AWS security-lake medium security documentation change
Summary
Restructured retention settings documentation with warnings about S3 Object Lock incompatibility and guidance to use Security Lake tools for retention management
Security assessment
Added explicit warning that modifying S3 lifecycle settings directly can cause data access issues and emphasized S3 Object Lock incompatibility which could disrupt data delivery. These changes address potential misconfigurations that could lead to data loss or service disruption.
Diff
diff --git a/security-lake/latest/userguide/lifecycle-management.md b/security-lake/latest/userguide/lifecycle-management.md index 14d9feab3..d3b486ca5 100644 --- a/security-lake/latest/userguide/lifecycle-management.md +++ b/security-lake/latest/userguide/lifecycle-management.md @@ -13 +13 @@ You can customize Security Lake to store data in your preferred AWS Regions for -To manage your data so that it is stored cost effectively, you can configure retention settings for the data. Because Security Lake stores your data as objects in Amazon Simple Storage Service (Amazon S3) buckets, the retention settings correspond to an Amazon S3 Lifecycle configuration. By configuring these settings, you can specify your preferred Amazon S3 storage class and the time period for S3 objects to stay in that storage class before they transition to a different storage class or expire. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the _Amazon Simple Storage Service User Guide_. +To manage your data so that it is stored cost effectively, you can configure retention for the data using the lifecycle settings in Security Lake. These retention settings help you specify your preferred [Amazon S3 storage class](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html) and the time period for the Amazon S3 objects to stay in that storage class before they transition to a different storage class to expire. @@ -15 +15 @@ To manage your data so that it is stored cost effectively, you can configure ret -In Security Lake, you specify retention settings at the Region level. For example, you might choose to transition all S3 objects in a specific AWS Region to the **S3 Standard-IA** storage class 30 days after they're written to the data lake. The default Amazon S3 storage class is **S3 Standard**. +###### Warning @@ -17 +17 @@ In Security Lake, you specify retention settings at the Region level. For exampl -###### Important +We recommend managing the retention settings through Security Lake console, API, or CLI. This is because modifying Amazon S3 Lifecycle settings directly in the Amazon S3 service can potentially delete metadata and prevent you from accessing your data. @@ -19 +19 @@ In Security Lake, you specify retention settings at the Region level. For exampl -Security Lake doesn't support Amazon S3 Object Lock. When the data lake buckets are created, S3 Object Lock is disabled by default. Enabling S3 Object Lock with default retention mode interrupts the delivery of normalized log data to the data lake. +### Important considerations for retention settings in Security Lake @@ -21 +21,7 @@ Security Lake doesn't support Amazon S3 Object Lock. When the data lake buckets -### Configuring retention settings when enabling Security Lake +Review the following considerations when managing data retention in Security Lake: + + * Security Lake doesn't support [Amazon S3 Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html). When the data lake buckets are created, S3 Object Lock is disabled by default. Enabling S3 Object Lock with default retention mode interrupts the delivery of normalized log data to the data lake. + + * The default Amazon S3 storage class is **S3 Standard**. If you don't configure retention settings, Security Lake uses the default settings for an Amazon S3 Lifecycle configuration — store the data indefinitely using the **S3 Standard** storage class. + + * In Security Lake, you specify retention settings at the Region level. For example, you might configure all S3 objects in a specific AWS Region to transition to the **S3 Standard-IA** storage class 30 days after they're written to the data lake. @@ -23 +29 @@ Security Lake doesn't support Amazon S3 Object Lock. When the data lake buckets -Follow these instructions to configure retention settings for one or more Regions when you're onboarding to Security Lake. If you don't configure retention settings, Security Lake uses the default settings for an Amazon S3 Lifecycle configuration—store the data indefinitely using the **S3 Standard** storage class. + * While retention settings are applied only to the data stored in the S3 bucket, Apache Iceberg metadata is excluded from the retention policy. @@ -25 +30,0 @@ Follow these instructions to configure retention settings for one or more Region -###### Important @@ -27 +32,5 @@ Follow these instructions to configure retention settings for one or more Region -Retention settings are applied only to the data stored in the S3 bucket. Apache Iceberg metadata is excluded from the retention policy. + + +### Configuring retention settings when enabling Security Lake + +Follow these instructions to configure retention settings for one or more Regions when you're onboarding to Security Lake.