---
title: Amazon Security Lake
description: >-
  Amazon Security Lake is a security data lake for aggregating and managing
  security log and event data.
---

# Amazon Security Lake

## Overview{% #overview %}

Amazon Security Lake is a security data lake for aggregating and managing security log and event data.

This integration ingests security logs stored in Amazon Security Lake into Datadog for further investigation and real-time threat detection. To learn more about Amazon Security Lake, visit the [Amazon Security Lake user guide](https://docs.aws.amazon.com/security-lake/latest/userguide/) in AWS.

## Setup{% #setup %}

### Prerequisites{% #prerequisites %}

1. Amazon Security Lake must be configured for your AWS account or AWS organization. See the [Amazon Security Lake user guide](https://docs.aws.amazon.com/security-lake/latest/userguide/) for more details.
1. You must have a Datadog account that is using both [Datadog Log Management](https://www.datadoghq.com/product/log-management/) and [Datadog Cloud SIEM](https://www.datadoghq.com/product/cloud-security-management/cloud-siem/).
1. If you haven't already, set up the [Amazon Web Services integration](https://docs.datadoghq.com/integrations/amazon_web_services/) for the AWS account where Amazon Security Lake is storing data.

**Note:** If you are integrating this AWS account only to use the Amazon Security Lake integration, you can disable metric collection in the [AWS integration page](https://app.datadoghq.com/integrations/amazon-web-services?panel=metric-collection) so that Datadog doesn't monitor your AWS infrastructure and you are not billed for [Infrastructure Monitoring](https://www.datadoghq.com/product/infrastructure-monitoring/).

### Log collection{% #log-collection %}

1. Add the following IAM policy to your existing `DatadogIntegrationRole` IAM role so that Datadog can ingest new log files added to your security lake.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DatadogSecurityLakeAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::aws-security-data-lake-*"
    }
  ]
}
```

2. In the AWS console for Amazon Security Lake, create a subscriber for Datadog and fill in the form. For more information on Amazon Security Lake subscribers, read the [Amazon Security Lake user guide](https://docs.aws.amazon.com/security-lake/latest/userguide/).
- Enter `Datadog` for Subscriber name.
- Select `All log and event sources` or `Specific log and event sources` to send to Datadog.
- Select `S3` as the Data access method.

{% callout %}
# Important note for users on the following Datadog sites: app.datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, app.datadoghq.eu, app.ddog-gov.com



3. In the same form, fill in the Subscriber Credentials.

- For **Account ID**, enter `464622532012`.

- For **External ID**, open a new tab and go to the [AWS Integration page](https://app.datadoghq.com/integrations/amazon-web-services?panel=account-details) in Datadog for your AWS Account. The **AWS External ID** is on the **Account Details** tab. Copy and paste it into the form on AWS.

- For **Subscriber role**, enter `DatadogSecurityLakeRole`. **Note:** This role will not actually be used by Datadog since the `DatadogIntegrationRole` will have the permissions needed from step 1.

- For **API destination role**, enter `DatadogSecurityLakeAPIDestinationRole`.

- For **Subscription endpoint**, enter `https://api.<DATADOG_SITE>/api/intake/aws/securitylake`, where `<DATADOG_SITE>` is a placeholder for the [Datadog site](https://docs.datadoghq.com/getting_started/site/) you are using.

- For **HTTPS key name**, enter `DD-API-KEY`.

- For **HTTPS key value**, open a new tab and go to the [API Keys page](https://app.datadoghq.com/organization-settings/api-keys) in Datadog to find or create a Datadog API key. Copy and paste it into the form on AWS.


{% /callout %}

{% callout %}
# Important note for users on the following Datadog sites: ap1.datadoghq.com



3. In the same form, fill in the Subscriber Credentials.

- For **Account ID**, enter `417141415827`.

- For **External ID**, open a new tab and go to the [AWS Integration page](https://app.datadoghq.com/integrations/amazon-web-services?panel=account-details) in Datadog for your AWS Account. The **AWS External ID** is on the **Account Details** tab. Copy and paste it into the form on AWS.

- For **Subscriber role**, enter `DatadogSecurityLakeRole`. **Note:** This role will not actually be used by Datadog since the `DatadogIntegrationRole` will have the permissions needed from step 1.

- For **API destination role**, enter `DatadogSecurityLakeAPIDestinationRole`.

- For **Subscription endpoint**, enter `https://api.<DATADOG_SITE>/api/intake/aws/securitylake`, where `<DATADOG_SITE>` is a placeholder for the [Datadog site](https://docs.datadoghq.com/getting_started/site/) you are using.

- For **HTTPS key name**, enter `DD-API-KEY`.

- For **HTTPS key value**, open a new tab and go to the [API Keys page](https://app.datadoghq.com/organization-settings/api-keys) in Datadog to find or create a Datadog API key. Copy and paste it into the form on AWS.


{% /callout %}

{% callout %}
# Important note for users on the following Datadog sites: ap2.datadoghq.com



3. In the same form, fill in the Subscriber Credentials.

- For **Account ID**, enter `412381753143`.

- For **External ID**, open a new tab and go to the [AWS Integration page](https://app.datadoghq.com/integrations/amazon-web-services?panel=account-details) in Datadog for your AWS Account. The **AWS External ID** is on the **Account Details** tab. Copy and paste it into the form on AWS.

- For **Subscriber role**, enter `DatadogSecurityLakeRole`. **Note:** This role will not actually be used by Datadog since the `DatadogIntegrationRole` will have the permissions needed from step 1.

- For **API destination role**, enter `DatadogSecurityLakeAPIDestinationRole`.

- For **Subscription endpoint**, enter `https://api.<DATADOG_SITE>/api/intake/aws/securitylake`, where `<DATADOG_SITE>` is a placeholder for the [Datadog site](https://docs.datadoghq.com/getting_started/site/) you are using.

- For **HTTPS key name**, enter `DD-API-KEY`.

- For **HTTPS key value**, open a new tab and go to the [API Keys page](https://app.datadoghq.com/organization-settings/api-keys) in Datadog to find or create a Datadog API key. Copy and paste it into the form on AWS.


{% /callout %}

4. Click **Create** to complete the subscriber creation.
5. Wait several minutes, then start exploring your logs from Amazon Security Lake in [Datadog's log explorer](https://app.datadoghq.com/logs?query=source%3Aamazon-security-lake&cols=host%2Cservice%2C%40task_name%2C%40identity.user.type%2Caws.source%2C%40network.client.ip%2C%40identity.session.mfa%2C%40evt.name%2C%40connection_info.direction&index=%2A&messageDisplay=inline).

To learn more about how you can use this integration for real-time threat detection, check out the [blog](https://www.datadoghq.com/blog/analyze-amazon-security-lake-logs-with-datadog).
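
The following Python check is an added example, not part of Datadog's documentation. It audits an identity policy against the grant from step 1 and shows which object ARNs the wildcard `Resource` covers. The `TOO_BROAD` policy, the bucket names used with it, and all function names are constructed for illustration; the evaluation ignores `Deny` statements and `Condition` blocks.

```python
import re

# Statement from step 1 of this page; TOO_BROAD is a constructed counter-example.
DOCUMENTED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DatadogSecurityLakeAccess", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::aws-security-data-lake-*"}]}
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Drifted", "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]}

LAKE_PREFIX = "arn:aws:s3:::aws-security-data-lake-"
ALLOWED_ACTIONS = {"s3:getobject"}  # compared lower-cased: IAM action names are case-insensitive

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def iam_match(pattern, value, ignore_case=False):
    """IAM wildcards: '*' is any run of characters (including '/'), '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.S | (re.I if ignore_case else 0)
    return re.fullmatch(regex, value, flags) is not None

def audit_policy(policy):
    """List every way an Allow statement exceeds the grant documented in step 1."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants by exclusion")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action} exceeds s3:GetObject")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.startswith(LAKE_PREFIX):
                findings.append(f"{sid}: resource {resource} reaches beyond security lake buckets")
    return findings

def allows_get(policy, object_arn):
    """True if an Allow statement (Action/Resource form) grants s3:GetObject on object_arn."""
    return any(
        stmt.get("Effect") == "Allow"
        and any(iam_match(a, "s3:GetObject", ignore_case=True) for a in _as_list(stmt.get("Action", [])))
        and any(iam_match(r, object_arn) for r in _as_list(stmt.get("Resource", [])))
        for stmt in _as_list(policy.get("Statement", []))
    )
```

Run `audit_policy` on the policy documents actually attached to `DatadogIntegrationRole` to catch drift from the documented grant; an empty list means nothing broader than `s3:GetObject` on the security lake buckets was found.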

## Data Collected{% #data-collected %}

### Metrics{% #metrics %}

The Amazon Security Lake integration does not include any metrics.

### Events{% #events %}

The Amazon Security Lake integration does not include any events.

### Service Checks{% #service-checks %}

The Amazon Security Lake integration does not include any service checks.

## Troubleshooting{% #troubleshooting %}

### Permissions{% #permissions %}

Review the [troubleshooting guide](https://docs.datadoghq.com/integrations/guide/error-datadog-not-authorized-sts-assume-role/#pagetitle) to make sure your AWS account has correctly set up the IAM role for Datadog.

### Creating subscribers{% #creating-subscribers %}

Review the [Amazon Security Lake user guide](https://docs.aws.amazon.com/security-lake/latest/userguide/) on creating a subscriber for troubleshooting guidance.

Need additional help? Contact [Datadog support](https://docs.datadoghq.com/help/).

## Further Reading{% #further-reading %}

- [Highlights from AWS re:Invent 2022](https://www.datadoghq.com/blog/aws-reinvent-2022-recap/)
