AWS 文档 AWS SDK示例 GitHub 存储库中还有更多SDK示例
本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用安全湖的示例 AWS CLI
以下代码示例向您展示了如何使用 with Security Lake 来执行操作和实现常见场景。 AWS Command Line Interface
操作是大型程序的代码摘录,必须在上下文中运行。您可以通过操作了解如何调用单个服务函数,还可以通过函数相关场景的上下文查看操作。
每个示例都包含一个指向完整源代码的链接,您可以在其中找到有关如何在上下文中设置和运行代码的说明。
主题
操作
以下代码示例演示如何使用 create-aws-logsource。
- AWS CLI
-
将原生支持的亚马逊网络服务添加为 Amazon Security Lake 来源
以下
create-aws-logsource示例将VPC流日志添加为指定账户和区域中的 Security Lake 来源。aws securitylake create-aws-log-source \ --sources '[{"regions": ["us-east-1"], "accounts": ["123456789012"], "sourceName": "SH_FINDINGS", "sourceVersion": "2.0"}]'输出:
{ "failed": [ "123456789012" ] }有关更多信息,请参阅 Amazon S AWS ecurity Lake 用户指南中的添加服务作为来源。
-
有关API详细信息,请参阅 “CreateAwsLogsource AWS CLI
命令参考”。
-
以下代码示例演示如何使用 create-custom-logsource。
- AWS CLI
-
将自定义来源添加为 Amazon Security Lake 来源
以下
create-custom-logsource示例在指定的日志提供商账户和指定区域中添加自定义源作为 Security Lake 源。aws securitylake create-custom-log-source \ --source-name"VPC_FLOW"\ --event-classes '["DNS_ACTIVITY", "NETWORK_ACTIVITY"]' \ --configuration '{"crawlerConfiguration": {"roleArn": "arn:aws:glue:eu-west-2:123456789012:crawler/E1WG1ZNPRXT0D4"},"providerIdentity": {"principal": "029189416600","externalId": "123456789012"}}' --region"us-east-1"输出:
{ "customLogSource": { "attributes": { "crawlerArn": "arn:aws:glue:eu-west-2:123456789012:crawler/E1WG1ZNPRXT0D4", "databaseArn": "arn:aws:glue:eu-west-2:123456789012:database/E1WG1ZNPRXT0D4", "tableArn": "arn:aws:glue:eu-west-2:123456789012:table/E1WG1ZNPRXT0D4" }, "provider": { "location": "DOC-EXAMPLE-BUCKET--usw2-az1--x-s3", "roleArn": "arn:aws:iam::123456789012:role/AmazonSecurityLake-Provider-testCustom2-eu-west-2" }, "sourceName": "testCustom2" "sourceVersion": "2.0" } }有关更多信息,请参阅 Amazon Security Lake 用户指南中的添加自定义来源。
-
有关API详细信息,请参阅 “CreateCustomLogsource AWS CLI
命令参考”。
-
以下代码示例演示如何使用 create-data-lake-exception-subscription。
- AWS CLI
-
发送安全湖异常通知
以下
create-data-lake-exception-subscription示例通过SMS交付向指定账户发送有关 Security Lake 异常的通知。异常消息将在指定的时间段内保留。aws securitylake create-data-lake-exception-subscription \ --notification-endpoint"123456789012"\ --exception-time-to-live30\ --subscription-protocol"sms"此命令不生成任何输出。
有关更多信息,请参阅《亚马逊安全湖用户指南》中的亚马逊安全湖疑难解答。
-
有关API详细信息,请参阅 “CreateDataLakeExceptionSubscription AWS CLI
命令参考”。
-
以下代码示例演示如何使用 create-data-lake-organization-configuration。
- AWS CLI
-
在新组织账户中配置 Security Lake
以下
create-data-lake-organization-configuration示例启用 Security Lake 以及新组织账户中指定的源事件和日志的收集。aws securitylake create-data-lake-organization-configuration \ --auto-enable-new-account '[{"region":"us-east-1","sources":[{"sourceName":"SH_FINDINGS","sourceVersion": "1.0"}]}]'此命令不生成任何输出。
有关更多信息,请参阅 Amazon Security Lake 用户 AWS 指南中的使用 Organizations 管理多个账户。
-
有关API详细信息,请参阅 “CreateDataLakeOrganizationConfiguration AWS CLI
命令参考”。
-
以下代码示例演示如何使用 create-data-lake。
- AWS CLI
-
示例 1:在多个区域配置数据湖
以下
create-data-lake示例在多个 AWS 区域启用 Amazon 安全湖并配置您的数据湖。aws securitylake create-data-lake \ --configurations '[{"encryptionConfiguration": {"kmsKeyId":"S3_MANAGED_KEY"},"region":"us-east-1","lifecycleConfiguration": {"expiration":{"days":365},"transitions":[{"days":60,"storageClass":"ONEZONE_IA"}]}}, {"encryptionConfiguration": {"kmsKeyId":"S3_MANAGED_KEY"},"region":"us-east-2","lifecycleConfiguration": {"expiration":{"days":365},"transitions":[{"days":60,"storageClass":"ONEZONE_IA"}]}}]' \ --meta-store-manager-role-arn"arn:aws:iam:us-east-1:123456789012:role/service-role/AmazonSecurityLakeMetaStoreManager"输出:
{ "dataLakes": [ { "createStatus": "COMPLETED", "dataLakeArn": "arn:aws:securitylake:us-east-1:522481757177:data-lake/default", "encryptionConfiguration": { "kmsKeyId": "S3_MANAGED_KEY" }, "lifecycleConfiguration": { "expiration": { "days": 365 }, "transitions": [ { "days": 60, "storageClass": "ONEZONE_IA" } ] }, "region": "us-east-1", "replicationConfiguration": { "regions": [ "ap-northeast-3" ], "roleArn": "arn:aws:securitylake:ap-northeast-3:522481757177:data-lake/default" }, "s3BucketArn": "arn:aws:s3:::aws-security-data-lake-us-east-1-gnevt6s8z7bzby8oi3uiaysbr8v2ml", "updateStatus": { "exception": {}, "requestId": "f20a6450-d24a-4f87-a6be-1d4c075a59c2", "status": "INITIALIZED" } }, { "createStatus": "COMPLETED", "dataLakeArn": "arn:aws:securitylake:us-east-2:522481757177:data-lake/default", "encryptionConfiguration": { "kmsKeyId": "S3_MANAGED_KEY" }, "lifecycleConfiguration": { "expiration": { "days": 365 }, "transitions": [ { "days": 60, "storageClass": "ONEZONE_IA" } ] }, "region": "us-east-2", "replicationConfiguration": { "regions": [ "ap-northeast-3" ], "roleArn": "arn:aws:securitylake:ap-northeast-3:522481757177:data-lake/default" }, "s3BucketArn": "arn:aws:s3:::aws-security-data-lake-us-east-2-cehuifzl5rwmhm6m62h7zhvtseogr9", "updateStatus": { "exception": {}, "requestId": "f20a6450-d24a-4f87-a6be-1d4c075a59c2", "status": "INITIALIZED" } } ] }有关更多信息,请参阅亚马逊安全湖用户指南中的亚马逊安全湖入门。
示例 2:在单个区域中配置数据湖
以下
create-data-lake示例在单个 AWS 区域中启用 Amazon 安全湖并配置您的数据湖。aws securitylake create-data-lake \ --configurations '[{"encryptionConfiguration": {"kmsKeyId":"1234abcd-12ab-34cd-56ef-1234567890ab"},"region":"us-east-2","lifecycleConfiguration": {"expiration":{"days":500},"transitions":[{"days":30,"storageClass":"GLACIER"}]}}]' \ --meta-store-manager-role-arn"arn:aws:iam:us-east-1:123456789012:role/service-role/AmazonSecurityLakeMetaStoreManager"输出:
{ "dataLakes": [ { "createStatus": "COMPLETED", "dataLakeArn": "arn:aws:securitylake:us-east-2:522481757177:data-lake/default", "encryptionConfiguration": { "kmsKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }, "lifecycleConfiguration": { "expiration": { "days": 500 }, "transitions": [ { "days": 30, "storageClass": "GLACIER" } ] }, "region": "us-east-2", "replicationConfiguration": { "regions": [ "ap-northeast-3" ], "roleArn": "arn:aws:securitylake:ap-northeast-3:522481757177:data-lake/default" }, "s3BucketArn": "arn:aws:s3:::aws-security-data-lake-us-east-2-cehuifzl5rwmhm6m62h7zhvtseogr9", "updateStatus": { "exception": {}, "requestId": "77702a53-dcbf-493e-b8ef-518e362f3003", "status": "INITIALIZED" } } ] }有关更多信息,请参阅亚马逊安全湖用户指南中的亚马逊安全湖入门。
-
有关API详细信息,请参阅 “CreateDataLake AWS CLI
命令参考”。
-
以下代码示例演示如何使用 create-subscriber-data-access。
- AWS CLI
-
创建具有数据访问权限的订阅者
以下
create-subscriber示例在 Security Lake 中创建一个订阅者,该订阅者可以访问当前 AWS 区域中与 AWS 来源的指定订阅者身份相关的数据。aws securitylake create-subscriber \ --access-types"S3"\ --sources '[{"awsLogSource": {"sourceName": "VPC_FLOW","sourceVersion": "2.0"}}]' \ --subscriber-name"opensearch-s3"\ --subscriber-identity '{"principal": "029189416600","externalId": "123456789012"}'输出:
{ "subscriber": { "accessTypes": [ "S3" ], "createdAt": "2024-07-17T19:08:26.787000+00:00", "roleArn": "arn:aws:iam::773172568199:role/AmazonSecurityLake-896f218b-cfba-40be-a255-8b49a65d0407", "s3BucketArn": "arn:aws:s3:::aws-security-data-lake-us-east-1-um632ufwpvxkyz0bc5hkb64atycnf3", "sources": [ { "awsLogSource": { "sourceName": "VPC_FLOW", "sourceVersion": "2.0" } } ], "subscriberArn": "arn:aws:securitylake:us-east-1:773172568199:subscriber/896f218b-cfba-40be-a255-8b49a65d0407", "subscriberId": "896f218b-cfba-40be-a255-8b49a65d0407", "subscriberIdentity": { "externalId": "123456789012", "principal": "029189416600" }, "subscriberName": "opensearch-s3", "subscriberStatus": "ACTIVE", "updatedAt": "2024-07-17T19:08:27.133000+00:00" } }有关更多信息,请参阅 Amazon Security Lake 用户指南中的创建具有数据访问权限的订阅者。
-
有关API详细信息,请参阅 “CreateSubscriberDataAccess AWS CLI
命令参考”。
-
以下代码示例演示如何使用 create-subscriber-notification。
- AWS CLI
-
创建订阅者通知
以下
create-subscriber-notification示例说明如何指定订阅者通知,以便在向数据湖写入新数据时创建通知。aws securitylake create-subscriber-notification \ --subscriber-id"12345ab8-1a34-1c34-1bd4-12345ab9012"\ --configuration '{"httpsNotificationConfiguration": {"targetRoleArn":"arn:aws:iam::XXX:role/service-role/RoleName", "endpoint":"https://account-management.$3.$2.securitylake.aws.dev/v1/datalake"}}'输出:
{ "subscriberEndpoint": [ "https://account-management.$3.$2.securitylake.aws.dev/v1/datalake" ] }有关更多信息,请参阅 Amazon Security Lake 用户指南中的订阅者管理。
-
有关API详细信息,请参阅 “CreateSubscriberNotification AWS CLI
命令参考”。
-
以下代码示例演示如何使用 create-subscriber-query-access。
- AWS CLI
-
创建具有查询权限的订阅者
以下
create-subscriber示例在 Security Lake 中创建一个订阅者,该订阅者在当前 AWS 区域内具有指定订阅者身份的查询权限。aws securitylake create-subscriber \ --access-types"LAKEFORMATION"\ --sources '[{"awsLogSource": {"sourceName": "VPC_FLOW","sourceVersion": "2.0"}}]' \ --subscriber-name"opensearch-s3"\ --subscriber-identity '{"principal": "029189416600","externalId": "123456789012"}'输出:
{ "subscriber": { "accessTypes": [ "LAKEFORMATION" ], "createdAt": "2024-07-18T01:05:55.853000+00:00", "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/8c31da49-c224-4f1e-bb12-37ab756d6d8a", "resourceShareName": "LakeFormation-V2-NAMENAMENA-123456789012", "sources": [ { "awsLogSource": { "sourceName": "VPC_FLOW", "sourceVersion": "2.0" } } ], "subscriberArn": "arn:aws:securitylake:us-east-1:123456789012:subscriber/e762aabb-ce3d-4585-beab-63474597845d", "subscriberId": "e762aabb-ce3d-4585-beab-63474597845d", "subscriberIdentity": { "externalId": "123456789012", "principal": "029189416600" }, "subscriberName": "opensearch-s3", "subscriberStatus": "ACTIVE", "updatedAt": "2024-07-18T01:05:58.393000+00:00" } }有关更多信息,请参阅 Amazon Security Lake 用户指南中的创建具有查询权限的订阅者。
-
有关API详细信息,请参阅 “CreateSubscriberQueryAccess AWS CLI
命令参考”。
-
以下代码示例演示如何使用 delete-aws-logsource。
- AWS CLI
-
删除原生支持的服务 AWS 。
以下
delete-aws-logsource示例删除了指定账户和区域中作为 Security Lake 来源的VPC流日志。aws securitylake delete-aws-log-source \ --sources '[{"regions": ["us-east-1"], "accounts": ["123456789012"], "sourceName": "SH_FINDINGS", "sourceVersion": "2.0"}]'输出:
{ "failed": [ "123456789012" ] }有关更多信息,请参阅 Amazon S AWS ecurity Lake 用户指南中的移除服务作为来源。
-
有关API详细信息,请参阅 “DeleteAwsLogsource AWS CLI
命令参考”。
-
以下代码示例演示如何使用 delete-custom-logsource。
- AWS CLI
-
移除自定义来源。
以下
delete-custom-logsource示例删除指定区域中指定日志提供者账户中的自定义来源。aws securitylake delete-custom-log-source \ --source-name"CustomSourceName"此命令不生成任何输出。
有关更多信息,请参阅《Amazon Security Lake 用户指南》中的删除自定义来源。
-
有关API详细信息,请参阅 “DeleteCustomLogsource AWS CLI
命令参考”。
-
以下代码示例演示如何使用 delete-data-lake-organization-configuration。
- AWS CLI
-
停止在成员账户中自动收集来源
以下
delete-data-lake-organization-configuration示例停止从加入组织的新成员账户自动收集 Sec AWS urity Hub 调查结果。只有委派的 Security Lake 管理员才能运行此命令。它可以防止新成员账户自动向数据湖提供数据。aws securitylake delete-data-lake-organization-configuration \ --auto-enable-new-account '[{"region":"us-east-1","sources":[{"sourceName":"SH_FINDINGS"}]}]'此命令不生成任何输出。
有关更多信息,请参阅 Amazon Security Lake 用户 AWS 指南中的使用 Organizations 管理多个账户。
-
有关API详细信息,请参阅 “DeleteDataLakeOrganizationConfiguration AWS CLI
命令参考”。
-
以下代码示例演示如何使用 delete-data-lake。
- AWS CLI
-
禁用您的数据湖
以下
delete-data-lake示例在指定 AWS 区域禁用您的数据湖。在指定的区域中,源不再向数据湖提供数据。对于使用 AWS Organizations 的 Security Lake 部署,只有为该组织委派的 Security Lake 管理员才能为组织中的账户禁用安全湖。aws securitylake delete-data-lake \ --regions"ap-northeast-1""eu-central-1"此命令不生成任何输出。
有关更多信息,请参阅《亚马逊安全湖用户指南》中的禁用亚马逊安全湖。
-
有关API详细信息,请参阅 “DeleteDataLake AWS CLI
命令参考”。
-
以下代码示例演示如何使用 delete-subscriber-notification。
- AWS CLI
-
删除订阅者通知
以下
delete-subscriber-notification示例说明如何删除特定 Security Lake 订阅者的订阅者通知。aws securitylake delete-subscriber-notification \ --subscriber-id"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"此命令不生成任何输出。
有关更多信息,请参阅 Amazon Security Lake 用户指南中的订阅者管理。
-
有关API详细信息,请参阅 “DeleteSubscriberNotification AWS CLI
命令参考”。
-
以下代码示例演示如何使用 delete-subscriber。
- AWS CLI
-
删除订阅者
以下
delete-subscriber示例说明如果您不再希望订阅者使用来自 Security Lake 的数据,如何删除订阅者。aws securitylake delete-subscriber \ --subscriber-id"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"此命令不生成任何输出。
有关更多信息,请参阅 Amazon Security Lake 用户指南中的订阅者管理。
-
有关API详细信息,请参阅 “DeleteSubscriber AWS CLI
命令参考”。
-
以下代码示例演示如何使用 get-data-lake-exception-subscription。
- AWS CLI
-
获取有关例外订阅的详细信息
以下
get-data-lake-exception-subscription示例提供了有关 Security Lake 异常订阅的详细信息。在此示例中,指定 AWS 账户的用户会通过SMS传送收到错误通知。异常消息将在指定的时间段内保留在账户中。异常订阅通过请求者的首选协议向 Security Lake 用户通报错误。aws securitylake get-data-lake-exception-subscription输出:
{ "exceptionTimeToLive": 30, "notificationEndpoint": "123456789012", "subscriptionProtocol": "sms" }有关更多信息,请参阅 Amazon Security Lake 用户指南中的数据湖状态故障排除。
-
有关API详细信息,请参阅 “GetDataLakeExceptionSubscription AWS CLI
命令参考”。
-
以下代码示例演示如何使用 get-data-lake-organization-configuration。
- AWS CLI
-
获取有关新组织账户配置的详细信息
以下
get-data-lake-organization-configuration示例检索有关新组织账户在加入 Amazon Security Lake 后将发送的源日志的详细信息。aws securitylake get-data-lake-organization-configuration输出:
{ "autoEnableNewAccount": [ { "region": "us-east-1", "sources": [ { "sourceName": "VPC_FLOW", "sourceVersion": "1.0" }, { "sourceName": "ROUTE53", "sourceVersion": "1.0" }, { "sourceName": "SH_FINDINGS", "sourceVersion": "1.0" } ] } ] }有关更多信息,请参阅 Amazon Security Lake 用户 AWS 指南中的使用 Organizations 管理多个账户。
-
有关API详细信息,请参阅 “GetDataLakeOrganizationConfiguration AWS CLI
命令参考”。
-
以下代码示例演示如何使用 get-data-lake-sources。
- AWS CLI
-
获取日志收集的状态
以下
get-data-lake-sources示例获取当前 AWS 区域中指定账户的日志收集快照。该账户已启用亚马逊安全湖。aws securitylake get-data-lake-sources \ --accounts"123456789012"输出:
{ "dataLakeSources": [ { "account": "123456789012", "sourceName": "SH_FINDINGS", "sourceStatuses": [ { "resource": "vpc-1234567890abcdef0", "status": "COLLECTING" } ] }, { "account": "123456789012", "sourceName": "VPC_FLOW", "sourceStatuses": [ { "resource": "vpc-1234567890abcdef0", "status": "NOT_COLLECTING" } ] }, { "account": "123456789012", "sourceName": "LAMBDA_EXECUTION", "sourceStatuses": [ { "resource": "vpc-1234567890abcdef0", "status": "COLLECTING" } ] }, { "account": "123456789012", "sourceName": "ROUTE53", "sourceStatuses": [ { "resource": "vpc-1234567890abcdef0", "status": "COLLECTING" } ] }, { "account": "123456789012", "sourceName": "CLOUD_TRAIL_MGMT", "sourceStatuses": [ { "resource": "vpc-1234567890abcdef0", "status": "COLLECTING" } ] } ], "dataLakeArn": null }有关更多信息,请参阅 Amazon Security Lake 用户指南中的从 AWS 服务收集数据。
-
有关API详细信息,请参阅 “GetDataLakeSources AWS CLI
命令参考”。
-
以下代码示例演示如何使用 get-subscriber。
- AWS CLI
-
检索订阅信息
以下
get-subscriber示例检索指定 Securiy Lake 订阅者的订阅信息。aws securitylake get-subscriber \ --subscriber-ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111输出:
{ "subscriber": { "accessTypes": [ "LAKEFORMATION" ], "createdAt": "2024-04-19T15:19:44.421803+00:00", "resourceShareArn": "arn:aws:ram:eu-west-2:123456789012:resource-share/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "resourceShareName": "LakeFormation-V3-TKJGBHCKTZ-123456789012", "sources": [ { "awsLogSource": { "sourceName": "LAMBDA_EXECUTION", "sourceVersion": "1.0" } }, { "awsLogSource": { "sourceName": "EKS_AUDIT", "sourceVersion": "2.0" } }, { "awsLogSource": { "sourceName": "ROUTE53", "sourceVersion": "1.0" } }, { "awsLogSource": { "sourceName": "SH_FINDINGS", "sourceVersion": "1.0" } }, { "awsLogSource": { "sourceName": "VPC_FLOW", "sourceVersion": "1.0" } }, { "customLogSource": { "attributes": { "crawlerArn": "arn:aws:glue:eu-west-2:123456789012:crawler/testCustom2", "databaseArn": "arn:aws:glue:eu-west-2:123456789012:database/amazon_security_lake_glue_db_eu_west_2", "tableArn": "arn:aws:glue:eu-west-2:123456789012:table/amazon_security_lake_table_eu_west_2_ext_testcustom2" }, "provider": { "location": "s3://aws-security-data-lake-eu-west-2-8ugsus4ztnsfpjbldwbgf4vge98av9/ext/testCustom2/", "roleArn": "arn:aws:iam::123456789012:role/AmazonSecurityLake-Provider-testCustom2-eu-west-2" }, "sourceName": "testCustom2" } }, { "customLogSource": { "attributes": { "crawlerArn": "arn:aws:glue:eu-west-2:123456789012:crawler/TestCustom", "databaseArn": "arn:aws:glue:eu-west-2:123456789012:database/amazon_security_lake_glue_db_eu_west_2", "tableArn": "arn:aws:glue:eu-west-2:123456789012:table/amazon_security_lake_table_eu_west_2_ext_testcustom" }, "provider": { "location": "s3://aws-security-data-lake-eu-west-2-8ugsus4ztnsfpjbldwbgf4vge98av9/ext/TestCustom/", "roleArn": "arn:aws:iam::123456789012:role/AmazonSecurityLake-Provider-TestCustom-eu-west-2" }, "sourceName": "TestCustom" } } ], "subscriberArn": "arn:aws:securitylake:eu-west-2:123456789012:subscriber/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "subscriberId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "subscriberIdentity": { "externalId": "123456789012", "principal": "123456789012" }, "subscriberName": "test", "subscriberStatus": "ACTIVE", "updatedAt": "2024-04-19T15:19:55.230588+00:00" } }有关更多信息,请参阅 Amazon Security Lake 用户指南中的订阅者管理。
-
有关API详细信息,请参阅 “GetSubscriber AWS CLI
命令参考”。
-
以下代码示例演示如何使用 list-data-lake-exceptions。
- AWS CLI
-
列出影响您的数据湖的问题
以下
list-data-lake-exceptions示例列出了在过去 14 天内在指定 AWS 区域中影响您的数据湖的问题。aws securitylake list-data-lake-exceptions \ --regions"us-east-1""eu-west-3"输出:
{ "exceptions": [ { "exception": "The account does not have the required role permissions. Update your role permissions to use the new data source version.", "region": "us-east-1", "timestamp": "2024-02-29T12:24:15.641725+00:00" }, { "exception": "The account does not have the required role permissions. Update your role permissions to use the new data source version.", "region": "eu-west-3", "timestamp": "2024-02-29T12:24:15.641725+00:00" } ] }有关更多信息,请参阅《亚马逊安全湖用户指南》中的亚马逊安全湖疑难解答。
-
有关API详细信息,请参阅 “ListDataLakeExceptions AWS CLI
命令参考”。
-
以下代码示例演示如何使用 list-data-lakes。
- AWS CLI
-
列出 Security Lake 配置对象
以下
list-data-lakes示例列出了指定 AWS 区域的 Amazon 安全湖配置对象。您可以使用此命令来确定是否在指定的区域或区域中启用了安全湖。aws securitylake list-data-lakes \ --regions"us-east-1"输出:
{ "dataLakes": [ { "createStatus": "COMPLETED", "dataLakeArn": "arn:aws:securitylake:us-east-1:123456789012:data-lake/default", "encryptionConfiguration": { "kmsKeyId": "S3_MANAGED_KEY" }, "lifecycleConfiguration": { "expiration": { "days": 365 }, "transitions": [ { "days": 60, "storageClass": "ONEZONE_IA" } ] }, "region": "us-east-1", "replicationConfiguration": { "regions": [ "ap-northeast-3" ], "roleArn": "arn:aws:securitylake:ap-northeast-3:123456789012:data-lake/default" }, "s3BucketArn": "arn:aws:s3:::aws-security-data-lake-us-east-1-1234567890abcdef0", "updateStatus": { "exception": { "code": "software.amazon.awssdk.services.s3.model.S3Exception", "reason": "" }, "requestId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "status": "FAILED" } } ] }有关更多信息,请参阅 Amazon Security Lake 用户指南中的检查区域状态。
-
有关API详细信息,请参阅 “ListDataLakes AWS CLI
命令参考”。
-
以下代码示例演示如何使用 list-log-sources。
- AWS CLI
-
检索 Amazon Security Lake 日志源
以下
list-log-sources示例列出了指定账户中的 Amazon Security Lake 日志源。aws securitylake list-log-sources \ --accounts"123456789012"输出:
{ "account": "123456789012", "region": "xy-region-1", "sources": [ { "awsLogSource": { "sourceName": "VPC_FLOW", "sourceVersion": "2.0" } }, { "awsLogSource": { "sourceName": "SH_FINDINGS", "sourceVersion": "2.0" } } ] }有关更多信息,请参阅 Amazon Security Lake 用户指南中的源代码管理。
-
有关API详细信息,请参阅 “ListLogSources AWS CLI
命令参考”。
-
以下代码示例演示如何使用 list-subscribers。
- AWS CLI
-
检索 Amazon 安全湖的订阅者
以下
list-subscribers示例列出了特定账户中的所有 Amazon Security Lake 订阅者。aws securitylake list-subscribers输出:
{ "subscribers": [ { "accessTypes": [ "S3" ], "createdAt": "2024-06-04T15:02:28.921000+00:00", "roleArn": "arn:aws:iam::123456789012:role/AmazonSecurityLake-E1WG1ZNPRXT0D4", "s3BucketArn": "DOC-EXAMPLE-BUCKET--usw2-az1--x-s3", "sources": [ { "awsLogSource": { "sourceName": "CLOUD_TRAIL_MGMT", "sourceVersion": "2.0" } }, { "awsLogSource": { "sourceName": "LAMBDA_EXECUTION", "sourceVersion": "1.0" } }, { "customLogSource": { "attributes": { "crawlerArn": "arn:aws:glue:eu-west-2:123456789012:crawler/E1WG1ZNPRXT0D4", "databaseArn": "arn:aws:glue:eu-west-2:123456789012:database/E1WG1ZNPRXT0D4", "tableArn": "arn:aws:glue:eu-west-2:123456789012:table/E1WG1ZNPRXT0D4" }, "provider": { "location": "DOC-EXAMPLE-BUCKET--usw2-az1--x-s3", "roleArn": "arn:aws:iam::123456789012:role/AmazonSecurityLake-E1WG1ZNPRXT0D4" }, "sourceName": "testCustom2" } } ], "subscriberArn": "arn:aws:securitylake:eu-west-2:123456789012:subscriber/E1WG1ZNPRXT0D4", "subscriberEndpoint": "arn:aws:sqs:eu-west-2:123456789012:AmazonSecurityLake-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111-Main-Queue", "subscriberId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "subscriberIdentity": { "externalId": "ext123456789012", "principal": "123456789012" }, "subscriberName": "Test", "subscriberStatus": "ACTIVE", "updatedAt": "2024-06-04T15:02:35.617000+00:00" } ] }有关更多信息,请参阅 Amazon Security Lake 用户指南中的订阅者管理。
-
有关API详细信息,请参阅 “ListSubscribers AWS CLI
命令参考”。
-
以下代码示例演示如何使用 list-tags-for-resource。
- AWS CLI
-
列出现有资源的标签
以下
list-tags-for-resource示例列出了指定的 Amazon Security Lake 订阅者的标签。在此示例中,Owner 标签键没有关联的标签值。您也可以使用此操作列出其他现有 Security Lake 资源的标签。aws securitylake list-tags-for-resource \ --resource-arn"arn:aws:securitylake:us-east-1:123456789012:subscriber/1234abcd-12ab-34cd-56ef-1234567890ab"输出:
{ "tags": [ { "key": "Environment", "value": "Cloud" }, { "key": "CostCenter", "value": "12345" }, { "key": "Owner", "value": "" } ] }有关更多信息,请参阅《亚马逊安全湖用户指南》中的标记亚马逊安全湖资源。
-
有关API详细信息,请参阅 “ListTagsForResource AWS CLI
命令参考”。
-
以下代码示例演示如何使用 register-data-lake-delegated-administrator。
- AWS CLI
-
指定委派的管理员
以下
register-data-lake-delegated-administrator示例将指定 AWS 账户指定为委派的 Amazon Security Lake 管理员。aws securitylake register-data-lake-delegated-administrator \ --account-id123456789012此命令不生成任何输出。
有关更多信息,请参阅 Amazon Security Lake 用户 AWS 指南中的使用 Organizations 管理多个账户。
-
有关API详细信息,请参阅 “RegisterDataLakeDelegatedAdministrator AWS CLI
命令参考”。
-
以下代码示例演示如何使用 tag-resource。
- AWS CLI
-
为现有资源添加标签
以下
tag-resource示例为现有订阅者资源添加标签。要创建新资源并向其添加一个或多个标签,请不要使用此操作。相反,请对要创建的资源类型使用相应的 “创建” 操作。aws securitylake tag-resource \ --resource-arn"arn:aws:securitylake:us-east-1:123456789012:subscriber/1234abcd-12ab-34cd-56ef-1234567890ab"\ --tagskey=Environment,value=Cloud此命令不生成任何输出。
有关更多信息,请参阅《亚马逊安全湖用户指南》中的标记亚马逊安全湖资源。
-
有关API详细信息,请参阅 “TagResource AWS CLI
命令参考”。
-
以下代码示例演示如何使用 untag-resource。
- AWS CLI
-
从现有资源中移除标签
以下
untag-resource示例从现有订阅者资源中删除指定的标签。aws securitylake untag-resource \ --resource-arn"arn:aws:securitylake:us-east-1:123456789012:subscriber/1234abcd-12ab-34cd-56ef-1234567890ab"\ --tagsEnvironmentOwner此命令不生成任何输出。
有关更多信息,请参阅《亚马逊安全湖用户指南》中的标记亚马逊安全湖资源。
-
有关API详细信息,请参阅 “UntagResource AWS CLI
命令参考”。
-
以下代码示例演示如何使用 update-data-lake-exception-subscription。
- AWS CLI
-
更新 Security Lake 异常的通知订阅
以下
update-data-lake-exception-subscription示例更新了通知用户 Security Lake 异常的通知订阅。aws securitylake update-data-lake-exception-subscription \ --notification-endpoint"123456789012"\ --exception-time-to-live30\ --subscription-protocol"email"此命令不生成任何输出。
有关更多信息,请参阅《亚马逊安全湖用户指南》中的亚马逊安全湖疑难解答。
-
有关API详细信息,请参阅 “UpdateDataLakeExceptionSubscription AWS CLI
命令参考”。
-
以下代码示例演示如何使用 update-data-lake。
- AWS CLI
-
示例 1:更新您的数据湖设置
以下
update-data-lake示例更新了您的 Amazon Security Lake 数据湖的设置。您可以使用此操作来指定数据加密、存储和汇总区域设置。aws securitylake update-data-lake \ --configurations '[{"encryptionConfiguration": {"kmsKeyId":"S3_MANAGED_KEY"},"region":"us-east-1","lifecycleConfiguration": {"expiration":{"days":365},"transitions":[{"days":60,"storageClass":"ONEZONE_IA"}]}}, {"encryptionConfiguration": {"kmsKeyId":"S3_MANAGED_KEY"},"region":"us-east-2","lifecycleConfiguration": {"expiration":{"days":365},"transitions":[{"days":60,"storageClass":"ONEZONE_IA"}]}}]' \ --meta-store-manager-role-arn"arn:aws:iam:us-east-1:123456789012:role/service-role/AmazonSecurityLakeMetaStoreManager"输出:
{ "dataLakes": [ { "createStatus": "COMPLETED", "dataLakeArn": "arn:aws:securitylake:us-east-1:522481757177:data-lake/default", "encryptionConfiguration": { "kmsKeyId": "S3_MANAGED_KEY" }, "lifecycleConfiguration": { "expiration": { "days": 365 }, "transitions": [ { "days": 60, "storageClass": "ONEZONE_IA" } ] }, "region": "us-east-1", "replicationConfiguration": { "regions": [ "ap-northeast-3" ], "roleArn": "arn:aws:securitylake:ap-northeast-3:522481757177:data-lake/default" }, "s3BucketArn": "arn:aws:s3:::aws-security-data-lake-us-east-1-gnevt6s8z7bzby8oi3uiaysbr8v2ml", "updateStatus": { "exception": {}, "requestId": "f20a6450-d24a-4f87-a6be-1d4c075a59c2", "status": "INITIALIZED" } }, { "createStatus": "COMPLETED", "dataLakeArn": "arn:aws:securitylake:us-east-2:522481757177:data-lake/default", "encryptionConfiguration": { "kmsKeyId": "S3_MANAGED_KEY" }, "lifecycleConfiguration": { "expiration": { "days": 365 }, "transitions": [ { "days": 60, "storageClass": "ONEZONE_IA" } ] }, "region": "us-east-2", "replicationConfiguration": { "regions": [ "ap-northeast-3" ], "roleArn": "arn:aws:securitylake:ap-northeast-3:522481757177:data-lake/default" }, "s3BucketArn": "arn:aws:s3:::aws-security-data-lake-us-east-2-cehuifzl5rwmhm6m62h7zhvtseogr9", "updateStatus": { "exception": {}, "requestId": "f20a6450-d24a-4f87-a6be-1d4c075a59c2", "status": "INITIALIZED" } } ] }有关更多信息,请参阅亚马逊安全湖用户指南中的亚马逊安全湖入门。
示例 2:在单个区域中配置数据湖
以下
create-data-lake示例在单个 AWS 区域中启用 Amazon 安全湖并配置您的数据湖。aws securitylake create-data-lake \ --configurations '[{"encryptionConfiguration": {"kmsKeyId":"1234abcd-12ab-34cd-56ef-1234567890ab"},"region":"us-east-2","lifecycleConfiguration": {"expiration":{"days":500},"transitions":[{"days":30,"storageClass":"GLACIER"}]}}]' \ --meta-store-manager-role-arn"arn:aws:iam:us-east-1:123456789012:role/service-role/AmazonSecurityLakeMetaStoreManager"输出:
{ "dataLakes": [ { "createStatus": "COMPLETED", "dataLakeArn": "arn:aws:securitylake:us-east-2:522481757177:data-lake/default", "encryptionConfiguration": { "kmsKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }, "lifecycleConfiguration": { "expiration": { "days": 500 }, "transitions": [ { "days": 30, "storageClass": "GLACIER" } ] }, "region": "us-east-2", "replicationConfiguration": { "regions": [ "ap-northeast-3" ], "roleArn": "arn:aws:securitylake:ap-northeast-3:522481757177:data-lake/default" }, "s3BucketArn": "arn:aws:s3:::aws-security-data-lake-us-east-2-cehuifzl5rwmhm6m62h7zhvtseogr9", "updateStatus": { "exception": {}, "requestId": "77702a53-dcbf-493e-b8ef-518e362f3003", "status": "INITIALIZED" } } ] }有关更多信息,请参阅亚马逊安全湖用户指南中的亚马逊安全湖入门。
-
有关API详细信息,请参阅 “UpdateDataLake AWS CLI
命令参考”。
-
以下代码示例演示如何使用 update-subscriber-notification。
- AWS CLI
-
更新订阅者通知
以下
update-subscriber-notification示例说明如何更新订阅者的通知方法。aws securitylake update-subscriber-notification \ --subscriber-id"12345ab8-1a34-1c34-1bd4-12345ab9012"\ --configuration '{"httpsNotificationConfiguration": {"targetRoleArn":"arn:aws:iam::XXX:role/service-role/RoleName", "endpoint":"https://account-management.$3.$2.securitylake.aws.dev/v1/datalake"}}'输出:
{ "subscriberEndpoint": [ "https://account-management.$3.$2.securitylake.aws.dev/v1/datalake" ] }有关更多信息,请参阅 Amazon Security Lake 用户指南中的订阅者管理。
-
有关API详细信息,请参阅 “UpdateSubscriberNotification AWS CLI
命令参考”。
-
以下代码示例演示如何使用 update-subscriber。
- AWS CLI
-
更新 Amazon Security Lake 订阅者。
以下
update-subscriber示例更新了特定 Security Lake 订阅者的安全湖数据访问源。aws securitylake update-subscriber \ --subscriber-ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111输出:
{ "subscriber": { "accessTypes": [ "LAKEFORMATION" ], "createdAt": "2024-04-19T15:19:44.421803+00:00", "resourceShareArn": "arn:aws:ram:eu-west-2:123456789012:resource-share/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "resourceShareName": "LakeFormation-V3-TKJGBHCKTZ-123456789012", "sources": [ { "awsLogSource": { "sourceName": "LAMBDA_EXECUTION", "sourceVersion": "1.0" } }, { "awsLogSource": { "sourceName": "EKS_AUDIT", "sourceVersion": "2.0" } }, { "awsLogSource": { "sourceName": "ROUTE53", "sourceVersion": "1.0" } }, { "awsLogSource": { "sourceName": "SH_FINDINGS", "sourceVersion": "1.0" } }, { "awsLogSource": { "sourceName": "VPC_FLOW", "sourceVersion": "1.0" } }, { "customLogSource": { "attributes": { "crawlerArn": "arn:aws:glue:eu-west-2:123456789012:crawler/E1WG1ZNPRXT0D4", "databaseArn": "arn:aws:glue:eu-west-2:123456789012:database/E1WG1ZNPRXT0D4", "tableArn": "arn:aws:glue:eu-west-2:123456789012:table/E1WG1ZNPRXT0D4" }, "provider": { "location": "DOC-EXAMPLE-BUCKET--usw2-az1--x-s3", "roleArn": "arn:aws:iam::123456789012:role/AmazonSecurityLake-E1WG1ZNPRXT0D4" }, "sourceName": "testCustom2" } } ], "subscriberArn": "arn:aws:securitylake:eu-west-2:123456789012:subscriber/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "subscriberId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "subscriberIdentity": { "externalId": "123456789012", "principal": "123456789012" }, "subscriberName": "test", "subscriberStatus": "ACTIVE", "updatedAt": "2024-07-18T20:47:37.098000+00:00" } }有关更多信息,请参阅 Amazon Security Lake 用户指南中的订阅者管理。
-
有关API详细信息,请参阅 “UpdateSubscriber AWS CLI
命令参考”。
-
