Security

Building a Security Data Lake with Amazon Security Lake - Unified Analysis in OCSF Format

Learn about Security Lake's automatic aggregation of CloudTrail, VPC Flow Logs, and Route 53 logs, OCSF normalization, and integration with subscribers.

約 3 分で読めます

Overview of Security Lake

Security Lake is a service that automatically aggregates and normalizes security data from AWS and third-party sources. Previously, security analysis required collecting and transforming CloudTrail logs, VPC Flow Logs, and GuardDuty findings individually, but Security Lake automatically converts these into OCSF format and aggregates them into an S3-based data lake. Data is stored in Apache Iceberg table format and can be queried directly with SQL from Athena.

Data Sources and OCSF Normalization

Security Lake automatically collects 8 types of AWS-native data sources: CloudTrail management events, CloudTrail data events, VPC Flow Logs, Route 53 Resolver logs, Security Hub, Lambda execution logs, EKS audit logs, and WAF logs. Third-party data sources (CrowdStrike, Palo Alto Networks, etc.) can also be added as custom sources. OCSF is an open framework that converts security events from different sources into a unified schema, enabling queries using the same column names and data types regardless of source.

Subscribers and Analysis

Subscribers are consumers that access data in the data lake. Data access subscribers can query data directly on S3, analyzing it with Athena or Redshift Spectrum. Query access subscribers receive SQS notifications when new data arrives, enabling real-time analysis pipelines. SIEM tools such as Splunk and Datadog can be configured as subscribers to integrate Security Lake data into existing security operations tools. To deepen your understanding of Security Lake, specialized books on Amazon can also be helpful.

Security Lake Pricing

Security Lake pricing consists of data ingestion volume and storage volume. Data ingestion from AWS-native sources costs approximately 0.75 USD per GB, with S3 storage charges applied separately. Since data is stored in Apache Iceberg format, Athena query costs are based on S3 scan volume (approximately 5 USD per TB). Set data retention periods per region and tier older data to Glacier automatically to reduce storage costs. When enabling across an entire Organization, a phased rollout starting with high-log-volume accounts and monitoring costs along the way is recommended.

Summary

Security Lake is a data lake service that automatically aggregates AWS security data in OCSF format. Organizations integration centralizes security data across the entire organization, enabling cross-cutting analysis with Athena and SIEM tools. It is particularly effective as a security operations foundation for large-scale organizations.

Related Services

Amazon Security LakeA data lake service that centralizes security data in OCSF formatAmazon AthenaA serverless query service that lets you analyze data in S3 using standard SQLAWS Security HubCentrally manage your AWS security posture and automatically check compliance with best practices

Related Articles

Investigating Security Incidents with Amazon Detective - Root Cause Identification Through Graph AnalysisLearn about investigating GuardDuty findings with Detective, entity profiles, and leveraging behavior graphs.Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.BI Dashboard Visualization - Building a Data-Driven Decision Platform with Amazon QuickSightExplains how to build interactive BI dashboards with Amazon QuickSight and a serverless data analytics platform with Athena integration. Covers high-speed visualization with the SPICE engine and practical methods for sharing insights across the organization.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

Amazon Security LakeA service that automatically normalizes security data from CloudTrail, VPC Flow Logs, Route 53 Resolver logs, and other sources into OCSF format, centralizing it in an S3-based security data lakeAWS Lake FormationA service that centralizes data lake construction, management, and security, providing column-level and row-level fine-grained access control for data on S3AWS Lake FormationA service that simplifies building, managing, and securing data lakesCentralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.