Amazon Security Lake

Overview

Amazon Security Lake is a security data lake for aggregating and managing security log and event data.

This integration ingests security logs stored in Amazon Security Lake into Datadog for further investigation and real-time threat detection. To learn more about Amazon Security Lake, visit the Amazon Security Lake user guide in AWS.

Setup

Prerequisites

  1. Amazon Security Lake must be configured for your AWS account or AWS organization. See the Amazon Security Lake user guide for more details.
  2. You must have a Datadog account that is using both Datadog Log Management and Datadog Cloud SIEM.
  3. If you haven’t already, set up the Amazon Web Services integration for the AWS account where Amazon Security Lake is storing data.

Note: If you only want to integrate this AWS Account to use the Amazon Security Lake integration, you can disable metric collection in the AWS integration page so that Datadog doesn’t monitor your AWS infrastructure and you are not billed for Infrastructure Monitoring.

Log collection

  1. Add the following IAM policy to your existing DatadogIntegrationRole IAM role so that Datadog can ingest new log files added to your security lake.

    {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "DatadogSecurityLakeAccess",
              "Effect": "Allow",
              "Action": [
                  "s3:GetObject"
              ],
              "Resource": "arn:aws:s3:::aws-security-data-lake-*"
          }
      ]
    }

  2. In the AWS console for Amazon Security Lake, create a subscriber for Datadog and fill in the form. For more information on an Amazon Security Lake subscriber, read the Amazon Security Lake user guide.

    • Enter Datadog for Subscriber name.
    • Select All log and event sources or Specific log and event sources to send to Datadog.
    • Select S3 as the Data access method.

  1. In the same form, fill in the Subscriber Credentials.
    • For Account ID, enter 464622532012.

    • For External ID, open a new tab and go to the AWS Integration page in Datadog for your AWS Account. The AWS External ID is on the Account Details tab. Copy and paste it into the form on AWS.

    • For Subscriber role, enter DatadogSecurityLakeRole. Note: This role will not actually be used by Datadog since the DatadogIntegrationRole will have the permissions needed from step 1.

    • For API destination role, enter DatadogSecurityLakeAPIDestinationRole.

    • For Subscription endpoint, this value depends on the Datadog site you are using: https://api./api/intake/aws/securitylake

      Note: If the endpoint above doesn’t reflect your region, toggle the Datadog site dropdown menu to the right of this documentation page to switch regions.

    • For HTTPS key name, enter DD-API-KEY.

    • For HTTPS key value, open a new tab and go to the API Keys page in Datadog to find or create a Datadog API key. Copy and paste it into the form on AWS.

  1. In the same form, fill in the Subscriber Credentials.
    • For Account ID, enter 417141415827.

    • For External ID, open a new tab and go to the AWS Integration page in Datadog for your AWS Account. The AWS External ID is on the Account Details tab. Copy and paste it into the form on AWS.

    • For Subscriber role, enter DatadogSecurityLakeRole. Note: This role will not actually be used by Datadog since the DatadogIntegrationRole will have the permissions needed from step 1.

    • For API destination role, enter DatadogSecurityLakeAPIDestinationRole.

    • For Subscription endpoint, this value depends on the Datadog site you are using: https://api./api/intake/aws/securitylake

      Note: If the endpoint above doesn’t reflect your region, toggle the Datadog site dropdown menu to the right of this documentation page to switch regions.

    • For HTTPS key name, enter DD-API-KEY.

    • For HTTPS key value, open a new tab and go to the API Keys page in Datadog to find or create a Datadog API key. Copy and paste it into the form on AWS.

  1. Click Create to complete the subscriber creation.
  2. Wait several minutes, then start exploring your logs from Amazon Security Lake in Datadog’s log explorer.

To learn more about how you can use this integration for real-time threat detection, check out the blog.

Data Collected

Metrics

The Amazon Security Lake integration does not include any metrics.

Events

The Amazon Security Lake integration does not include any events.

Service Checks

The Amazon Security Lake integration does not include any service checks.

Troubleshooting

Permissions

Review the troubleshooting guide to make sure your AWS account has correctly set up the IAM role for Datadog.

Creating subscribers

Review the Amazon Security Lake user guide on creating a subscriber for troubleshooting guidance.

Need additional help? Contact Datadog support.

Further reading

Additional helpful documentation, links, and articles: