AWS managed policies for Security Lake
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
AWS managed policy: AmazonSecurityLakeMetastoreManager
Amazon Security Lake uses an AWS Lambda function to manage metadata in your data lake. Through the use of this function, Security Lake can index Amazon Simple Storage Service (Amazon S3) partitions that contain your data and data files into the AWS Glue Data Catalog tables. This managed policy contains all of the permissions for the Lambda function to index the S3 partitions and data files into the AWS Glue tables.
Permissions details
This policy includes the following permissions:
logs
– Allows principals to log the output of the Lambda function to Amazon CloudWatch Logs.glue
– Allows principals to perform specific write actions for AWS Glue Data Catalog tables. This also allows AWS Glue crawlers to identify partitions in your data.sqs
– Allows principals to perform specific read and write actions for Amazon SQS queues that send event notifications when objects are added to or updated in your data lake.s3
– Allows principals to perform specific read and write actions for the Amazon S3 bucket that contains your data.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowWriteLambdaLogs", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/lambda/AmazonSecurityLake*", "arn:aws:logs:*:*:/aws/lambda/AmazonSecurityLake*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowGlueManage", "Effect": "Allow", "Action": [ "glue:CreatePartition", "glue:BatchCreatePartition", "glue:GetTable", "glue:UpdateTable" ], "Resource": [ "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*", "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", "arn:aws:glue:*:*:catalog" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowToReadFromSqs", "Effect": "Allow", "Action": [ "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes" ], "Resource": [ "arn:aws:sqs:*:*:AmazonSecurityLake*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowMetaDataReadWrite", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::aws-security-data-lake*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowMetaDataCleanup", "Effect": "Allow", "Action": [ "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::aws-security-data-lake*/metadata/*.avro", "arn:aws:s3:::aws-security-data-lake*/metadata/*.metadata.json" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }
AWS managed policy: AmazonSecurityLakePermissionsBoundary
Amazon Security Lake creates IAM roles for third-party custom sources to write data to the data lake and for third-party
custom subscribers to consume data from the data lake, and uses this policy when creating these roles to define the boundary of their permissions. You don't need to take action to
use this policy. If the data lake is encrypted with a customer managed AWS KMS key, kms:Decrypt
and kms:GenerateDataKey
permissions are added.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowActionsForSecurityLake", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutObject", "s3:GetBucketLocation", "kms:Decrypt", "kms:GenerateDataKey", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:ListQueues" ], "Resource": "*" }, { "Sid": "DenyActionsForSecurityLake", "Effect": "Deny", "NotAction": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutObject", "s3:GetBucketLocation", "kms:Decrypt", "kms:GenerateDataKey", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:ListQueues" ], "Resource": "*" }, { "Sid": "DenyActionsNotOnSecurityLakeBucket", "Effect": "Deny", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutObject", "s3:GetBucketLocation" ], "NotResource": [ "arn:aws:s3:::aws-security-data-lake*" ] }, { "Sid": "DenyActionsNotOnSecurityLakeSQS", "Effect": "Deny", "Action": [ "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:ListQueues" ], "NotResource": "arn:aws:sqs:*:*:AmazonSecurityLake*" }, { "Sid": "DenyActionsNotOnSecurityLakeKMSS3SQS", "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringNotLike": { "kms:ViaService": [ "s3.*.amazonaws.com", "sqs.*.amazonaws.com" ] } } }, { "Sid": "DenyActionsNotOnSecurityLakeKMSForS3", "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "Null": { "kms:EncryptionContext:aws:s3:arn": "false" }, "StringNotLikeIfExists": { "kms:EncryptionContext:aws:s3:arn": [ "arn:aws:s3:::aws-security-data-lake*" ] } } }, { "Sid": "DenyActionsNotOnSecurityLakeKMSForS3SQS", "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "Null": { "kms:EncryptionContext:aws:sqs:arn": "false" }, "StringNotLikeIfExists": { "kms:EncryptionContext:aws:sqs:arn": [ "arn:aws:sqs:*:*:AmazonSecurityLake*" ] } } } ] }
AWS managed policy: AmazonSecurityLakeAdministrator
You can attach the AmazonSecurityLakeAdministrator
policy to a principal
before they enable Amazon Security Lake for their account. This policy grants administrative permissions that allow a principal full access to all Security Lake actions. The principal can then onboard to Security Lake and subsequently configure sources and subscribers in Security Lake.
This policy includes the actions that Security Lake administrators can perform on other AWS services through Security Lake.
The AmazonSecurityLakeAdministrator
policy does not support the creation of
utility roles required by Security Lake to manage Amazon S3 cross-region replication,
registration of new data partitions in AWS Glue, run a Glue crawler on data added to
custom sources, or notify HTTPS endpoint subscribers of new data. You can create these roles
ahead of time as described in Getting started with Amazon Security Lake.
In addition to the AmazonSecurityLakeAdministrator
managed policy,
Security Lake requires lakeformation:PutDataLakeSettings
permissions for
onboarding and configuration functions. PutDataLakeSettings
allows setting
an IAM principal as an administrator for all regional Lake Formation resources in the account.
This role has to have iam:CreateRole permission
as well as
AmazonSecurityLakeAdministrator
policy attached to it.
Lake Formation administrators have full access to the Lake Formation console, and control the initial data
configuration and access permissions. Security Lake assigns the principal that enables Security Lake and
the AmazonSecurityLakeMetaStoreManager
role (or other specified role) as
Lake Formation administrators so that they can create tables, update table schema, register new
partitions, and configure permissions on tables. You must include the following
permissions in the policy for the Security Lake administrator user or role:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPutLakeFormationSettings", "Effect": "Allow", "Action": "lakeformation:PutDatalakeSettings", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } } ] }
Permissions details
This policy includes the following permissions.
-
securitylake
– Allows principals full access to all Security Lake actions. -
organizations
– Allows principals to retrieve information from AWS Organizations about the accounts in an organization. If an account belongs to an organization, then these permissions allow the Security Lake console to display account names and account numbers. -
iam
– Allows principals to create service-linked roles for Security Lake, AWS Lake Formation, and Amazon EventBridge, as a required step when enabling those services. Also allows for creation and editing of policies for subscriber and custom source roles, with permissions of those roles limited to what is allowed by theAmazonSecurityLakePermissionsBoundary
policy. -
ram
– Allows principals to configure Lake Formation-based query access by subscribers to Security Lake sources. -
s3
– Allows principals to create and manage Security Lake buckets, and read the contents of those buckets. -
lambda
– Allows principals to manage the Lambda used to update AWS Glue table partitions following AWS source delivery and cross-region replication. -
glue
– Allows principals to create and manage the Security Lake database and tables. -
lakeformation
– Allows principals to manage Lake Formation permissions for Security Lake tables. -
events
– Allows principals to manage rules used to notify subscribers of new data in Security Lake sources. -
sqs
– Allows principals to create and manage Amazon SQS queues used to notify subscribers of new data in Security Lake sources. -
kms
– Allows principals to grant access for Security Lake to write data using a customer-managed key. -
secretsmanager
– Allows principals to manage secrets used for notifying subscribers of new data in Security Lake sources via HTTPS endpoints.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowActionsWithAnyResource", "Effect": "Allow", "Action": [ "securitylake:*", "organizations:DescribeOrganization", "organizations:ListDelegatedServicesForAccount", "organizations:ListAccounts", "iam:ListRoles", "ram:GetResourceShareAssociations" ], "Resource": "*" }, { "Sid": "AllowActionsWithAnyResourceViaSecurityLake", "Effect": "Allow", "Action": [ "glue:CreateCrawler", "glue:StopCrawlerSchedule", "lambda:CreateEventSourceMapping", "lakeformation:GrantPermissions", "lakeformation:ListPermissions", "lakeformation:RegisterResource", "lakeformation:RevokePermissions", "lakeformation:GetDatalakeSettings", "events:ListConnections", "events:ListApiDestinations", "iam:GetRole", "iam:ListAttachedRolePolicies", "kms:DescribeKey" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowManagingSecurityLakeS3Buckets", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketNotification", "s3:PutBucketTagging", "s3:PutEncryptionConfiguration", "s3:PutBucketVersioning", "s3:PutReplicationConfiguration", "s3:PutLifecycleConfiguration", "s3:ListBucket", "s3:PutObject", "s3:GetBucketNotification" ], "Resource": "arn:aws:s3:::aws-security-data-lake*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowLambdaCreateFunction", "Effect": "Allow", "Action": [ "lambda:CreateFunction" ], "Resource": [ "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*", "arn:aws:lambda:*:*:function:AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowLambdaAddPermission", "Effect": "Allow", "Action": [ "lambda:AddPermission" ], "Resource": [ "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*", "arn:aws:lambda:*:*:function:AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" }, "StringEquals": { "lambda:Principal": "securitylake.amazonaws.com" } } }, { "Sid": "AllowGlueActions", "Effect": "Allow", "Action": [ "glue:CreateDatabase", "glue:GetDatabase", "glue:CreateTable", "glue:GetTable" ], "Resource": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowEventBridgeActions", "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule", "events:CreateApiDestination", "events:CreateConnection", "events:UpdateConnection", "events:UpdateApiDestination", "events:DeleteConnection", "events:DeleteApiDestination", "events:ListTargetsByRule", "events:RemoveTargets", "events:DeleteRule" ], "Resource": [ "arn:aws:events:*:*:rule/AmazonSecurityLake*", "arn:aws:events:*:*:rule/SecurityLake*", "arn:aws:events:*:*:api-destination/AmazonSecurityLake*", "arn:aws:events:*:*:connection/AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowSQSActions", "Effect": "Allow", "Action": [ "sqs:CreateQueue", "sqs:SetQueueAttributes", "sqs:GetQueueURL", "sqs:AddPermission", "sqs:GetQueueAttributes", "sqs:DeleteQueue" ], "Resource": [ "arn:aws:sqs:*:*:SecurityLake*", "arn:aws:sqs:*:*:AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowKmsCmkGrantForSecurityLake", "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" }, "StringLike": { "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::aws-security-data-lake*" }, "ForAllValues:StringEquals": { "kms:GrantOperations": [ "GenerateDataKey", "RetireGrant", "Decrypt" ] } } }, { "Sid": "AllowEnablingQueryBasedSubscribers", "Effect": "Allow", "Action": [ "ram:CreateResourceShare", "ram:AssociateResourceShare" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "ram:ResourceArn": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*" ] }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowConfiguringQueryBasedSubscribers", "Effect": "Allow", "Action": [ "ram:UpdateResourceShare", "ram:GetResourceShares", "ram:DisassociateResourceShare", "ram:DeleteResourceShare" ], "Resource": "*", "Condition": { "StringLike": { "ram:ResourceShareName": "LakeFormation*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowConfiguringCredentialsForSubscriberNotification", "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:events!connection/AmazonSecurityLake-*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForUpdatingGluePartitionsSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManager", "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManagerV2" ], "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:data-lake/default" } } }, { "Sid": "AllowPassRoleForUpdatingGluePartitionsLambdaArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManager", "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManagerV2" ], "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": [ "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*", "arn:aws:lambda:*:*:function:AmazonSecurityLake*" ] }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForCrossRegionReplicationSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeS3ReplicationRole", "Condition": { "StringEquals": { "iam:PassedToService": "s3.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:data-lake/default" } } }, { "Sid": "AllowPassRoleForCrossRegionReplicationS3Arn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeS3ReplicationRole", "Condition": { "StringEquals": { "iam:PassedToService": "s3.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:s3:::aws-security-data-lake*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForCustomSourceCrawlerSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeCustomDataGlueCrawler*", "Condition": { "StringEquals": { "iam:PassedToService": "glue.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:data-lake/default" } } }, { "Sid": "AllowPassRoleForCustomSourceCrawlerGlueArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeCustomDataGlueCrawler*", "Condition": { "StringEquals": { "iam:PassedToService": "glue.amazonaws.com" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForSubscriberNotificationSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeSubscriberEventBridge", "Condition": { "StringEquals": { "iam:PassedToService": "events.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:subscriber/*" } } }, { "Sid": "AllowPassRoleForSubscriberNotificationEventsArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeSubscriberEventBridge", "Condition": { "StringEquals": { "iam:PassedToService": "events.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:events:*:*:rule/AmazonSecurityLake*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowOnboardingToSecurityLakeDependencies", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": [ "arn:aws:iam::*:role/aws-service-role/securitylake.amazonaws.com/AWSServiceRoleForSecurityLake", "arn:aws:iam::*:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess", "arn:aws:iam::*:role/aws-service-role/apidestinations.events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations" ], "Condition": { "StringLike": { "iam:AWSServiceName": [ "securitylake.amazonaws.com", "lakeformation.amazonaws.com", "apidestinations.events.amazonaws.com" ] } } }, { "Sid": "AllowRolePolicyActionsforSubscibersandSources", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::*:role/AmazonSecurityLake*", "Condition": { "StringEquals": { "iam:PermissionsBoundary": "arn:aws:iam::aws:policy/AmazonSecurityLakePermissionsBoundary" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowRegisterS3LocationInLakeFormation", "Effect": "Allow", "Action": [ "iam:PutRolePolicy", "iam:GetRolePolicy" ], "Resource": "arn:aws:iam::*:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowIAMActionsByResource", "Effect": "Allow", "Action": [ "iam:ListRolePolicies", "iam:DeleteRole" ], "Resource": "arn:aws:iam::*:role/AmazonSecurityLake*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "S3ReadAccessToSecurityLakes", "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": "arn:aws:s3:::aws-security-data-lake-*" }, { "Sid": "S3ReadAccessToSecurityLakeMetastoreObject", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::security-lake-meta-store-manager-*" }, { "Sid": "S3ResourcelessReadOnly", "Effect": "Allow", "Action": [ "s3:GetAccountPublicAccessBlock", "s3:ListAccessPoints", "s3:ListAllMyBuckets" ], "Resource": "*" } ] }
AWS managed policy: SecurityLakeServiceLinkedRole
Security Lake uses the service-linked role named AWSServiceRoleForSecurityLake
to
create and operate the security data lake.
You can't attach the SecurityLakeServiceLinkedRole
managed policy to your IAM entities. This policy is
attached to a service-linked role that permits Security Lake to perform actions on your behalf. For more information, see
Service-linked role permissions for Security Lake.
AWS managed policy: SecurityLakeResourceManagementServiceRolePolicy
Security Lake uses the service-linked role named
AWSServiceRoleForSecurityLakeResourceManagement
to perform ongoing monitoring
and performance improvements, which can reduce latency and costs.
You can't attach the SecurityLakeResourceManagementServiceRolePolicy
managed
policy to your IAM entities. This policy is attached to a service-linked role that permits
Security Lake to perform actions on your behalf. For more information, see Service-linked role permissions for resource management.
AWS managed policy: AWSGlueServiceRole
The AWSGlueServiceRole
managed policy invokes the AWS Glue crawler and permits AWS Glue to crawl custom
source data and identify partition metadata. This metadata is necessary to create and update tables in the Data Catalog.
For more information, see Collecting data from custom sources in Security Lake.
Security Lake updates to AWS managed policies
View details about updates to AWS managed policies for Security Lake since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Security Lake Document history page.
Change | Description | Date |
---|---|---|
Service-linked role for Amazon Security Lake – New service-linked role |
We added a new service-linked role
|
November 14, 2024 |
Service-linked role for Amazon Security Lake – Update to existing service-linked role permissions |
We added AWS WAF actions to the AWS managed policy for the |
May 22, 2024 |
AmazonSecurityLakePermissionsBoundary – Update to an existing policy |
Security Lake added SID actions to the policy. |
May 13, 2024 |
AmazonSecurityLakeMetastoreManager – Update to an existing policy |
Security Lake updated the policy to add metadata clean up action which lets you delete the metadata in your data lake. |
March 27, 2024 |
AmazonSecurityLakeAdministrator – Update to an existing policy |
Security Lake updated the policy to allow
|
February 23, 2024 |
AmazonSecurityLakeMetastoreManager – New policy |
Security Lake added a new managed policy that grants permissions for Security Lake to manage metadata in your data lake. |
January 23, 2024 |
AmazonSecurityLakeAdministrator – New policy |
Security Lake added a new managed policy that grants a principal full access to all Security Lake actions. |
May 30, 2023 |
Security Lake started tracking changes |
Security Lake started tracking changes for its AWS managed policies. |
November 29, 2022 |