Amazon Security Lake

Amazon Security Lake is a service that automatically centralizes an organization's security data from cloud, on-premises, and custom sources into a purpose-built data lake stored in your own Amazon S3. It manages the data lifecycle to help you optimize storage and supports OCSF (Open Cybersecurity Schema Framework) for normalized security data analysis.

1 API · 8 Features
Data Lake · Security · SIEM · Threat Detection

APIs

Amazon Security Lake API

The Amazon Security Lake API provides programmatic access to create and manage data lakes, data sources, subscribers, and log sources for centralizing and analyzing security dat...

Features

Automatic Data Centralization

Automatically centralizes security data from AWS services, third-party tools, and custom sources into a single data lake.

OCSF Normalization

Converts security data to the Open Cybersecurity Schema Framework (OCSF) for standardized analysis across tools.

Apache Parquet Format

Stores all security data in Apache Parquet format optimized for analytical query performance.

Multi-Account Support

Centralizes security data across an entire AWS Organization from all accounts and regions.

Lifecycle Management

Automatically manages storage lifecycle with configurable retention and tiering policies.

Subscriber Access

Grant third-party SIEMs and analytics tools direct query access to your security data lake.

Native AWS Integration

Native connectors for CloudTrail, VPC Flow Logs, Route 53, Security Hub, and EKS audit logs.

Custom Log Sources

Ingest custom and third-party security data sources in OCSF format.

Use Cases

Security Data Centralization

Aggregate all security data from across a multi-account AWS environment into one queryable data lake.

SIEM Integration

Provide SIEM platforms like Splunk, Sumo Logic, and Microsoft Sentinel direct access to normalized security data.

Threat Hunting

Enable security analysts to query normalized OCSF data for threat hunting and forensic investigation.

Compliance Data Retention

Retain security logs in a cost-optimized data lake for compliance audit requirements.

Security Analytics

Run advanced analytics and ML models against normalized security data for anomaly detection.

Multi-Cloud Security Data

Centralize security data from on-premises and other cloud providers alongside AWS security data.

Semantic Vocabularies

Amazon Security Lake Context

3 classes · 18 properties

JSON-LD

API Governance Rules

Amazon Security Lake API Rules

21 rules · 8 errors · 10 warnings · 3 info

SPECTRAL

Resources

PostmanWorkspace
ArazzoWorkflows
Portal
GettingStarted
Documentation
APIReference
Console
SignUp
Pricing
FAQ
Blog
StatusPage
Support
TermsOfService
PrivacyPolicy
Compliance
GitHubOrganization
YouTube
StackOverflow
KnowledgeCenter
SpectralRules
Vocabulary
JSONLD
JSONStructure
JSONStructure
JSONStructure
Example
Example
Example

Sources

name: Amazon Security Lake
description: >-
  Amazon Security Lake is a service that automatically centralizes an organization's security data from cloud,
  on-premises, and custom sources into a purpose-built data lake stored in your own Amazon S3. It manages the data
  lifecycle to help you optimize storage and supports OCSF (Open Cybersecurity Schema Framework) for normalized security
  data analysis.
url: https://aws.amazon.com/security-lake/
baseURL: https://securitylake.amazonaws.com
kind: company
created: '2026-03-16'
modified: '2026-05-19'
tags:
  - AWS
  - Data Lake
  - Security
  - SIEM
  - Threat Detection
apis:
  - name: Amazon Security Lake API
    description: >-
      The Amazon Security Lake API provides programmatic access to create and manage data lakes, data sources,
      subscribers, and log sources for centralizing and analyzing security data across your organization using the OCSF
      (Open Cybersecurity Schema Framework).
    humanURL: https://docs.aws.amazon.com/security-lake/latest/APIReference/Welcome.html
    baseURL: https://securitylake.{region}.amazonaws.com
    tags:
      - Data Lake
      - Security
      - Threat Detection
      - OCSF
    properties:
      - type: Documentation
        url: https://docs.aws.amazon.com/security-lake/latest/APIReference/Welcome.html
      - type: OpenAPI
        url: openapi/amazon-security-lake-openapi.yml
      - type: JSONSchema
        url: json-schema/amazon-security-lake-data-lake-schema.json
      - type: JSONSchema
        url: json-schema/amazon-security-lake-log-source-schema.json
      - type: JSONSchema
        url: json-schema/amazon-security-lake-subscriber-schema.json
common:
  - type: PostmanWorkspace
    url: https://www.postman.com/kinlaneapi/amazon-security-lake/overview
  - type: ArazzoWorkflows
    url: arazzo/
    workflows:
      - url: arazzo/amazon-security-lake-decommission-data-lake-workflow.yml
        name: Amazon Security Lake Decommission Data Lake
        summary: Resolve a data lake, update its configuration, then delete its configuration object.
      - url: arazzo/amazon-security-lake-offboard-subscriber-workflow.yml
        name: Amazon Security Lake Offboard Subscriber
        summary: Confirm a subscriber exists, then delete it and verify it is removed from the list.
      - url: arazzo/amazon-security-lake-onboard-aws-log-source-workflow.yml
        name: Amazon Security Lake Onboard AWS Log Source
        summary: Add a natively supported AWS service as a log source and confirm it is collecting.
      - url: arazzo/amazon-security-lake-provision-data-lake-workflow.yml
        name: Amazon Security Lake Provision Data Lake
        summary: Create a Security Lake data lake, confirm it is listed, and inspect its collecting sources.
      - url: arazzo/amazon-security-lake-provision-subscriber-workflow.yml
        name: Amazon Security Lake Provision Subscriber
        summary: Create a subscriber, confirm its identity and status, and verify it is listed.
      - url: arazzo/amazon-security-lake-register-custom-source-workflow.yml
        name: Amazon Security Lake Register Custom Source
        summary: Register a third-party custom log source and confirm it appears in the source list.
      - url: arazzo/amazon-security-lake-rename-subscriber-workflow.yml
        name: Amazon Security Lake Rename Subscriber
        summary: Find a subscriber by name, confirm it, and update its name and description.
  - type: Portal
    url: https://aws.amazon.com/security-lake/
  - type: GettingStarted
    url: https://aws.amazon.com/security-lake/getting-started/
  - type: Documentation
    url: https://docs.aws.amazon.com/security-lake/
  - type: APIReference
    url: https://docs.aws.amazon.com/security-lake/latest/APIReference/
  - type: Console
    url: https://console.aws.amazon.com/securitylake/
  - type: SignUp
    url: https://portal.aws.amazon.com/billing/signup
  - type: Pricing
    url: https://aws.amazon.com/security-lake/pricing/
  - type: FAQ
    url: https://aws.amazon.com/security-lake/faqs/
  - type: Blog
    url: https://aws.amazon.com/blogs/security/tag/amazon-security-lake/
  - type: StatusPage
    url: https://health.aws.amazon.com/health/status
  - type: Support
    url: https://aws.amazon.com/premiumsupport/
  - type: TermsOfService
    url: https://aws.amazon.com/service-terms/
  - type: PrivacyPolicy
    url: https://aws.amazon.com/privacy/
  - type: Compliance
    url: https://aws.amazon.com/compliance/
  - type: GitHubOrganization
    url: https://github.com/aws
  - type: YouTube
    url: https://www.youtube.com/user/AmazonWebServices
  - type: StackOverflow
    url: https://stackoverflow.com/questions/tagged/amazon-security-lake
  - type: KnowledgeCenter
    url: https://repost.aws/knowledge-center
  - type: SpectralRules
    url: rules/amazon-security-lake-spectral-rules.yml
  - type: Vocabulary
    url: vocabulary/amazon-security-lake-vocabulary.yaml
  - type: Features
    data:
      - name: Automatic Data Centralization
        description: >-
          Automatically centralizes security data from AWS services, third-party tools, and custom sources into a single
          data lake.
      - name: OCSF Normalization
        description: >-
          Converts security data to the Open Cybersecurity Schema Framework (OCSF) for standardized analysis across
          tools.
      - name: Apache Parquet Format
        description: Stores all security data in Apache Parquet format optimized for analytical query performance.
      - name: Multi-Account Support
        description: Centralizes security data across an entire AWS Organization from all accounts and regions.
      - name: Lifecycle Management
        description: Automatically manages storage lifecycle with configurable retention and tiering policies.
      - name: Subscriber Access
        description: Grant third-party SIEMs and analytics tools direct query access to your security data lake.
      - name: Native AWS Integration
        description: Native connectors for CloudTrail, VPC Flow Logs, Route 53, Security Hub, and EKS audit logs.
      - name: Custom Log Sources
        description: Ingest custom and third-party security data sources in OCSF format.
  - type: UseCases
    data:
      - name: Security Data Centralization
        description: Aggregate all security data from across a multi-account AWS environment into one queryable data lake.
      - name: SIEM Integration
        description: >-
          Provide SIEM platforms like Splunk, Sumo Logic, and Microsoft Sentinel direct access to normalized security
          data.
      - name: Threat Hunting
        description: Enable security analysts to query normalized OCSF data for threat hunting and forensic investigation.
      - name: Compliance Data Retention
        description: Retain security logs in a cost-optimized data lake for compliance audit requirements.
      - name: Security Analytics
        description: Run advanced analytics and ML models against normalized security data for anomaly detection.
      - name: Multi-Cloud Security Data
        description: Centralize security data from on-premises and other cloud providers alongside AWS security data.
  - type: Integrations
    data:
      - name: AWS CloudTrail
        description: Native connector for management event and data event logs from CloudTrail.
      - name: Amazon VPC Flow Logs
        description: Ingest VPC network flow logs for network traffic analysis.
      - name: Amazon Route 53
        description: Collect DNS query logs for domain analysis and threat detection.
      - name: AWS Security Hub
        description: Aggregate Security Hub findings into the security data lake.
      - name: Amazon EKS
        description: Ingest Kubernetes audit logs from Amazon EKS clusters.
      - name: Amazon S3
        description: All security data is stored in S3 buckets within your own AWS account.
      - name: AWS Lake Formation
        description: Control fine-grained subscriber access using AWS Lake Formation permissions.
      - name: Splunk
        description: SIEM subscriber integration for Splunk to query Security Lake data directly.
      - name: Microsoft Sentinel
        description: Connect Microsoft Sentinel as a subscriber to consume OCSF-normalized data.
      - name: CrowdStrike
        description: Ingest CrowdStrike endpoint detection findings as a custom log source.
  - type: JSONLD
    url: json-ld/amazon-security-lake-context.jsonld
  - type: JSONStructure
    url: json-structure/amazon-security-lake-data-lake-structure.json
  - type: JSONStructure
    url: json-structure/amazon-security-lake-log-source-structure.json
  - type: JSONStructure
    url: json-structure/amazon-security-lake-subscriber-structure.json
  - type: Example
    url: examples/amazon-security-lake-data-lake-example.json
  - type: Example
    url: examples/amazon-security-lake-log-source-example.json
  - type: Example
    url: examples/amazon-security-lake-subscriber-example.json
  - type: Integrations
    url: https://aws.amazon.com/partners/
integrations:
  - name: Partner Programs
  - name: Resources
  - name: Success Stories
  - name: Work with an AWS Partner
  - name: AWS Marketplace
  - name: AWS Partner Central
  - name: Partner Paths
  - name: co-sell with AWS
maintainers:
  - FN: Kin Lane
    email: [email protected]