Amazon Security Lake is a security data lake for aggregating and managing security log and event data.
This integration ingests security logs stored in Amazon Security Lake into Datadog for further investigation and real-time threat detection. To learn more about Amazon Security Lake, visit the Amazon Security Lake user guide in AWS.
If you haven’t already, set up the Amazon Web Services integration for the AWS account where Amazon Security Lake is storing data.
Note: If you only want to integrate this AWS account in order to use the Amazon Security Lake integration, you can disable metric collection on the AWS integration page so that Datadog doesn’t monitor your AWS infrastructure and you are not billed for Infrastructure Monitoring.
In the AWS console for Amazon Security Lake, create a subscriber for Datadog and fill in the form. For more information on an Amazon Security Lake subscriber, read the Amazon Security Lake user guide.
Enter Datadog for Subscriber name.
Select All log and event sources or Specific log and event sources to send to Datadog.
Select S3 as the Data access method.
In the same form, fill in the Subscriber Credentials.
For Account ID, enter 464622532012.
For External ID, open a new tab and go to the AWS Integration page in Datadog for your AWS Account. The AWS External ID is on the Account Details tab. Copy and paste it into the form on AWS.
For Subscriber role, enter DatadogSecurityLakeRole. Note: This role will not actually be used by Datadog since the DatadogIntegrationRole will have the permissions needed from step 1.
For API destination role, enter DatadogSecurityLakeAPIDestinationRole.
For Subscription endpoint, enter the value for the Datadog site you are using: https://api.datadoghq.com/api/intake/aws/securitylake
Note: If the endpoint above doesn’t reflect your region, toggle the Datadog site dropdown menu to the right of this documentation page to switch regions.
For HTTPS key name, enter DD-API-KEY.
For HTTPS key value, open a new tab and go to the API Keys page in Datadog to find or create a Datadog API key. Copy and paste it into the form on AWS.
In the same form, fill in the Subscriber Credentials.
For Account ID, enter 417141415827.
For External ID, open a new tab and go to the AWS Integration page in Datadog for your AWS Account. The AWS External ID is on the Account Details tab. Copy and paste it into the form on AWS.
For Subscriber role, enter DatadogSecurityLakeRole. Note: This role will not actually be used by Datadog since the DatadogIntegrationRole will have the permissions needed from step 1.
For API destination role, enter DatadogSecurityLakeAPIDestinationRole.
For Subscription endpoint, enter the value for the Datadog site you are using: https://api.datadoghq.com/api/intake/aws/securitylake
Note: If the endpoint above doesn’t reflect your region, toggle the Datadog site dropdown menu to the right of this documentation page to switch regions.
For HTTPS key name, enter DD-API-KEY.
For HTTPS key value, open a new tab and go to the API Keys page in Datadog to find or create a Datadog API key. Copy and paste it into the form on AWS.
Click Create to complete the subscriber creation.
Wait several minutes, then start exploring your logs from Amazon Security Lake in Datadog’s log explorer.
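A post-setup check, added here as an example (not Datadog's or AWS's code): it audits a subscriber record against the values entered in the steps above, so that Security Lake data is only shared with the intended principal and endpoint. The record field names (`subscriberIdentity`, `accessTypes`, `subscriberEndpoint`) are assumed to follow the Security Lake subscriber resource, and the sample records and external ID are constructed.

```python
from urllib.parse import urlsplit

# Values taken from the setup steps on this page.
DATADOG_ACCOUNT_IDS = {"464622532012", "417141415827"}
ENDPOINT_PATH = "/api/intake/aws/securitylake"
# Only the endpoint host shown on this page; add the host for your Datadog site.
DEFAULT_HOSTS = frozenset({"api.datadoghq.com"})


def audit_subscriber(sub, expected_external_id, allowed_hosts=DEFAULT_HOSTS):
    """Return a list of findings for one subscriber record (empty list = OK)."""
    findings = []
    identity = sub.get("subscriberIdentity") or {}
    if identity.get("principal") not in DATADOG_ACCOUNT_IDS:
        findings.append("principal is not a Datadog account ID from the setup steps")
    # The external ID ties the subscription to your own Datadog account.
    if not identity.get("externalId"):
        findings.append("external ID is missing")
    elif identity["externalId"] != expected_external_id:
        findings.append("external ID does not match the Datadog Account Details tab")
    if sub.get("accessTypes") != ["S3"]:
        findings.append("data access method is not S3 only")
    url = urlsplit(sub.get("subscriberEndpoint") or "")
    if url.scheme != "https":
        findings.append("subscription endpoint is not HTTPS")
    if url.hostname not in allowed_hosts:
        findings.append(f"endpoint host {url.hostname!r} is not an expected Datadog site")
    if url.path.rstrip("/") != ENDPOINT_PATH:
        findings.append("endpoint path is not the Security Lake intake path")
    return findings


# Constructed sample records (not real subscriber data).
GOOD = {
    "subscriberName": "Datadog",
    "subscriberIdentity": {"principal": "464622532012",
                           "externalId": "constructed-external-id"},
    "accessTypes": ["S3"],
    "subscriberEndpoint": "https://api.datadoghq.com/api/intake/aws/securitylake",
}
BAD = {
    "subscriberName": "Datadog",
    "subscriberIdentity": {"principal": "111111111111", "externalId": ""},
    "accessTypes": ["LAKEFORMATION"],
    "subscriberEndpoint": "http://collector.example.net/ingest",
}

if __name__ == "__main__":
    for record in (GOOD, BAD):
        print(audit_subscriber(record, "constructed-external-id"))
```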
To learn more about how you can use this integration for real-time threat detection, check out the blog.