What is Amazon Security Lake?
Amazon Security Lake is a fully managed security data lake that automatically collects, normalizes, and stores log and event data from AWS services, SaaS providers, on-premises systems, and other sources in your own AWS account. The service uses the Open Cybersecurity Schema Framework (OCSF) to bring data from different sources into a unified, open schema.
Security Lake is built on Amazon S3 and uses AWS Lake Formation for access control and AWS Glue for the data catalog and ETL processing. Security teams retain ownership of their data and can access it with common analytics tools without building custom data pipelines.
Core Features
- OCSF Normalization: Automatic conversion of natively supported AWS security data into the open OCSF schema and Parquet format
- Native AWS Integration: Automatic collection of CloudTrail, EKS audit log, Route 53 resolver, Security Hub, VPC Flow Log, and WAFv2 data
- Third-Party and Custom Sources: Integration of additional security solutions and custom data sources
- Subscriber Model: Controlled data access for analytics tools and SIEM systems via notification or query
- Multi-Account and Multi-Region: Centralization across AWS Organizations, including rollup regions for data residency requirements
- Lifecycle Management: Configurable retention and replication settings plus automated storage tiering
Typical Use Cases
Security Operations Center (SOC): Security teams analyze all security data in one central location. OCSF normalization reduces the effort of manually correlating different log formats.
Threat Hunting: Security analysts search historical security data using Amazon Athena, Amazon Redshift, or other query tools. The unified data structure accelerates investigations.
Compliance Reporting: Organizations with regulatory requirements use Security Lake as a central source for audit trails and compliance evidence across multiple AWS accounts and regions.
Benefits
- Unified data format reduces silos between security tools
- Automatic collection of native AWS sources without custom pipeline development
- Cost-effective storage on S3 with configurable lifecycle management
- Open OCSF format reduces dependency on individual analytics tool vendors
Integration with innFactory
As an AWS Reseller, innFactory supports you with Amazon Security Lake: architecture design for multi-account and multi-region setups, integration of third-party and custom sources, analytics pipeline development, and compliance reporting.
Typical Use Cases
Frequently Asked Questions
What is Amazon Security Lake?
Amazon Security Lake is a fully managed service that automatically centralizes security data from AWS environments, SaaS providers, on-premises systems, and other cloud sources into a purpose-built, S3-backed data lake in your own AWS account.
What is the OCSF format?
The Open Cybersecurity Schema Framework (OCSF) is an open standard for normalizing security data. Security Lake automatically converts data from natively supported AWS sources into OCSF and Apache Parquet for unified analysis.
Which data sources are natively supported?
Security Lake natively collects data from AWS CloudTrail (management and data events), Amazon EKS audit logs, Route 53 resolver query logs, AWS Security Hub CSPM findings, VPC Flow Logs, and AWS WAFv2 logs. Custom and third-party sources can also be integrated.
What does Amazon Security Lake cost?
Billing is based on ingested and normalized data volume per GB; exact prices vary by source and region. Additional costs apply for underlying AWS services such as S3, Glue, or Lambda. Current pricing is available on the official pricing page.
How do analytics tools access the data?
A subscriber model gives SIEM and analytics tools controlled access to the data, either through notifications about new objects or by querying the data, for example with Amazon Athena or Amazon Redshift.
Note: All product information on this page has been compiled with care, but is provided without guarantee and may be outdated or incomplete. Cloud services evolve rapidly — features, pricing, SLAs, and availability change frequently. Authoritative and up-to-date information can only be found on the official product page of AWS (official documentation). This page does not represent an offer by AWS.