Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Security Lake and Amazon Organizations

Amazon Security Lake centralizes security data from cloud, on-premises, and custom sources into a data lake that's stored in your account. By integrating with Organizations, you can create a data lake that collects logs and events across your accounts. For more information, see Managing multiple accounts with Amazon Organizations in the Amazon Security Lake user guide.

Use the following information to help you integrate Amazon Security Lake with Amazon Organizations.

Service-linked roles created when you enable integration

The following service-linked role is automatically created in your organization's management account when you call the RegisterDataLakeDelegatedAdministrator API. This role allows Amazon Security Lake to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between Amazon Security Lake and Organizations, or if you remove the member account from the organization.

  • AWSServiceRoleForSecurityLake

Recommendation: Use Security Lake's RegisterDataLakeDelegatedAdministrator API to allow Security Lake access to your organization and to register the Organizations delegated administrator.

If you use the Organizations APIs to register a delegated administrator, the service-linked roles for Organizations might not be created successfully. To ensure full functionality, use the Security Lake APIs.

Service principals used by the service-linked roles

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Amazon Security Lake grant access to the following service principals:

  • securitylake.amazonaws.com
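As a defender's check on the two points above (register the delegated administrator through Security Lake so the service-linked role is actually created, and that role should trust only securitylake.amazonaws.com), here is an added Python example that is not from the AWS documentation. It audits the JSON returned by three real CLI calls, `aws organizations list-aws-service-access-for-organization`, `aws organizations list-delegated-administrators --service-principal securitylake.amazonaws.com` and `aws iam get-role --role-name AWSServiceRoleForSecurityLake`, and runs against constructed sample responses.

```python
"""Consistency check for the Security Lake / Organizations integration
(added example, not from the AWS docs; sample responses are constructed)."""
import json

SECURITY_LAKE_SP = "securitylake.amazonaws.com"
SLR_NAME = "AWSServiceRoleForSecurityLake"


def trusted_principals(trust_policy):
    """Service principals that an Allow statement for sts:AssumeRole trusts."""
    found = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        # a bare "*" principal means anyone may assume the role; report it as "*"
        services = principal.get("Service", []) if isinstance(principal, dict) else "*"
        found.update([services] if isinstance(services, str) else services)
    return found


def audit(service_access, delegated_admins, role):
    """Return findings as strings; an empty list means the state is consistent."""
    findings = []
    enabled = {p["ServicePrincipal"] for p in service_access.get("EnabledServicePrincipals", [])}
    if SECURITY_LAKE_SP not in enabled:
        findings.append("trusted access for Security Lake is not enabled")
    if not delegated_admins.get("DelegatedAdministrators"):
        findings.append("no delegated administrator registered for Security Lake")
    if role is None:  # get-role returned NoSuchEntity: the case the docs warn about
        findings.append(f"{SLR_NAME} does not exist in the management account")
    else:  # the CLI and boto3 hand back the trust policy already decoded as a dict
        extra = trusted_principals(role["Role"]["AssumeRolePolicyDocument"]) - {SECURITY_LAKE_SP}
        if extra:
            findings.append(f"{SLR_NAME} trusts unexpected principals: {sorted(extra)}")
    return findings


# Constructed sample responses, shaped like the real API output.
SAMPLE_ACCESS = {"EnabledServicePrincipals": [{"ServicePrincipal": SECURITY_LAKE_SP}]}
SAMPLE_ADMINS = {"DelegatedAdministrators": [{"Id": "123456789012", "Status": "ACTIVE"}]}
SAMPLE_ROLE = {"Role": {"RoleName": SLR_NAME, "AssumeRolePolicyDocument": {
    "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                            "Principal": {"Service": SECURITY_LAKE_SP}}]}}}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACCESS, SAMPLE_ADMINS, SAMPLE_ROLE)))
```

Feed it the live responses (for example via `aws ... --output json` piped into `json.load`) and pass `None` for the role when `get-role` reports NoSuchEntity.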

Enabling trusted access with Amazon Security Lake

When you enable trusted access with Security Lake, Security Lake can react automatically to changes in the organization membership. The delegated administrator can enable collection of Amazon logs from supported services in any organization account. For more information, see Service-linked role for Amazon Security Lake in the Amazon Security Lake user guide.

For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.

You can enable trusted access using only the Organizations tools.

You can enable trusted access by using the Amazon Organizations console, by running an Amazon CLI command, or by calling an API operation in one of the Amazon SDKs.

Amazon Web Services Management Console
To enable trusted service access using the Organizations console
  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. In the navigation pane, choose Services.

  3. Choose Amazon Security Lake in the list of services.

  4. Choose Enable trusted access.

  5. In the Enable trusted access for Amazon Security Lake dialog box, type enable to confirm it, and then choose Enable trusted access.

  6. If you are the administrator of only Amazon Organizations, tell the administrator of Amazon Security Lake that they can now enable that service using its console to work with Amazon Organizations.

Amazon CLI, Amazon API
To enable trusted service access using the Organizations CLI/SDK

You can use the following Amazon CLI commands or API operations to enable trusted service access:

  • Amazon CLI: enable-aws-service-access

    You can run the following command to enable Amazon Security Lake as a trusted service with Organizations.

    $ aws organizations enable-aws-service-access \
        --service-principal securitylake.amazonaws.com

    This command produces no output when successful.

  • Amazon API: EnableAWSServiceAccess

Disabling trusted access with Amazon Security Lake

Only an administrator in the Organizations management account can disable trusted access with Amazon Security Lake.

You can disable trusted access using only the Organizations tools.

You can disable trusted access by using the Amazon Organizations console, by running an Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.

Amazon Web Services Management Console
To disable trusted service access using the Organizations console
  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. In the navigation pane, choose Services.

  3. Choose Amazon Security Lake in the list of services.

  4. Choose Disable trusted access.

  5. In the Disable trusted access for Amazon Security Lake dialog box, type disable to confirm it, and then choose Disable trusted access.

  6. If you are the administrator of only Amazon Organizations, tell the administrator of Amazon Security Lake that they can now use its console or tools to disable that service from working with Amazon Organizations.

Amazon CLI, Amazon API
To disable trusted service access using the Organizations CLI/SDK

You can use the following Amazon CLI commands or API operations to disable trusted service access:

  • Amazon CLI: disable-aws-service-access

    You can run the following command to disable Amazon Security Lake as a trusted service with Organizations.

    $ aws organizations disable-aws-service-access \
        --service-principal securitylake.amazonaws.com

    This command produces no output when successful.

  • Amazon API: DisableAWSServiceAccess

Enabling a delegated administrator account for Amazon Security Lake

The Amazon Security Lake delegated administrator adds other accounts in the organization as member accounts. The delegated administrator can enable Amazon Security Lake and configure Amazon Security Lake settings for the member accounts. The delegated administrator can collect logs across an organization in all Amazon Regions where Amazon Security Lake is enabled (regardless of which Regional endpoint you're currently using).

You can also set up the delegated administrator to automatically add new accounts in the organization as members. The Amazon Security Lake delegated administrator has access to the logs and events in associated member accounts. Accordingly, you can set up Amazon Security Lake to collect data owned by associated member accounts. You can also grant subscribers permission to consume data owned by associated member accounts.

For more information see Managing multiple accounts with Amazon Organizations in the Amazon Security Lake user guide.

Minimum permissions

Only an administrator in the Organizations management account can configure a member account as a delegated administrator for Amazon Security Lake in the organization.

You can specify a delegated administrator account by using the Amazon Security Lake console, the Amazon Security Lake CreateDatalakeDelegatedAdmin API action, or the create-datalake-delegated-admin CLI command. Alternatively, you can use the Organizations RegisterDelegatedAdministrator CLI or SDK operation. For instructions about enabling a delegated administrator account for Amazon Security Lake, see Designating the delegated Security Lake administrator and adding member accounts in the Amazon Security Lake user guide.

Amazon CLI, Amazon API

If you want to configure a delegated administrator account using the Amazon CLI or one of the Amazon SDKs, you can use the following commands:

  • Amazon CLI:

    $ aws organizations register-delegated-administrator \
        --account-id 123456789012 \
        --service-principal securitylake.amazonaws.com

  • Amazon SDK: Call the Organizations RegisterDelegatedAdministrator operation and specify the member account's ID number and the service principal securitylake.amazonaws.com as parameters.

Disabling a delegated administrator for Amazon Security Lake

Only an administrator in either the Organizations management account or the Amazon Security Lake delegated administrator account can remove a delegated administrator account from the organization.

You can remove the delegated administrator account by using the Amazon Security Lake DeleteDatalakeDelegatedAdmin API action, the delete-datalake-delegated-admin CLI command, or by using the Organizations DeregisterDelegatedAdministrator CLI or SDK operation. To remove a delegated administrator using Amazon Security Lake, see Removing the Amazon Security Lake delegated administrator in the Amazon Security Lake user guide.