
Amazon Security Lake Alert Channel

Lacework integrates with Amazon Security Lake, a security data lake built on the OCSF (Open Cybersecurity Schema Framework) standard. Lacework is registered as a custom security data source and delivers security findings in near real time. These findings include software and Infrastructure-as-Code (IaC) vulnerabilities, cloud resource security misconfigurations, and security threat detections.

How it Works

Lacework security findings are sent to Amazon EventBridge and then delivered to an Amazon SQS queue. A Lambda function receives the findings from the queue, transforms them into OCSF format, and writes them as Parquet files to the Amazon Security Lake S3 bucket. Amazon Security Lake then ingests these files and the Lacework findings they contain. This integration uses the Amazon S3, Lambda, EventBridge, SQS and CloudWatch services, so it incurs AWS charges. Costs vary with the size of the environment and the number of security findings generated in it.
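The transformation stage described above, as an added example that is not Lacework's Lambda code: it drains an SQS batch of EventBridge-forwarded alerts, maps each alert onto the OCSF Security Finding class (class_uid 2001, category Findings), and derives the Security Lake partition prefix under which the resulting Parquet file would be written. The Lacework alert field names (alertId, alertName, severity, startTime, alertType), the EventBridge-envelope-in-SQS-body shape, the severity mapping and the ext/<source>/region=/accountId=/eventDay= partition layout are assumptions for illustration; check them against the S3 location shown by the Security Lake console and the alert payloads in your own CloudWatch logs. The sample event is constructed.

```python
"""Added example (not Lacework's code): Lacework alert -> OCSF Security Finding.

Assumed shapes: the SQS record body is the EventBridge event JSON and the
Lacework alert is its "detail" member. OCSF field names follow the
Security Finding class (class_uid 2001) of OCSF 1.0.
"""
import json
from datetime import datetime, timezone

OCSF_VERSION = "1.0.0"
CATEGORY_FINDINGS = 2          # OCSF category "Findings"
CLASS_SECURITY_FINDING = 2001  # OCSF class "Security Finding"
ACTIVITY_CREATE = 1            # activity_id "Create"

# Assumed Lacework severity labels -> OCSF severity_id (0 = Unknown ... 5 = Critical).
SEVERITY_MAP = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1}


def to_epoch_ms(iso_ts: str) -> int:
    """Convert an ISO-8601 UTC timestamp ('...Z') to epoch milliseconds (OCSF 'time')."""
    dt = datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))
    return int(dt.timestamp() * 1000)


def alert_to_ocsf(alert: dict) -> dict:
    """Map one (assumed-shape) Lacework alert onto an OCSF Security Finding record."""
    severity_id = SEVERITY_MAP.get(alert.get("severity", ""), 0)  # unknown label -> 0
    return {
        "category_uid": CATEGORY_FINDINGS,
        "class_uid": CLASS_SECURITY_FINDING,
        "activity_id": ACTIVITY_CREATE,
        # OCSF rule: type_uid = class_uid * 100 + activity_id
        "type_uid": CLASS_SECURITY_FINDING * 100 + ACTIVITY_CREATE,
        "severity_id": severity_id,
        "time": to_epoch_ms(alert["startTime"]),
        "metadata": {
            "version": OCSF_VERSION,
            "product": {"name": "Lacework", "vendor_name": "Lacework"},
            "original_time": alert["startTime"],
        },
        "finding": {
            "uid": str(alert["alertId"]),
            "title": alert["alertName"],
            "desc": alert.get("alertInfo", {}).get("description", ""),
            "types": [alert.get("alertType", "Unknown")],
        },
        # Keep the raw alert so nothing is lost when the schema mapping is incomplete.
        "unmapped": {"source_alert": json.dumps(alert, sort_keys=True)},
    }


def partition_prefix(source_name: str, region: str, account_id: str, event_ms: int) -> str:
    """Assumed Security Lake custom-source partition layout, keyed by the finding's UTC day."""
    day = datetime.fromtimestamp(event_ms / 1000, tz=timezone.utc).strftime("%Y%m%d")
    return f"ext/{source_name}/region={region}/accountId={account_id}/eventDay={day}/"


def transform_sqs_batch(sqs_event: dict) -> list:
    """Lambda-handler style entry point: SQS batch -> list of OCSF finding dicts."""
    findings = []
    for record in sqs_event["Records"]:
        envelope = json.loads(record["body"])   # EventBridge event forwarded to SQS
        findings.append(alert_to_ocsf(envelope["detail"]))
    return findings


# Constructed sample alert and SQS event (not captured from a real environment).
SAMPLE_ALERT = {
    "alertId": 1234,
    "alertName": "New Privilege Escalation",
    "alertType": "NewPrivilegeEscalation",
    "severity": "High",
    "startTime": "2024-03-05T10:15:30Z",
    "alertInfo": {"description": "Process escalated privileges on host example-host"},
}
SAMPLE_SQS_EVENT = {
    "Records": [
        {"messageId": "m-1", "body": json.dumps({"source": "lacework", "detail": SAMPLE_ALERT})}
    ]
}

if __name__ == "__main__":
    for f in transform_sqs_batch(SAMPLE_SQS_EVENT):
        print(partition_prefix("lacework", "us-east-1", "123456789012", f["time"]))
        print(json.dumps(f, indent=2))
```

In the real pipeline the list of dicts is written out with a Parquet writer (for example pyarrow) rather than printed; what the example shows is the mapping that must stay consistent with the OCSF event class selected when the custom source is created, and the severity fallback to 0 (Unknown) so an unexpected label does not drop the finding.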

CloudFormation Deployment

CloudFormation is used to configure the Lacework integration with Amazon Security Lake. The CloudFormation template creates the EventBridge rules, IAM permissions, SNS topic, SQS queue, Lambda event transformation function and the Lacework outbound security alert channel.

Prerequisites

Verify the following prerequisites are met before proceeding:

Create the Amazon Security Lake Custom Source for Lacework Security Findings

Do the following:

  1. Open the Security Lake console at https://console.aws.amazon.com/securitylake/.
  2. Select the region where you want to create the custom source, in the upper-right corner of the page.
  3. Choose Custom sources in the navigation pane, and then choose Create custom source.
  4. In the Custom source details section, enter lacework for your custom source name. Then, select the Security Finding OCSF event class.
  5. Enter the AWS account ID from which the Lacework Amazon Security Lake Alert Channel will be deployed. This account will write logs and events to the data lake.
  6. For the AWS account with permissions to write logs and events to the data lake using the Lacework Amazon Security Lake Alert Channel, enter the AWS account ID and External ID. The External ID is a random alphanumeric identifier that is used to prevent unauthorized access to your AWS resources.
  7. For Service Access, create a new IAM role or use an existing IAM role that gives Security Lake permission to invoke the AWS Glue crawler.
  8. Choose Create.
  9. After the custom source is created, take note of the Amazon Security Lake S3 location.

Deploy the CloudFormation Template

Follow these steps:

  1. Select the Launch Stack button to go to your CloudFormation console and launch the template.

    For most deployments, you only need the Basic Configuration parameters.

  2. Specify the following Basic Configuration parameters:

    • Enter a Stack name for the stack.
    • Enter the Amazon Security Lake S3 Location. Enter the S3 location that was provided when you set up the Amazon Security Lake Custom Source for Lacework.
    • Enter the Amazon Security Lake Role ARN. Enter the Amazon Security Lake Role ARN that was created when you set up the Amazon Security Lake Custom Source for Lacework. It follows the naming scheme arn:aws:iam::<AWS account ID>:role/AmazonSecurityLake-Provider-<custom source name>-<region>.
    • Enter Your Lacework URL.
    • If your Lacework instance has the Organization feature enabled, enter the Lacework Sub-Account Name. Otherwise, leave this field blank.
    • Enter your Lacework Access Key ID and Lacework Secret Key that you copied from your API Keys file. See Generate API Access Keys and Tokens.
  3. Click Next through to your stack Review.

  4. Accept the AWS CloudFormation terms and click Create stack.

note

The Amazon Security Lake S3 bucket whose location is provided when you create the custom source lives in your AWS account, so you control its retention. You can configure a data retention policy that deletes findings automatically after a period of time by adding an S3 Lifecycle expiration rule to that bucket. See S3 - Managing your storage lifecycle to learn how to configure this.

Troubleshooting

To troubleshoot this integration, monitor the CloudWatch logs of the two Lambda functions the stack creates. The first Lambda function performs the initial setup during the CloudFormation deployment. The second Lambda function transforms Lacework security alerts into OCSF (https://schema.ocsf.io/) security findings for Amazon Security Lake. For additional assistance, contact Lacework Support.

Initial Setup Troubleshooting

Some initial setup during the CloudFormation deployment is handled by a Lambda function named stack-name-LaceworkAmazonSecurityLakeSetupFunction-xxxx. Specifically, it configures the Lacework Alert Channel and Alert Rules that are required to send Lacework security alerts to the second Lambda function for transformation into OCSF for Amazon Security Lake. If the stack deploys but no findings ever arrive, check this function's log first: a failed alert channel or alert rule creation means nothing is ever sent.

To investigate any issues, complete the following steps:

  1. Go to Lambda in your AWS management console.
  2. Find the Lambda function with the name stack-name-LaceworkAmazonSecurityLakeSetupFunction-xxxx.
  3. Click the Monitor tab.
  4. Click View logs in CloudWatch to launch CloudWatch into a new tab.
  5. View the Log stream debug for errors.

Security Findings Event Troubleshooting

If Lacework security alerts are not being transformed to OCSF for Amazon Security Lake, investigate the event transformation Lambda function, stack-name-LaceworkAmazonSecurityLakeEventFunction-xxxx. It transforms Lacework security alerts into the OCSF Security Finding format and delivers them as Parquet files to the Amazon Security Lake S3 bucket. To investigate any issues, use the following steps:

  1. Go to Lambda in your AWS management console.
  2. Find the Lambda function with the name stack-name-LaceworkAmazonSecurityLakeEventFunction-xxxx.
  3. Click the Monitor tab.
  4. Click View logs in CloudWatch to launch CloudWatch into a new tab.
  5. View the Log stream debug for errors.

Updates

Updates to the integration, including updates required by OCSF schema changes, are delivered as updates to the CloudFormation template. Applying an updated template may change the integration's architecture and replace the Lambda functions, so re-run the stack update rather than editing the deployed resources by hand.