This is the new *Amazon CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [Amazon CloudFormation User Guide](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/Welcome.html).
# AWS::SecurityLake::AwsLogSource
Adds a natively supported Amazon service as an Amazon source. Enables source types for member accounts in required Amazon Regions, based on the parameters you specify. You can choose any source type in any Region for either accounts that are part of a trusted organization or standalone accounts. Once you add an Amazon service as a source, Security Lake starts collecting logs and events from it.
**Important**
If you want to create multiple sources using `AWS::SecurityLake::AwsLogSource`, you must use the `DependsOn` attribute to create the sources sequentially. With the `DependsOn` attribute you can specify that the creation of a specific `AWSLogSource`follows another. When you add a `DependsOn` attribute to a resource, that resource is created only after the creation of the resource specified in the `DependsOn` attribute. For an example, see [Add Amazon log sources](https://docs.amazonaws.cn//AWSCloudFormation/latest/UserGuide/aws-resource-securitylake-awslogsource.html#aws-resource-securitylake-awslogsource--examples).
## Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
### JSON
```
{
"Type" : "AWS::SecurityLake::AwsLogSource",
"Properties" : {
"[Accounts](#cfn-securitylake-awslogsource-accounts)" : {{[ String, ... ]}},
"[DataLakeArn](#cfn-securitylake-awslogsource-datalakearn)" : {{String}},
"[SourceName](#cfn-securitylake-awslogsource-sourcename)" : {{String}},
"[SourceVersion](#cfn-securitylake-awslogsource-sourceversion)" : {{String}}
}
}
```
### YAML
```
Type: AWS::SecurityLake::AwsLogSource
Properties:
[Accounts](#cfn-securitylake-awslogsource-accounts): {{
- String}}
[DataLakeArn](#cfn-securitylake-awslogsource-datalakearn): {{String}}
[SourceName](#cfn-securitylake-awslogsource-sourcename): {{String}}
[SourceVersion](#cfn-securitylake-awslogsource-sourceversion): {{String}}
```
## Properties
`Accounts`
Specify the Amazon account information where you want to enable Security Lake.
*Required*: No
*Type*: Array of String
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`DataLakeArn`
The Amazon Resource Name (ARN) used to create the data lake.
*Required*: Yes
*Type*: String
*Minimum*: `1`
*Maximum*: `256`
*Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
`SourceName`
The name for a Amazon source. This must be a Regionally unique value. For the list of sources supported by Amazon Security Lake see [Collecting data from Amazon services](https://docs.amazonaws.cn//security-lake/latest/userguide/internal-sources.html) in the Amazon Security Lake User Guide.
*Required*: Yes
*Type*: String
*Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
`SourceVersion`
The version for a Amazon source. For more details about source versions supported by Amazon Security Lake see [OCSF source identification](https://docs.amazonaws.cn//security-lake/latest/userguide/open-cybersecurity-schema-framework.html#ocsf-source-identification) in the Amazon Security Lake User Guide. This must be a Regionally unique value.
*Required*: Yes
*Type*: String
*Pattern*: `^(latest|[0-9]\.[0-9])$`
*Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
## Return values
### Ref
When you pass the logical ID of this resource to the intrinsic `ref` function, `ref` returns the `AwsLogSource` name. For example, `VPC_FLOW`.
For more information about using the `Ref` function, see [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).
## Examples
### Add Amazon log sources
After deploying Security Lake, use this example to add Amazon log sources.
#### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Security Lake Already Deployed",
"Resources": {
"SecurityLakeSourcesRoute53": {
"Type": "AWS::SecurityLake::AwsLogSource",
"Properties": {
"DataLakeArn": {
"Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
},
"SourceName": "ROUTE53",
"SourceVersion": "2.0"
}
},
"SecurityLakeSourcesSecurityHub": {
"Type": "AWS::SecurityLake::AwsLogSource",
"Properties": {
"DataLakeArn": {
"Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
},
"SourceName": "SH_FINDINGS",
"SourceVersion": "2.0"
},
"DependsOn": "SecurityLakeSourcesRoute53"
},
"SecurityLakeSourcesVPCFlow": {
"Type": "AWS::SecurityLake::AwsLogSource",
"Properties": {
"DataLakeArn": {
"Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
},
"SourceName": "VPC_FLOW",
"SourceVersion": "2.0"
},
"DependsOn": "SecurityLakeSourcesSecurityHub"
},
"SecurityLakeSourcesCloudTrailMgmt": {
"Type": "AWS::SecurityLake::AwsLogSource",
"Properties": {
"DataLakeArn": {
"Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
},
"SourceName": "CLOUD_TRAIL_MGMT",
"SourceVersion": "2.0"
},
"DependsOn": "SecurityLakeSourcesVPCFlow"
},
"SecurityLakeSourcesLambdaExecution": {
"Type": "AWS::SecurityLake::AwsLogSource",
"Properties": {
"DataLakeArn": {
"Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
},
"SourceName": "LAMBDA_EXECUTION",
"SourceVersion": "2.0"
},
"DependsOn": "SecurityLakeSourcesCloudTrailMgmt"
},
"SecurityLakeSourcesS3": {
"Type": "AWS::SecurityLake::AwsLogSource",
"Properties": {
"DataLakeArn": {
"Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
},
"SourceName": "S3_DATA",
"SourceVersion": "2.0"
},
"DependsOn": "SecurityLakeSourcesLambdaExecution"
},
"SecurityLakeSourcesEKSAudit": {
"Type": "AWS::SecurityLake::AwsLogSource",
"Properties": {
"DataLakeArn": {
"Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
},
"SourceName": "EKS_AUDIT",
"SourceVersion": "2.0"
},
"DependsOn": "SecurityLakeSourcesS3"
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Description: Security Lake Already Deployed
Resources:
SecurityLakeSourcesRoute53:
Type: AWS::SecurityLake::AwsLogSource
Properties:
DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
SourceName: ROUTE53
SourceVersion: "2.0"
SecurityLakeSourcesSecurityHub:
Type: AWS::SecurityLake::AwsLogSource
Properties:
DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
SourceName: SH_FINDINGS
SourceVersion: "2.0"
DependsOn: SecurityLakeSourcesRoute53
SecurityLakeSourcesVPCFlow:
Type: AWS::SecurityLake::AwsLogSource
Properties:
DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
SourceName: VPC_FLOW
SourceVersion: "2.0"
DependsOn: SecurityLakeSourcesSecurityHub
SecurityLakeSourcesCloudTrailMgmt:
Type: AWS::SecurityLake::AwsLogSource
Properties:
DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
SourceName: CLOUD_TRAIL_MGMT
SourceVersion: "2.0"
DependsOn: SecurityLakeSourcesVPCFlow
SecurityLakeSourcesLambdaExecution:
Type: AWS::SecurityLake::AwsLogSource
Properties:
DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
SourceName: LAMBDA_EXECUTION
SourceVersion: "2.0"
DependsOn: SecurityLakeSourcesCloudTrailMgmt
SecurityLakeSourcesS3:
Type: AWS::SecurityLake::AwsLogSource
Properties:
DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
SourceName: S3_DATA
SourceVersion: "2.0"
DependsOn: SecurityLakeSourcesLambdaExecution
SecurityLakeSourcesEKSAudit:
Type: AWS::SecurityLake::AwsLogSource
Properties:
DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
SourceName: EKS_AUDIT
SourceVersion: "2.0"
DependsOn: SecurityLakeSourcesS3
```