Considerations when enabling Security Lake
Before enabling Security Lake, consider the following:
- Security Lake provides cross-region management features, which means you can create your data lake and configure log collection across AWS Regions. To enable Security Lake in all supported Regions, you can choose any supported Regional endpoint. You can also add rollup Regions to aggregate data from multiple Regions into a single Region.
- We recommend activating Security Lake in all of the supported AWS Regions. If you do this, Security Lake can collect data that's connected to unauthorized or unusual activity even in Regions that you aren't actively using. If Security Lake is not activated in all supported Regions, its ability to collect data from other services that you use in multiple Regions is reduced.
- When you enable Security Lake for the first time in any Region, it creates a service-linked role for your account called AWSServiceRoleForSecurityLake. This role includes the permissions to call other AWS services on your behalf and operate the security data lake. For more information about how service-linked roles work, see Using service-linked roles in the IAM User Guide. If you enable Security Lake as the delegated Security Lake administrator, Security Lake creates the service-linked role in each member account in the organization.
- Security Lake doesn't support Amazon S3 Object Lock. When the data lake buckets are created, S3 Object Lock is disabled by default. Enabling Object Lock on a bucket interrupts the delivery of normalized log data to the data lake.
- If you are re-enabling Security Lake in a Region, you must delete the Region's corresponding AWS Glue database from your previous use of Security Lake.
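The following pre-flight script is an added example, not part of the AWS documentation above and not an AWS-provided tool. It checks the three account-level points from the list before you enable or re-enable Security Lake in a Region: whether the AWSServiceRoleForSecurityLake service-linked role already exists, whether S3 Object Lock is enabled on a data lake bucket (which would interrupt delivery), and whether a Glue database left over from a previous Security Lake deployment still exists. The bucket name and Glue database name are operator-supplied assumptions passed in through environment variables; the script assumes the AWS CLI is installed and configured. The JSON interpretation is kept in a pure function so it can be exercised without AWS access.

```shell
#!/usr/bin/env bash
# Pre-flight checks before (re-)enabling Security Lake in a Region.
# Added example; assumes the AWS CLI is installed and credentials are configured.
# SECURITY_LAKE_BUCKET and SECURITY_LAKE_GLUE_DB are operator-supplied assumptions
# (the page does not state the bucket or database naming scheme).
set -eu

# Pure helper: interpret the JSON returned by
# `aws s3api get-object-lock-configuration`. Exit status 0 when Object Lock is
# enabled on the bucket, 1 otherwise.
object_lock_enabled() {
  printf '%s' "$1" | grep -q '"ObjectLockEnabled"[[:space:]]*:[[:space:]]*"Enabled"'
}

# Security Lake creates this role on first enable; report whether it is already there.
check_service_linked_role() {
  if aws iam get-role --role-name AWSServiceRoleForSecurityLake >/dev/null 2>&1; then
    echo "service-linked role AWSServiceRoleForSecurityLake already exists"
  else
    echo "service-linked role not present yet; Security Lake will create it on first enable"
  fi
}

# Object Lock on a data lake bucket interrupts delivery of normalized logs.
# The get-object-lock-configuration call fails when the bucket has no Object
# Lock configuration at all, which is the expected (safe) state.
check_object_lock() {
  bucket="$1"
  if out=$(aws s3api get-object-lock-configuration --bucket "$bucket" 2>/dev/null); then
    if object_lock_enabled "$out"; then
      echo "WARNING: Object Lock is enabled on $bucket; Security Lake delivery would be interrupted"
      return 1
    fi
  fi
  echo "Object Lock is not enabled on $bucket"
}

# When re-enabling in a Region, the previous Glue database must be deleted first.
check_stale_glue_db() {
  db="$1"; region="$2"
  if aws glue get-database --name "$db" --region "$region" >/dev/null 2>&1; then
    echo "WARNING: Glue database $db still exists in $region; delete it before re-enabling Security Lake"
    return 1
  fi
  echo "no leftover Glue database $db in $region"
}

# Only run the live checks when the operator has supplied the inputs, so the
# file can also be sourced for its helper functions without AWS access.
if [ -n "${SECURITY_LAKE_BUCKET:-}" ] && [ -n "${SECURITY_LAKE_GLUE_DB:-}" ]; then
  region="${AWS_REGION:-us-east-1}"
  check_service_linked_role
  check_object_lock "$SECURITY_LAKE_BUCKET"
  check_stale_glue_db "$SECURITY_LAKE_GLUE_DB" "$region"
fi
```

Run it as `SECURITY_LAKE_BUCKET=<your data lake bucket> SECURITY_LAKE_GLUE_DB=<your previous Glue database> AWS_REGION=<region> bash preflight.sh`; a non-zero exit with a WARNING line means one of the two blocking conditions (Object Lock enabled, stale Glue database) applies and must be fixed before enabling.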