Amazon Security Lake is a security data lake for aggregating and managing security log and event data.
This integration ingests security logs stored in Amazon Security Lake into Datadog for further investigation and real-time threat detection. To learn more about Amazon Security Lake, visit the Amazon Security Lake user guide in AWS.
Setup
Prerequisites
Amazon Security Lake must be configured for your AWS account or AWS organization. See the Amazon Security Lake user guide for more details.
If you haven’t already, set up the Amazon Web Services integration for the AWS account where Amazon Security Lake is storing data.
Note: If you are adding this AWS account only for the Amazon Security Lake integration, you can disable metric collection on the AWS integration page so that Datadog does not monitor your AWS infrastructure and you are not billed for Infrastructure Monitoring.
Log collection
Add the IAM policy from the Datadog setup instructions (not reproduced on this page) to your existing DatadogIntegrationRole IAM role so that Datadog can read new log files written to your security lake. Datadog assumes this role, not the subscriber role you create in the next step, so the read permission must live on DatadogIntegrationRole.
In the AWS console for Amazon Security Lake, create a subscriber for Datadog and fill in the form. For more information on an Amazon Security Lake subscriber, read the Amazon Security Lake user guide.
Enter Datadog for Subscriber name.
Select All log and event sources or Specific log and event sources to send to Datadog.
Select S3 as the Data access method.
In the same form, fill in the Subscriber Credentials. The account ID, external ID, subscription endpoint and API key below all belong to the same Datadog site.
For Account ID, enter the Datadog AWS account ID that corresponds to your Datadog site: 464622532012 or 417141415827. It should be the same account that appears as the trusted principal in the trust policy of your DatadogIntegrationRole; if the two differ, Datadog cannot assume the role and no logs arrive.
For External ID, open a new tab and go to the AWS Integration page in Datadog for your AWS account. The AWS External ID is on the Account Details tab. Copy and paste it into the form on AWS. The external ID is the confused-deputy protection on the role, so it must match the sts:ExternalId condition in the trust policy exactly.
For Subscriber role, enter DatadogSecurityLakeRole. Note: Datadog does not actually use this role; the DatadogIntegrationRole updated in the log collection step above already has the permissions needed.
For API destination role, enter DatadogSecurityLakeAPIDestinationRole.
For Subscription endpoint, enter https://api.<DATADOG_SITE>/api/intake/aws/securitylake, replacing <DATADOG_SITE> with the domain of the Datadog site your organization uses (for example datadoghq.com or datadoghq.eu).
For HTTPS key name, enter DD-API-KEY.
For HTTPS key value, open a new tab and go to the API Keys page in Datadog to find or create a Datadog API key. Copy and paste it into the form on AWS. Security Lake sends this key as a request header on every notification, so treat it as a secret and rotate it from the API Keys page if it is ever exposed.
Click Create to complete the subscriber creation.
Wait several minutes, then start exploring your logs from Amazon Security Lake in Datadog’s log explorer.
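The subscriber form above fails silently when the Account ID or External ID does not match what the DatadogIntegrationRole trusts: the subscriber is created, but Datadog never manages to assume the role. The following script is an added example, not code from Datadog or AWS. It checks the values you are about to enter against the role's trust policy, builds the subscription endpoint for a given Datadog site, and assembles the equivalent CreateSubscriber and CreateSubscriberNotification requests so the same setup can be scripted. The trust policy, external ID, AWS account ID and API key value are constructed samples, and the API field names and the sample sourceName are the author's reading of the Security Lake API, not something this page specifies.

```python
"""Pre-flight check for the Datadog subscriber form in Amazon Security Lake.

Added example, not Datadog's or AWS's code. It checks that the subscriber identity
(Datadog's AWS account ID plus the External ID from the Datadog AWS integration page)
matches the trust policy of your DatadogIntegrationRole, builds the subscription
endpoint for your Datadog site, and assembles the equivalent API requests.
The trust policy, IDs and key values below are constructed samples.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Account IDs from the setup steps above; which one applies depends on the Datadog site.
DATADOG_ACCOUNT_IDS = {"464622532012", "417141415827"}


@dataclass
class SubscriberIdentity:
    principal: str    # the "Account ID" field of the subscriber form
    external_id: str  # the "External ID" field of the subscriber form


def trusted_principals(trust_policy: dict) -> list[tuple[str, str | None]]:
    """(account_id, external_id) for every Allow sts:AssumeRole statement. IAM accepts
    Principal as "*", one ARN or {"AWS": str | [str]}; sts:ExternalId is optional."""
    pairs = []
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        arns = [arns] if isinstance(arns, str) else arns
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        for arn in arns:
            match = re.search(r"\d{12}", arn)  # account ID inside arn:aws:iam::<id>:root
            pairs.append((match.group(0) if match else arn, ext))
    return pairs


def check_subscriber_identity(trust_policy: dict, identity: SubscriberIdentity) -> list[str]:
    """Return the problems found; an empty list means the form values are consistent."""
    problems = []
    if not re.fullmatch(r"\d{12}", identity.principal):
        problems.append(f"Account ID {identity.principal!r} is not a 12-digit AWS account ID")
    elif identity.principal not in DATADOG_ACCOUNT_IDS:
        problems.append(f"Account ID {identity.principal} is not a Datadog account ID from the setup steps")
    if not identity.external_id:
        problems.append("External ID is empty; the role cannot be assumed without it")
    trusted = [ext for acct, ext in trusted_principals(trust_policy) if acct == identity.principal]
    if not trusted:
        problems.append(f"DatadogIntegrationRole trust policy does not trust account {identity.principal}")
    elif identity.external_id not in trusted:
        problems.append("External ID does not match the sts:ExternalId condition in the trust policy")
    return problems


def subscription_endpoint(site: str) -> str:
    """Subscription endpoint for a Datadog site such as 'datadoghq.com' or 'datadoghq.eu'."""
    site = site.strip().lower().removeprefix("https://").removeprefix("api.").rstrip("/")
    if not re.fullmatch(r"[a-z0-9.-]+", site):
        raise ValueError(f"invalid Datadog site: {site!r}")
    return f"https://api.{site}/api/intake/aws/securitylake"


def subscriber_api_requests(identity: SubscriberIdentity, site: str, api_key: str,
                            aws_account_id: str, sources: list[dict]) -> tuple[dict, dict]:
    """Keyword arguments mirroring the console form for CreateSubscriber and
    CreateSubscriberNotification. Field names are the author's reading of the
    Security Lake API (assumption): check them against your SDK before use."""
    create = {
        "subscriberName": "Datadog",
        "accessTypes": ["S3"],
        "sources": sources,
        "subscriberIdentity": {"principal": identity.principal, "externalId": identity.external_id},
    }
    notify = {
        "subscriberId": "<subscriberId returned by CreateSubscriber>",
        "configuration": {"httpsNotificationConfiguration": {
            "endpoint": subscription_endpoint(site),
            "authorizationApiKeyName": "DD-API-KEY",
            "authorizationApiKeyValue": api_key,
            "targetRoleArn": f"arn:aws:iam::{aws_account_id}:role/DatadogSecurityLakeAPIDestinationRole",
        }},
    }
    return create, notify


# Constructed sample of a DatadogIntegrationRole trust policy (illustrative external ID).
SAMPLE_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"AWS": "arn:aws:iam::464622532012:root"},
                "Condition": {"StringEquals": {"sts:ExternalId": "0123456789abcdef0123456789abcdef"}}}]}
""")

if __name__ == "__main__":
    good = SubscriberIdentity("464622532012", "0123456789abcdef0123456789abcdef")
    print("consistent:", check_subscriber_identity(SAMPLE_TRUST_POLICY, good) == [])
    for problem in check_subscriber_identity(SAMPLE_TRUST_POLICY, SubscriberIdentity("417141415827", "wrong")):
        print("problem:", problem)
    # Sample source list; the sourceName value is the author's reading of the API (assumption).
    create, notify = subscriber_api_requests(good, "datadoghq.com", "<DD-API-KEY value>", "123456789012",
                                             [{"awsLogSource": {"sourceName": "CLOUD_TRAIL_MGMT", "sourceVersion": "2.0"}}])
    print(json.dumps(create, indent=2))
    print(notify["configuration"]["httpsNotificationConfiguration"]["endpoint"])
```

Run it with the real trust policy (for example the output of aws iam get-role on DatadogIntegrationRole) in place of SAMPLE_TRUST_POLICY before submitting the console form; an empty problem list means the identity you are entering is the one the role already trusts. The request dictionaries are only assembled, never sent, so the script needs no AWS credentials.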
To learn more about how you can use this integration for real-time threat detection, check out the blog.
Data Collected
Metrics
The Amazon Security Lake integration does not include any metrics.
Events
The Amazon Security Lake integration does not include any events.
Service Checks
The Amazon Security Lake integration does not include any service checks.
Troubleshooting
Permissions
Review the troubleshooting guide to make sure your AWS account has correctly set up the IAM role for Datadog. In particular, confirm that the Account ID and External ID you entered for the subscriber match the trusted principal and the sts:ExternalId condition in the DatadogIntegrationRole trust policy, and that the role carries the IAM policy from the log collection step; a mismatch in any of these leaves the subscriber created in AWS but no logs in Datadog.