Service-linked role permissions for Security Lake
Security Lake uses the service-linked role named AWSServiceRoleForSecurityLake. This service-linked role trusts the securitylake.amazonaws.com service to assume the role. For more information about AWS managed policies for Amazon Security Lake, see AWS managed policies for Amazon Security Lake.
The permissions policy for the role, which is an AWS managed policy named SecurityLakeServiceLinkedRole, allows Security Lake to create and operate the security data lake. It also allows Security Lake to perform tasks such as the following on the specified resources:
- Use AWS Organizations actions to retrieve information about associated accounts
- Use Amazon Elastic Compute Cloud (Amazon EC2) to retrieve information about Amazon VPC Flow Logs
- Use AWS CloudTrail actions to retrieve information about the service-linked role
- Use AWS WAF actions to collect AWS WAF logs, when it is enabled as a log source in Security Lake
- Use the LogDelivery actions to create or delete an AWS WAF log delivery subscription
The role is configured with the following permissions policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OrganizationsPolicies",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccounts",
        "organizations:DescribeOrganization"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DescribeOrgAccounts",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount"
      ],
      "Resource": [
        "arn:aws:organizations::*:account/o-*/*"
      ]
    },
    {
      "Sid": "AllowManagementOfServiceLinkedChannel",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:CreateServiceLinkedChannel",
        "cloudtrail:DeleteServiceLinkedChannel",
        "cloudtrail:GetServiceLinkedChannel",
        "cloudtrail:UpdateServiceLinkedChannel"
      ],
      "Resource": "arn:aws:cloudtrail:*:*:channel/aws-service-channel/security-lake/*"
    },
    {
      "Sid": "AllowListServiceLinkedChannel",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:ListServiceLinkedChannels"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DescribeAnyVpc",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListDelegatedAdmins",
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": "securitylake.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowWafLoggingConfiguration",
      "Effect": "Allow",
      "Action": [
        "wafv2:PutLoggingConfiguration",
        "wafv2:GetLoggingConfiguration",
        "wafv2:ListLoggingConfigurations",
        "wafv2:DeleteLoggingConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "wafv2:LogScope": "SecurityLake"
        }
      }
    },
    {
      "Sid": "AllowPutLoggingConfiguration",
      "Effect": "Allow",
      "Action": [
        "wafv2:PutLoggingConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "wafv2:LogDestinationResource": "arn:aws:s3:::aws-waf-logs-security-lake-*"
        }
      }
    },
    {
      "Sid": "ListWebACLs",
      "Effect": "Allow",
      "Action": [
        "wafv2:ListWebACLs"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LogDelivery",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:DeleteLogDelivery"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "wafv2.amazonaws.com"
          ]
        }
      }
    }
  ]
}
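When reviewing a service-linked role like this one, two questions matter: who can assume it, and whether any statement grants a mutating action on Resource "*" without a Condition scoping it. The script below is an added example, not AWS code or part of this page. It embeds the SecurityLakeServiceLinkedRole permissions policy exactly as shown above, and a trust policy that is a constructed sample (an assumption: the page states only that the role trusts securitylake.amazonaws.com). It then reports the trusted service principals, lists the condition keys that scope each statement, and flags any unconditioned wildcard write.

```python
"""Audit a service-linked role's trust and permissions documents (added example)."""
import json

# Constructed sample trust policy (assumption: shaped like a standard
# service-linked role trust policy; the page only names the trusted service).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "securitylake.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# SecurityLakeServiceLinkedRole permissions policy, as shown on the page.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrganizationsPolicies", "Effect": "Allow",
         "Action": ["organizations:ListAccounts", "organizations:DescribeOrganization"],
         "Resource": ["*"]},
        {"Sid": "DescribeOrgAccounts", "Effect": "Allow",
         "Action": ["organizations:DescribeAccount"],
         "Resource": ["arn:aws:organizations::*:account/o-*/*"]},
        {"Sid": "AllowManagementOfServiceLinkedChannel", "Effect": "Allow",
         "Action": ["cloudtrail:CreateServiceLinkedChannel", "cloudtrail:DeleteServiceLinkedChannel",
                    "cloudtrail:GetServiceLinkedChannel", "cloudtrail:UpdateServiceLinkedChannel"],
         "Resource": "arn:aws:cloudtrail:*:*:channel/aws-service-channel/security-lake/*"},
        {"Sid": "AllowListServiceLinkedChannel", "Effect": "Allow",
         "Action": ["cloudtrail:ListServiceLinkedChannels"], "Resource": "*"},
        {"Sid": "DescribeAnyVpc", "Effect": "Allow",
         "Action": ["ec2:DescribeVpcs"], "Resource": "*"},
        {"Sid": "ListDelegatedAdmins", "Effect": "Allow",
         "Action": ["organizations:ListDelegatedAdministrators"], "Resource": "*",
         "Condition": {"StringEquals": {"organizations:ServicePrincipal": "securitylake.amazonaws.com"}}},
        {"Sid": "AllowWafLoggingConfiguration", "Effect": "Allow",
         "Action": ["wafv2:PutLoggingConfiguration", "wafv2:GetLoggingConfiguration",
                    "wafv2:ListLoggingConfigurations", "wafv2:DeleteLoggingConfiguration"],
         "Resource": "*", "Condition": {"StringEquals": {"wafv2:LogScope": "SecurityLake"}}},
        {"Sid": "AllowPutLoggingConfiguration", "Effect": "Allow",
         "Action": ["wafv2:PutLoggingConfiguration"], "Resource": "*",
         "Condition": {"ArnLike": {"wafv2:LogDestinationResource": "arn:aws:s3:::aws-waf-logs-security-lake-*"}}},
        {"Sid": "ListWebACLs", "Effect": "Allow", "Action": ["wafv2:ListWebACLs"], "Resource": "*"},
        {"Sid": "LogDelivery", "Effect": "Allow",
         "Action": ["logs:CreateLogDelivery", "logs:DeleteLogDelivery"], "Resource": "*",
         "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["wafv2.amazonaws.com"]}}},
    ],
}

# Heuristic: IAM action verbs with these prefixes do not change state.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Service; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trusted_services(trust_policy):
    """Return the set of service principals an Allow statement lets assume the role."""
    services = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    return services


def is_read_only(action):
    """True for actions such as ec2:DescribeVpcs; False for wafv2:PutLoggingConfiguration."""
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_ONLY_PREFIXES)


def unconditioned_wildcard_writes(policy):
    """(Sid, [write actions]) for Allow statements on Resource "*" that have no Condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        writes = [a for a in _as_list(stmt["Action"]) if not is_read_only(a)]
        if writes:
            findings.append((stmt.get("Sid"), writes))
    return findings


def condition_keys_by_sid(policy):
    """Map each Sid to the sorted tuple of condition keys scoping it (empty if none)."""
    return {
        stmt.get("Sid"): tuple(sorted(
            key for operator in stmt.get("Condition", {}).values() for key in operator))
        for stmt in policy["Statement"]
    }


if __name__ == "__main__":
    print("trusted by:", sorted(trusted_services(TRUST_POLICY)))
    print(json.dumps(condition_keys_by_sid(PERMISSIONS_POLICY), indent=2))
    print("unconditioned wildcard writes:", unconditioned_wildcard_writes(PERMISSIONS_POLICY))
```

Run against the policy above, the audit reports no unconditioned wildcard writes: every Put, Create or Delete on "*" is scoped by wafv2:LogScope, wafv2:LogDestinationResource or aws:CalledVia, and the CloudTrail channel actions are limited to the security-lake channel ARN. Keep in mind that IAM evaluates Allow statements independently, so wafv2:PutLoggingConfiguration succeeds when either the LogScope condition or the destination-ARN condition holds; the script reports each statement's keys separately for that reason.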
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.
Creating the Security Lake service-linked role
You don't need to manually create the AWSServiceRoleForSecurityLake service-linked role for Security Lake. When you enable Security Lake for your AWS account, Security Lake automatically creates the service-linked role for you.
Editing the Security Lake service-linked role
Security Lake doesn't allow you to edit the AWSServiceRoleForSecurityLake service-linked role. After a service-linked role is created, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.
Deleting the Security Lake service-linked role
You cannot delete the service-linked role from Security Lake. Instead, you can delete the service-linked role from the IAM console, API, or AWS CLI. For more information, see Deleting a service-linked role in the IAM User Guide.
Before you can delete the service-linked role, you must first confirm that the role has no active sessions and remove any resources that AWSServiceRoleForSecurityLake is using.
Note
If Security Lake is using the AWSServiceRoleForSecurityLake role when you try to delete the resources, the deletion might fail. If that happens, wait a few minutes and then try the operation again.
If you delete the AWSServiceRoleForSecurityLake service-linked role and need to create it again, you can do so by enabling Security Lake for your account. When you enable Security Lake again, Security Lake automatically creates the service-linked role again for you.
Supported AWS Regions for the Security Lake service-linked role
Security Lake supports using the AWSServiceRoleForSecurityLake service-linked role in all the AWS Regions where Security Lake is available. For a list of Regions where Security Lake is currently available, see Security Lake Regions and endpoints.