Amazon Security Lake

Amazon Security Lake, initially introduced as a preview release at the 2022 re:Invent event, has now reached general availability. This powerful service allows organizations to centralize security data from various sources, including Amazon Web Services (AWS) environments, software as a service (SaaS) providers, on-premises systems, and cloud sources. The data is stored in a purpose-built data lake within the customer’s AWS account. With support for the Open Cybersecurity Schema Framework (OCSF), Amazon Security Lake normalizes and combines security data from AWS and a wide range of other security sources, providing analysts and security engineers with enhanced visibility to investigate and respond to security events. This article will delve into the workings of Amazon Security Lake, highlight popular use cases, and discuss recent updates since its preview launch.

Facilitate security investigations with elevated visibility

One of the key features of Amazon Security Lake is its ability to streamline security investigations. By aggregating, normalizing, and optimizing data storage in a single security data lake, Security Lake simplifies the process for security teams. The service automatically normalizes AWS logs and security findings to the OCSF schema, including various events such as AWS CloudTrail management events, Amazon VPC Flow Logs, Amazon Route 53 Resolver query logs, and AWS Security Hub security findings from Amazon security services and partner solutions. By centralizing security-related logs and findings in a unified format, Security Operations teams can save time and dedicate more resources to investigating security issues. This centralization eliminates the need to collect and normalize logs manually, freeing up valuable time for security analysts.

Simplify compliance monitoring and reporting

Amazon Security Lake enables customers to centralize security data into one or more rollup Regions, making it easier to manage compliance and reporting obligations across different regions. Monitoring compliance across multiple log sources, AWS Regions, and accounts can be challenging, but Security Lake simplifies the process by collecting and centralizing this evidence. Security teams can significantly reduce the time spent on log discovery and allocate more resources to compliance monitoring and reporting.

Analyze multiple years of security data quickly

Security Lake integrates with third-party security services, such as security information and event management (SIEM) and extended detection and response (XDR) tools, as well as popular data analytics services like Amazon Athena and Amazon OpenSearch Service. This integration allows security teams to analyze vast amounts of data efficiently. By gaining deep insights into their security data, organizations can take prompt action to protect against potential threats. Security Lake also enforces least-privilege controls by centralizing data and implementing robust access controls, ensuring that only authorized individuals can access the security lake.

Unify security data management across hybrid environments

With the centralized data repository provided by Security Lake, security teams gain a comprehensive view of security data across hybrid and multicloud environments. The service allows storage and analysis of security-related logs and data from various sources, including both cloud-based and on-premises systems. By leveraging automation and machine learning solutions, security teams can identify anomalies and potential security risks more efficiently, leading to better risk management and overall security posture.

Updates since the preview launch

Since the preview launch, Amazon has made several improvements to Amazon Security Lake. Logs and events from natively supported AWS services are now automatically normalized to the latest version of the Open Cybersecurity Schema Framework (OCSF). CloudTrail management events are now divided into three distinct OCSF event classes: Authentication, Account Change, and API Activity.

The usability of logs has been enhanced through improvements in resource names and schema mapping. Onboarding has been simplified with the introduction of automated AWS Identity and Access Management (IAM) role creation directly from the console. Additionally, users now have the flexibility to collect CloudTrail sources independently, including management events, Amazon S3 data events, and AWS Lambda events.

To improve query performance, Amazon Security Lake has transitioned from hourly to daily time partitioning in Amazon S3. This transition results in faster and more efficient data retrieval. Moreover, Amazon CloudWatch metrics have been added to enable proactive monitoring of the log ingestion process, aiding in the identification of collection gaps or surges.

Ecosystem integrations

Amazon Security Lake offers expanded support for third-party integrations, with the addition of 23 new partners. These integrations include both source partners and subscribing partners. Source partners such as Aqua SecurityClarotyConfluentDarktrace, and ExtraHop can now send data directly to Security Lake. Subscribing partners, including ChaosSearchNew Relic, Inc.RipjarSOC Prime, and Stellar Cyber, can integrate their tools and services with Security Lake. The service also works with numerous third-party security, automation, and analytics tools, such as DatadogIBMRapid7SentinelOne, and Splunk. Additionally, Security Lake has established partnerships with various service providers, including AccentureDeloittePwC, and Wipro, to deliver comprehensive solutions.

Get help from AWS Professional Services

AWS Professional Services offers expert guidance to help customers achieve their desired outcomes when using AWS. The teams of data architects and security engineers collaborate with customers to develop enterprise solutions. AWS Professional Services follows best practices and recommendations to support customers in integrating data into Security Lake. They provide ready-built data transformations, visualizations, and AI/ML workflows to help Security Operations teams realize value rapidly.


With the general availability of Amazon Security Lake, organizations can now leverage its powerful features to centralize, normalize, and optimize their security data. By utilizing the 15-day free trial, customers can experience the benefits firsthand and provide feedback on their experiences, use cases, and solutions. The comprehensive documentation, demo videos, and webinars available from Amazon assist users in getting started and building their first data lake. By adopting Security Lake, organizations can streamline their security incident detection and response across multicloud and hybrid environments, leading to improved security and better protection against potential threats.




Skip to content