May 31st, 2023

<aside> 🎓 Level: Intermediate

</aside>

<aside> ⏱️ 7 Minutes

</aside>

Isaac Zapata

On May 30th, 2023, the general availability of AWS’s Amazon Security Lake was announced. Security Lake centralizes security data from AWS, SaaS providers, on-premises, and cloud sources into an AWS-native data lake. The managed service normalizes and combines security data according to the Open Cybersecurity Schema Framework (OCSF), a collaborative, open-source effort by AWS and leading cybersecurity partners. While Amazon Security Lake transforms AWS source data natively (see Figure 1), custom sources can be created to collect logs from third-party sources, provided they meet the appropriate requirements (see Reference 9).

https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2023/05/30/img1-5.png

Figure 1: How Security Lake Works - Image Credits: AWS

However, some of you may be thinking… “Another data lake for audit events? So soon?” If you are keeping score, you may recall that AWS CloudTrail Lake was announced as generally available on January 5th, 2022, as part of the AWS CloudTrail service. Its purpose is to enable the aggregation, storage, and querying of events recorded by CloudTrail for auditing and security investigation. It also provides mechanisms, i.e. ‘channels’, to integrate with event sources originating outside of AWS.

<aside> 🤔 The Dilemma: Amazon Security Lake vs. AWS CloudTrail Lake

</aside>

On the surface, the existence of both ‘Lakes’ creates confusion about which one an organization should leverage when designing a centralized log aggregation architecture on AWS. Should teams use one or the other? Is there a world where both are used to complement each other?

Table 1 outlines capabilities and qualities that I identify as a ‘starter pack’ for assessing the use of Amazon Security Lake and AWS CloudTrail Lake in a target AWS environment.

| Amazon Security Lake | AWS CloudTrail Lake |
| --- | --- |
| ✅ Backed by Amazon S3 Buckets | ⚠ Leverages Event Data Store Resources |
| ✅ AWS CloudTrail Management and Data Events | ✅ AWS CloudTrail Management and Data Events |
| ✅ Amazon Route 53 Resolver Query Logs | ❌ Amazon Route 53 Resolver Query Logs |
| ✅ AWS Security Hub Findings | ❌ AWS Security Hub Findings |
| ✅ Amazon VPC Flow Logs | ❌ Amazon VPC Flow Logs |
| ✅ AWS Config (via AWS Security Hub) | ✅ AWS Config |
| ✅ Native Transformation to OCSF (AWS Native Sources) | ❌ Unique Event Schemas for Event Categories (i.e. AWS CloudTrail, AWS Config) |
| ⚠ OCSF Standard Introduced in 2022, long term success not yet known | ❌ Native Schemas not standard across cybersecurity products |
| ⚠ Not Supported in GovCloud | ✅ Supported in GovCloud |
| ⚠ 10 Regions supported at this time | ✅ Supported where AWS CloudTrail is Supported |
| ✅ Delegated Administrator Account Support | ✅ Delegated Administrator Account Support |
| ✅ Custom Sources | ✅ Event Data Stores for events outside of AWS |
| ✅ Subscriber Data Access and Query Access to source data for 3rd Party Access | |

Table 1: High Level Quality Check - Amazon Security Lake vs AWS CloudTrail Lake

Overall, in terms of capability, Amazon Security Lake is more feature-rich and has better long-term potential, assuming OCSF is deemed a successful program in the future. It supports a larger base of AWS-native logs, and because data is normalized out of the box, data transformation responsibilities are heavily offloaded from organizations.

Key areas of caution for Amazon Security Lake: