AWS::SecurityLake::DataLake - AWS CloudFormation

AWS::SecurityLake::DataLake

Initializes an Amazon Security Lake instance with the provided (or default) configuration. You can enable Security Lake in AWS Regions with customized settings before enabling log collection in Regions. To specify particular Regions, configure these Regions using the configurations parameter. If you have already enabled Security Lake in a Region when you call this command, the command will update the Region if you provide new configuration parameters. If you have not already enabled Security Lake in the Region when you call this API, it will set up the data lake in the Region with the specified configurations.

When you enable Security Lake, it starts ingesting security data after the CreateAwsLogSource call. This includes ingesting security data from sources, storing data, and making data accessible to subscribers. Security Lake also enables all the existing settings and resources that it stores or maintains for your AWS account in the current Region, including security log and event data. For more information, see the Amazon Security Lake User Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::SecurityLake::DataLake", "Properties" : { "EncryptionConfiguration" : EncryptionConfiguration, "LifecycleConfiguration" : LifecycleConfiguration, "MetaStoreManagerRoleArn" : String, "ReplicationConfiguration" : ReplicationConfiguration, "Tags" : [ Tag, ... ] } }

Properties

EncryptionConfiguration

Provides encryption details of the Amazon Security Lake object.

Required: No

Type: EncryptionConfiguration

Update requires: No interruption

LifecycleConfiguration

You can customize Security Lake to store data in your preferred AWS Regions for your preferred amount of time. Lifecycle management can help you comply with different compliance requirements. For more details, see Lifecycle management in the Amazon Security Lake User Guide.

Required: No

Type: LifecycleConfiguration

Update requires: No interruption

MetaStoreManagerRoleArn

The Amazon Resource Name (ARN) used to create and update the AWS Glue table. This table contains partitions generated by the ingestion and normalization of AWS log sources and custom sources.

Required: No

Type: String

Pattern: ^arn:.*$

Update requires: No interruption

ReplicationConfiguration

Provides replication details of Amazon Security Lake object.

Required: No

Type: ReplicationConfiguration

Update requires: No interruption

Tags

An array of objects, one for each tag to associate with the data lake configuration. For each tag, you must specify both a tag key and a tag value. A tag value cannot be null, but it can be an empty string.

Required: No

Type: Array of Tag

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic ref function, ref returns the DataLake name.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

The Amazon Resource Name (ARN) of the data lake.

S3BucketArn

The Amazon Resource Name (ARN) of the Amazon S3 bucket.

Examples

Enable Security Lake in two accounts for three log sources

JSON

{ "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::Serverless-2016-10-31", "Description": "Creates Security Lake with NO KMS and two sources, this can be used as a rollup region.", "Parameters": { "RoleName": { "Type": "String", "Default": "Provide a name if Security Lake has not been enabled from console", "Description": "Prefix for role name with managed policy" }, "Account1": { "Type": "String", "Default": "Enter an account for Security Lake to enable log sources", "Description": "Account number to enable logs" }, "Account2": { "Type": "String", "Default": "Enter another account for Security Lake to enable log sources", "Description": "Account number n to enable logs" } }, "Resources": { "AmazonSecurityLakeMetaStoreManagerRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Fn::Sub": "${RoleName}-SecurityLakeMetasStoreManager" }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager" ] } }, "SecurityLakeEnablement": { "Type": "AWS::SecurityLake::DataLake", "Properties": { "MetaStoreManagerRoleArn": { "Fn::GetAtt": [ "AmazonSecurityLakeMetaStoreManagerRole", "Arn" ] } } }, "SecurityLakeSourcesRoute53": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "Accounts": [ { "Ref": "Account1" }, { "Ref": "Account2" } ], "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "ROUTE53", "SourceVersion": "2.0" }, "DependsOn": "SecurityLakeEnablement" }, "SecurityLakeSourcesSecurityHub": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "Accounts": [ { "Ref": "Account1" }, { "Ref": "Account2" } ], "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "SH_FINDINGS", "SourceVersion": "2.0" }, "DependsOn": "SecurityLakeSourcesRoute53" }, "SecurityLakeSourcesS3": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "Accounts": [ { "Ref": "Account1" }, { "Ref": "Account2" } ], "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "S3_DATA", "SourceVersion": "2.0" }, "DependsOn": "SecurityLakeSourcesSecurityHub" } } }

YAML

AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: Creates Security Lake with NO KMS and two sources, this can be used as a rollup region. Parameters: RoleName: Type: String Default: Provide a name if Security Lake has not been enabled from console Description: Prefix for role name with managed policy Account1: Type: String Default: Enter an account for Security Lake to enable log sources Description: Account number to enable logs Account2: Type: String Default: Enter another account for Security Lake to enable log sources Description: Account number n to enable logs Resources: AmazonSecurityLakeMetaStoreManagerRole: Type: AWS::IAM::Role Properties: RoleName: Fn::Sub: ${RoleName}-SecurityLakeMetasStoreManager AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager SecurityLakeEnablement: Type: AWS::SecurityLake::DataLake Properties: MetaStoreManagerRoleArn: Fn::GetAtt: - AmazonSecurityLakeMetaStoreManagerRole - Arn SecurityLakeSourcesRoute53: Type: AWS::SecurityLake::AwsLogSource Properties: Accounts: - Ref: Account1 - Ref: Account2 DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: ROUTE53 SourceVersion: "2.0" DependsOn: SecurityLakeEnablement SecurityLakeSourcesSecurityHub: Type: AWS::SecurityLake::AwsLogSource Properties: Accounts: - Ref: Account1 - Ref: Account2 DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: SH_FINDINGS SourceVersion: "2.0" DependsOn: SecurityLakeSourcesRoute53 SecurityLakeSourcesS3: Type: AWS::SecurityLake::AwsLogSource Properties: Accounts: - Ref: Account1 - Ref: Account2 DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: S3_DATA SourceVersion: "2.0" DependsOn: SecurityLakeSourcesSecurityHub

Enable Security Lake in all accounts for three log sources

JSON

{ "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::Serverless-2016-10-31", "Description": "Creates Security Lake with NO KMS and two sources. This can be used as a centralized Region.", "Parameters": { "RoleName": { "Type": "String", "Default": "Provide a name if Security Lake has not been enabled from console", "Description": "Prefix for role name with managed policy" }, }, "Resources": { "AmazonSecurityLakeMetaStoreManagerRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Fn::Sub": "${RoleName}-SecurityLakeMetasStoreManager" }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager" ] } }, "SecurityLakeEnablement": { "Type": "AWS::SecurityLake::DataLake", "Properties": { "MetaStoreManagerRoleArn": { "Fn::GetAtt": [ "AmazonSecurityLakeMetaStoreManagerRole", "Arn" ] } } }, "SecurityLakeSourcesRoute53": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "ROUTE53", "SourceVersion": "2.0" }, "DependsOn": "SecurityLakeEnablement" }, "SecurityLakeSourcesSecurityHub": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "SH_FINDINGS", "SourceVersion": "2.0" }, "DependsOn": "SecurityLakeSourcesRoute53" }, "SecurityLakeSourcesS3": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "S3_DATA", "SourceVersion": "2.0" }, "DependsOn": "SecurityLakeSourcesSecurityHub" } } }

YAML

AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: Creates Security Lake with NO KMS on three sources and all accounts. This can be used as a centralized Region. Parameters: RoleName: Type: String Default: Provide a name if Security Lake has not been enabled from console Description: Prefix for role name with managed policy Resources: AmazonSecurityLakeMetaStoreManagerRole: Type: AWS::IAM::Role Properties: RoleName: Fn::Sub: ${RoleName}-SecurityLakeMetasStoreManager AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager SecurityLakeEnablement: Type: AWS::SecurityLake::DataLake Properties: MetaStoreManagerRoleArn: Fn::GetAtt: - AmazonSecurityLakeMetaStoreManagerRole - Arn SecurityLakeSourcesRoute53: Type: AWS::SecurityLake::AwsLogSource Properties: DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: ROUTE53 SourceVersion: "2.0" DependsOn: SecurityLakeEnablement SecurityLakeSourcesSecurityHub: Type: AWS::SecurityLake::AwsLogSource Properties: DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: SH_FINDINGS SourceVersion: "2.0" DependsOn: SecurityLakeSourcesRoute53 SecurityLakeSourcesS3: Type: AWS::SecurityLake::AwsLogSource Properties: DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: S3_DATA SourceVersion: "2.0" DependsOn: SecurityLakeSourcesSecurityHub

Deploys a contributing Security Lake Region

Enables Security lake in two accounts for three logs sources as a contributing Region.

JSON

{ "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::Serverless-2016-10-31", "Description": "Creates Security Lake with NO KMS and two sources, replicates to one region.", "Parameters": { "Account1": { "Type": "String", "Default": "Enter an account for Security Lake to enable log sources", "Description": "Account number to enable logs" }, "Account2": { "Type": "String", "Default": "Enter another account for Security Lake to enable log sources", "Description": "Account number n to enable logs" }, "ReplicationRegionDestination": { "Type": "String", "Default": "Enter destination region", "Description": "Centralized destination region" }, "MetaStoreRoleArn": { "Type": "String", "Default": "Security Lake Metastore Manager Role", "Description": "arn for AWS Security Lake Metastore Manager Role" }, "ReplicationRoleArn": { "Type": "String", "Default": "Replication Role ARN", "Description": "Replication role arn that supports rollup to destination region" } }, "Resources": { "SecurityLakeEnablement": { "Type": "AWS::SecurityLake::DataLake", "Properties": { "MetaStoreManagerRoleArn": { "Ref": "MetaStoreRoleArn" }, "ReplicationConfiguration": { "Regions": [ { "Ref": "ReplicationRegionDestination" } ], "RoleArn": "arn:aws:iam::123456789123:role/SecurityLake-Replication-Role" } } }, "SecurityLakeSourcesRoute53": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "Accounts": [ { "Ref": "Account1" }, { "Ref": "Account2" } ], "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "ROUTE53", "SourceVersion": "2.0" }, "DependsOn": "SecurityLakeEnablement" }, "SecurityLakeSourcesSecurityHub": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "Accounts": [ { "Ref": "Account1" }, { "Ref": "Account2" } ], "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "SH_FINDINGS", "SourceVersion": "2.0" }, "DependsOn": "SecurityLakeSourcesRoute53" }, "SecurityLakeSourcesS3": { "Type": "AWS::SecurityLake::AwsLogSource", "Properties": { "Accounts": [ { "Ref": "Account1" }, { "Ref": "Account2" } ], "DataLakeArn": { "Fn::GetAtt": [ "SecurityLakeEnablement", "Arn" ] }, "SourceName": "S3_DATA", "SourceVersion": "2.0" }, "DependsOn": "SecurityLakeSourcesSecurityHub" } } }

YAML

AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: Creates Security Lake with NO KMS and two sources, replicates to one region. Parameters: Account1: Type: String Default: Enter an account for Security Lake to enable log sources Description: Account number to enable logs Account2: Type: String Default: Enter another account for Security Lake to enable log sources Description: Account number n to enable logs ReplicationRegionDestination: Type: String Default: Enter destination region Description: Centralized destination region MetaStoreRoleArn: Type: String Default: Security Lake Metastore Manager Role Description: arn for AWS Security Lake Metastore Manager Role ReplicationRoleArn: Type: String Default: Replication Role ARN Description: Replication role arn that supports rollup to destination region Resources: SecurityLakeEnablement: Type: AWS::SecurityLake::DataLake Properties: MetaStoreManagerRoleArn: Ref: MetaStoreRoleArn ReplicationConfiguration: Regions: - Ref: ReplicationRegionDestination RoleArn: arn:aws:iam::123456789123:role/SecurityLake-Replication-Role SecurityLakeSourcesRoute53: Type: AWS::SecurityLake::AwsLogSource Properties: Accounts: - Ref: Account1 - Ref: Account2 DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: ROUTE53 SourceVersion: "2.0" DependsOn: SecurityLakeEnablement SecurityLakeSourcesSecurityHub: Type: AWS::SecurityLake::AwsLogSource Properties: Accounts: - Ref: Account1 - Ref: Account2 DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: SH_FINDINGS SourceVersion: "2.0" DependsOn: SecurityLakeSourcesRoute53 SecurityLakeSourcesS3: Type: AWS::SecurityLake::AwsLogSource Properties: Accounts: - Ref: Account1 - Ref: Account2 DataLakeArn: Fn::GetAtt: - SecurityLakeEnablement - Arn SourceName: S3_DATA SourceVersion: "2.0" DependsOn: SecurityLakeSourcesSecurityHub

Configure with KMS

For each Region add the encryption configuration parameter and assign respective KMS ARN for your Region.

JSON

{ "SecurityLakeEnablement": { "Type": "AWS::SecurityLake::DataLake", "Properties": { "MetaStoreManagerRoleArn": { "Fn::GetAtt": [ "AmazonSecurityLakeMetaStoreManagerRole", "Arn" ] }, "EncryptionConfiguration": { "KmsKeyId": { "Ref": "KmsArn" } } } } }

YAML

SecurityLakeEnablement: Type: AWS::SecurityLake::DataLake Properties: MetaStoreManagerRoleArn: Fn::GetAtt: - AmazonSecurityLakeMetaStoreManagerRole - Arn EncryptionConfiguration: KmsKeyId: Ref: KmsArn