurations.
When you enable Security Lake, it starts ingesting security data after the
CreateAwsLogSource call. This includes ingesting security data from
sources, storing data, and making data accessible to subscribers. Security Lake also enables
all the existing settings and resources that it stores or maintains for your Amazon account in the current Region, including security log and event data. For
more information, see the Amazon Security Lake User
Guide.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::SecurityLake::DataLake", "Properties" : { "EncryptionConfiguration" :EncryptionConfiguration, "LifecycleConfiguration" :LifecycleConfiguration, "MetaStoreManagerRoleArn" :String, "ReplicationConfiguration" :ReplicationConfiguration, "Tags" :[ Tag, ... ]} }
YAML
Type: AWS::SecurityLake::DataLake Properties: EncryptionConfiguration:EncryptionConfigurationLifecycleConfiguration:LifecycleConfigurationMetaStoreManagerRoleArn:StringReplicationConfiguration:ReplicationConfigurationTags:- Tag
Properties
EncryptionConfiguration-
Provides encryption details of the Amazon Security Lake object.
Required: No
Type: EncryptionConfiguration
Update requires: No interruption
LifecycleConfiguration-
You can customize Security Lake to store data in your preferred Amazon Regions for your preferred amount of time. Lifecycle management can help you comply with different compliance requirements. For more details, see Lifecycle management in the Amazon Security Lake User Guide.
Required: No
Type: LifecycleConfiguration
Update requires: No interruption
MetaStoreManagerRoleArn-
The Amazon Resource Name (ARN) used to create and update the Amazon Glue table. This table contains partitions generated by the ingestion and normalization of Amazon log sources and custom sources.
Required: No
Type: String
Pattern:
^arn:.*$Update requires: Replacement
ReplicationConfiguration-
Provides replication details of Amazon Security Lake object.
Required: No
Type: ReplicationConfiguration
Update requires: No interruption
-
An array of objects, one for each tag to associate with the data lake configuration. For each tag, you must specify both a tag key and a tag value. A tag value cannot be null, but it can be an empty string.
Required: No
Type: Array of Tag
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic ref function, ref returns the DataLake name.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn-
The Amazon Resource Name (ARN) of the data lake.
S3BucketArn-
The Amazon Resource Name (ARN) of the Amazon S3 bucket.
Examples
Enable Security Lake in two accounts for three log sources
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::Serverless-2016-10-31", "Description": "Creates Security Lake with NO KMS and two sources, this can be used as a rollup region.", "Parameters": { "RoleName": { "Type": "String", "Default": "Provide a name if Security Lake has not been enabled from console", "Description": "Prefix for role name with managed policy" }, "Account1": { "Type": "String", "Default": "Enter an account for Security Lake to enable log sources", "Description": "Account number to enable logs" }, "Account2": { "Type": "String", "Default": "Enter another account for Security Lake to enable log sources", "Description": "Account number n to enable logs" } }, "Resources": { "AmazonSecurityLakeMetaStoreManagerRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Fn::Sub": "${RoleName}-SecurityLakeMetasStoreManager" }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager" ] } }, "SecurityLakeEnablement": { "Type": "AWS::SecurityLake::DataLake", "Properties": { "MetaStoreManagerRoleArn": { "Fn::GetAtt": [ "AmazonSecurityLakeMetaStoreManagerRole", "Arn" ] } } }, "SecurityLakeSourcesRoute53": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "Accounts": [ { "Ref": "Account1" }, { "Ref": "Account2" } ], "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "ROUTE53", "SourceVersion": 2 }, "DependsOn": "SecurityLakeEnablement" }, "SecurityLakeSourcesSecurityHub": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "Accounts": [ { "Ref": "Account1" }, { "Ref": "Account2" } ], "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "SH_FINDINGS", "SourceVersion": 2 }, "DependsOn": "SecurityLakeSourcesRoute53" }, "SecurityLakeSourcesS3": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "Accounts": [ { "Ref": "Account1" }, { "Ref": "Account2" } ], "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "S3_DATA", "SourceVersion": 2 }, "DependsOn": "SecurityLakeSourcesSecurityHub" } } }
YAML
AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: Creates Security Lake with NO KMS and two sources, this can be used as a rollup region. Parameters: RoleName: Type: String Default: Provide a name if Security Lake has not been enabled from console Description: Prefix for role name with managed policy Account1: Type: String Default: Enter an account for Security Lake to enable log sources Description: Account number to enable logs Account2: Type: String Default: Enter another account for Security Lake to enable log sources Description: Account number n to enable logs Resources: AmazonSecurityLakeMetaStoreManagerRole: Type: AWS::IAM::Role Properties: RoleName: Fn::Sub: ${RoleName}-SecurityLakeMetasStoreManager AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager SecurityLakeEnablement: Type: AWS::SecurityLake::DataLake Properties: MetaStoreManagerRoleArn: Fn::GetAtt: - AmazonSecurityLakeMetaStoreManagerRole - Arn SecurityLakeSourcesRoute53: Type: AWS::SecurityLake::AwsLogSource Properties: Accounts: - Ref: Account1 - Ref: Account2 DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: ROUTE53 SourceVersion: 2.0 DependsOn: SecurityLakeEnablement SecurityLakeSourcesSecurityHub: Type: AWS::SecurityLake::AwsLogSource Properties: Accounts: - Ref: Account1 - Ref: Account2 DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: SH_FINDINGS SourceVersion: 2.0 DependsOn: SecurityLakeSourcesRoute53 SecurityLakeSourcesS3: Type: AWS::SecurityLake::AwsLogSource Properties: Accounts: - Ref: Account1 - Ref: Account2 DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: S3_DATA SourceVersion: 2.0 DependsOn: SecurityLakeSourcesSecurityHub
Enable Security Lake in all accounts for three log sources
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::Serverless-2016-10-31", "Description": "Creates Security Lake with NO KMS and two sources. This can be used as a centralized Region.", "Parameters": { "RoleName": { "Type": "String", "Default": "Provide a name if Security Lake has not been enabled from console", "Description": "Prefix for role name with managed policy" }, }, "Resources": { "AmazonSecurityLakeMetaStoreManagerRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Fn::Sub": "${RoleName}-SecurityLakeMetasStoreManager" }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager" ] } }, "SecurityLakeEnablement": { "Type": "AWS::SecurityLake::DataLake", "Properties": { "MetaStoreManagerRoleArn": { "Fn::GetAtt": [ "AmazonSecurityLakeMetaStoreManagerRole", "Arn" ] } } }, "SecurityLakeSourcesRoute53": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "ROUTE53", "SourceVersion": 2 }, "DependsOn": "SecurityLakeEnablement" }, "SecurityLakeSourcesSecurityHub": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "SH_FINDINGS", "SourceVersion": 2 }, "DependsOn": "SecurityLakeSourcesRoute53" }, "SecurityLakeSourcesS3": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "S3_DATA", "SourceVersion": 2 }, "DependsOn": "SecurityLakeSourcesSecurityHub" } } }
YAML
AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: Creates Security Lake with NO KMS on three sources and all accounts. This can be used as a centralized Region. Parameters: RoleName: Type: String Default: Provide a name if Security Lake has not been enabled from console Description: Prefix for role name with managed policy Resources: AmazonSecurityLakeMetaStoreManagerRole: Type: AWS::IAM::Role Properties: RoleName: Fn::Sub: ${RoleName}-SecurityLakeMetasStoreManager AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager SecurityLakeEnablement: Type: AWS::SecurityLake::DataLake Properties: MetaStoreManagerRoleArn: Fn::GetAtt: - AmazonSecurityLakeMetaStoreManagerRole - Arn SecurityLakeSourcesRoute53: Type: AWS::SecurityLake::AwsLogSource Properties: DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: ROUTE53 SourceVersion: 2.0 DependsOn: SecurityLakeEnablement SecurityLakeSourcesSecurityHub: Type: AWS::SecurityLake::AwsLogSource Properties: DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: SH_FINDINGS SourceVersion: 2.0 DependsOn: SecurityLakeSourcesRoute53 SecurityLakeSourcesS3: Type: AWS::SecurityLake::AwsLogSource Properties: DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: S3_DATA SourceVersion: 2.0 DependsOn: SecurityLakeSourcesSecurityHub
Deploys a contributing Security Lake Region
Enables Security lake in two accounts for three logs sources as a contributing Region.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::Serverless-2016-10-31", "Description": "Creates Security Lake with NO KMS and two sources, replicates to one region.", "Parameters": { "Account1": { "Type": "String", "Default": "Enter an account for Security Lake to enable log sources", "Description": "Account number to enable logs" }, "Account2": { "Type": "String", "Default": "Enter another account for Security Lake to enable log sources", "Description": "Account number n to enable logs" }, "ReplicationRegionDestination": { "Type": "String", "Default": "Enter destination region", "Description": "Centralized destination region" }, "MetaStoreRoleArn": { "Type": "String", "Default": "Security Lake Metastore Manager Role", "Description": "arn for AWS Security Lake Metastore Manager Role" }, "ReplicationRoleArn": { "Type": "String", "Default": "Replication Role ARN", "Description": "Replication role arn that supports rollup to destination region" } }, "Resources": { "SecurityLakeEnablement": { "Type": "AWS::SecurityLake::DataLake", "Properties": { "MetaStoreManagerRoleArn": { "Ref": "MetaStoreRoleArn" }, "ReplicationConfiguration": { "Regions": [ { "Ref": "ReplicationRegionDestination" } ], "RoleArn": "arn:aws:iam::491223689189:role/SecurityLake-Replication-Role" } } }, "SecurityLakeSourcesRoute53": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "Accounts": [ { "Ref": "Account1" }, { "Ref": "Account2" } ], "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "ROUTE53", "SourceVersion": 2 }, "DependsOn": "SecurityLakeEnablement" }, "SecurityLakeSourcesSecurityHub": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "Accounts": [ { "Ref": "Account1" }, { "Ref": "Account2" } ], "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "SH_FINDINGS", "SourceVersion": 2 }, "DependsOn": "SecurityLakeSourcesRoute53" }, "SecurityLakeSourcesS3": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "Accounts": [ { "Ref": "Account1" }, { "Ref": "Account2" } ], "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "S3_DATA", "SourceVersion": 2 }, "DependsOn": "SecurityLakeSourcesSecurityHub" } } }
YAML
AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: Creates Security Lake with NO KMS and two sources, replicates to one region. Parameters: Account1: Type: String Default: Enter an account for Security Lake to enable log sources Description: Account number to enable logs Account2: Type: String Default: Enter another account for Security Lake to enable log sources Description: Account number n to enable logs ReplicationRegionDestination: Type: String Default: Enter destination region Description: Centralized destination region MetaStoreRoleArn: Type: String Default: Security Lake Metastore Manager Role Description: arn for AWS Security Lake Metastore Manager Role ReplicationRoleArn: Type: String Default: Replication Role ARN Description: Replication role arn that supports rollup to destination region Resources: SecurityLakeEnablement: Type: AWS::SecurityLake::DataLake Properties: MetaStoreManagerRoleArn: Ref: MetaStoreRoleArn ReplicationConfiguration: Regions: - Ref: ReplicationRegionDestination RoleArn: arn:aws:iam::491223689189:role/SecurityLake-Replication-Role SecurityLakeSourcesRoute53: Type: AWS::SecurityLake::AwsLogSource Properties: Accounts: - Ref: Account1 - Ref: Account2 DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: ROUTE53 SourceVersion: 2.0 DependsOn: SecurityLakeEnablement SecurityLakeSourcesSecurityHub: Type: AWS::SecurityLake::AwsLogSource Properties: Accounts: - Ref: Account1 - Ref: Account2 DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: SH_FINDINGS SourceVersion: 2.0 DependsOn: SecurityLakeSourcesRoute53 SecurityLakeSourcesS3: Type: AWS::SecurityLake::AwsLogSource Properties: Accounts: - Ref: Account1 - Ref: Account2 DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: S3_DATA SourceVersion: 2.0 DependsOn: SecurityLakeSourcesSecurityHub
Configure with KMS
For each Region add the encryption configuration parameter and assign respective KMS ARN for your Region.
JSON
{ "SecurityLakeEnablement": { "Type": "AWS::SecurityLake::DataLake", "Properties": { "MetaStoreManagerRoleArn": { "Fn::GetAtt": [ "AmazonSecurityLakeMetaStoreManagerRole", "Arn" ] }, "EncryptionConfiguration": { "KmsKeyId": { "Ref": "KmsArn" } } } } }
YAML
SecurityLakeEnablement: Type: AWS::SecurityLake::DataLake Properties: MetaStoreManagerRoleArn: Fn::GetAtt: - AmazonSecurityLakeMetaStoreManagerRole - Arn EncryptionConfiguration: KmsKeyId: Ref: KmsArn