Syntax Properties Return values Examples

AWS::SecurityLake::AwsLogSource

Adds a natively supported AWS service as an AWS source. Enables source types for member accounts in required AWS Regions, based on the parameters you specify. You can choose any source type in any Region for either accounts that are part of a trusted organization or standalone accounts. Once you add an AWS service as a source, Security Lake starts collecting logs and events from it.

Important

If you want to create multiple sources using AWS::SecurityLake::AwsLogSource, you must use the DependsOn attribute to create the sources sequentially. With the DependsOn attribute you can specify that the creation of a specific AWSLogSourcefollows another. When you add a DependsOn attribute to a resource, that resource is created only after the creation of the resource specified in the DependsOn attribute. For an example, see Add AWS log sources.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON


{
  "Type" : "AWS::SecurityLake::AwsLogSource",
  "Properties" : {
      "Accounts" : [ String, ... ],
      "DataLakeArn" : String,
      "SourceName" : String,
      "SourceVersion" : String
    }
}

YAML


Type: AWS::SecurityLake::AwsLogSource
Properties:
  Accounts: 
    - String
  DataLakeArn: String
  SourceName: String
  SourceVersion: String

Properties

Accounts

Specify the AWS account information where you want to enable Security Lake.

Required: No

Type: Array of String

Update requires: No interruption

DataLakeArn

The Amazon Resource Name (ARN) used to create the data lake.

Required: Yes

Type: String

Minimum: 1

Maximum: 256

Update requires: Replacement

SourceName

The name for a AWS source. This must be a Regionally unique value. For the list of sources supported by Amazon Security Lake see Collecting data from AWS services in the Amazon Security Lake User Guide.

Required: Yes

Type: String

Update requires: Replacement

SourceVersion

The version for a AWS source. For more details about source versions supported by Amazon Security Lake see OCSF source identification in the Amazon Security Lake User Guide. This must be a Regionally unique value.

Required: Yes

Type: String

Pattern: ^(latest|[0-9]\.[0-9])$

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic ref function, ref returns the AwsLogSource name. For example, VPC_FLOW.

For more information about using the Ref function, see Ref.

Examples

Add AWS log sources

After deploying Security Lake, use this example to add AWS log sources.

JSON


{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Security Lake Already Deployed",
"Resources": {
    "SecurityLakeSourcesRoute53": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "DataLakeArn": {
                "Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
            },
            "SourceName": "ROUTE53",
            "SourceVersion": 2
        }
    },
    "SecurityLakeSourcesSecurityHub": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "DataLakeArn": {
                "Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
            },
            "SourceName": "SH_FINDINGS",
            "SourceVersion": 2
        },
        "DependsOn": "SecurityLakeSourcesRoute53"
    },
    "SecurityLakeSourcesVPCFlow": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "DataLakeArn": {
                "Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
            },
            "SourceName": "VPC_FLOW",
            "SourceVersion": 2
        },
        "DependsOn": "SecurityLakeSourcesSecurityHub"
    },
    "SecurityLakeSourcesCloudTrailMgmt": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "DataLakeArn": {
                "Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
            },
            "SourceName": "CLOUD_TRAIL_MGMT",
            "SourceVersion": 2
        },
        "DependsOn": "SecurityLakeSourcesVPCFlow"
    },
    "SecurityLakeSourcesLambdaExecution": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "DataLakeArn": {
                "Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
            },
            "SourceName": "LAMBDA_EXECUTION",
            "SourceVersion": 2
        },
        "DependsOn": "SecurityLakeSourcesCloudTrailMgmt"
    },
    "SecurityLakeSourcesS3": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "DataLakeArn": {
                "Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
            },
            "SourceName": "S3_DATA",
            "SourceVersion": 2
        },
        "DependsOn": "SecurityLakeSourcesLambdaExecution"
    },
    "SecurityLakeSourcesEKSAudit": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "DataLakeArn": {
                "Fn::Sub": "arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default"
            },
            "SourceName": "EKS_AUDIT",
            "SourceVersion": 2
        },
        "DependsOn": "SecurityLakeSourcesS3"
    }
}
}

YAML



AWSTemplateFormatVersion: '2010-09-09'
Description: Security Lake Already Deployed
Resources:
  SecurityLakeSourcesRoute53:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
      SourceName: ROUTE53
      SourceVersion: 2
  SecurityLakeSourcesSecurityHub:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
      SourceName: SH_FINDINGS
      SourceVersion: 2
    DependsOn: SecurityLakeSourcesRoute53
  SecurityLakeSourcesVPCFlow:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
      SourceName: VPC_FLOW
      SourceVersion: 2
    DependsOn: SecurityLakeSourcesSecurityHub
  SecurityLakeSourcesCloudTrailMgmt:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
      SourceName: CLOUD_TRAIL_MGMT
      SourceVersion: 2
    DependsOn: SecurityLakeSourcesVPCFlow
  SecurityLakeSourcesLambdaExecution:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
      SourceName: LAMBDA_EXECUTION
      SourceVersion: 2
    DependsOn: SecurityLakeSourcesCloudTrailMgmt
  SecurityLakeSourcesS3:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
      SourceName: S3_DATA
      SourceVersion: 2
    DependsOn: SecurityLakeSourcesLambdaExecution
  SecurityLakeSourcesEKSAudit:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      DataLakeArn: !Sub arn:aws:securitylake:${AWS::Partition}:${AWS::AccountId}:data-lake/default
      SourceName: EKS_AUDIT
      SourceVersion: 2
    DependsOn: SecurityLakeSourcesS3

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Amazon Security Lake

AWS::SecurityLake::DataLake