AWS Security ChangesHomeSearch

AWS security-lake documentation change

Service: security-lake · 2025-04-01 · Documentation low

File: security-lake/latest/userguide/aws-integrations.md

Summary

Restructured integration documentation by replacing detailed service-specific sections with a consolidated table format. Added new OpenSearch Service integrations and simplified subscriber integration methods. Removed detailed workflow instructions and redirected to dedicated pages.

Security assessment

The changes focus on organizational restructuring and expanding integration options (including OpenSearch-related services) rather than addressing vulnerabilities. However, the documentation describes security-relevant integrations with services like Security Hub and Detective, which are security features.

Diff

diff --git a/security-lake/latest/userguide/aws-integrations.md b/security-lake/latest/userguide/aws-integrations.md
index 4fcd3c7b2..f9d703b9e 100644
--- a/security-lake/latest/userguide/aws-integrations.md
+++ b/security-lake/latest/userguide/aws-integrations.md
@@ -5,2 +4,0 @@
-AWS AppFabric integrationDetective integrationAmazon QuickSight integrationSageMaker AI integrationAmazon Bedrock integrationSecurity Hub integration
-
@@ -22,73 +20 @@ Source integrations have the following properties:
-Subscriber integrations have the following properties can read source data from Security Lake at an HTTPS endpoint or Amazon Simple Queue Service (Amazon SQS) queue, or by directly querying source data from AWS Lake Formation
-
-The following section explains which AWS services Security Lake integrates with and how each integration works.
-
-## Integration with AWS AppFabric
-
-**Integration type:** Source
-
-[AWS AppFabric](https://docs.aws.amazon.com/appfabric/latest/adminguide/what-is-appfabric.html) is a no-code service that connects software as a service (SaaS) applications across your organization, so IT and security teams can manage and secure applications using a standard schema and central repository.
-
-### How Security Lake receives AppFabric findings
-
-You can send AppFabric audit log data to Security Lake by selecting Amazon Kinesis Data Firehose as a destination and configuring Kinesis Data Firehose to deliver data in OCSF schema and Apache Parquet format to Security Lake.
-
-### Prerequisites
-
-Before you can send AppFabric audit logs to Security Lake, you must output your OCSF normalized audit logs to a Kinesis Data Firehose stream. You can then configure Kinesis Data Firehose to send the output to your Security Lake Amazon S3 bucket. For more information, see [Choose Amazon S3 for your destination ](https://docs.aws.amazon.com/firehose/latest/dev/create-destination.html#create-destination-s3) in the _Amazon Kinesis Developer Guide_.
-
-### Send your AppFabric findings to Security Lake
-
-To send AppFabric audit logs to Security Lake after completing the preceding prerequisite, you must enable both services and add AppFabric as a custom source in Security Lake. For instructions on adding a custom source, see [Collecting data from custom sources in Security Lake](./custom-sources.html).
-
-### Stop receiving AppFabric logs in Security Lake
-
-To stop receiving AppFabric audit logs, you can use the Security Lake console, Security Lake API, or AWS CLI to delete AppFabric as a custom source. For instructions, see [Deleting a custom source from Security Lake](./delete-custom-source.html).
-
-## Integration with Amazon Detective
-
-**Integration type:** Subscriber
-
-[Amazon Detective](https://docs.aws.amazon.com/detective/latest/adminguide/what-is-detective.html) helps you analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Detective automatically collects log data from your AWS resources. It then uses machine learning, statistical analysis, and graph theory to generate visualizations that help you to conduct faster and more efficient security investigations. The Detective prebuilt data aggregations, summaries, and context help you to quickly analyze and determine the nature and extent of possible security issues.
-
-When you integrate Security Lake and Detective, you can query the raw log data stored by Security Lake from Detective. For more information, see [Integration with Amazon Security Lake](https://docs.aws.amazon.com/detective/latest/userguide/securitylake-integration.html).
-
-## Integration with Amazon QuickSight
-
-**Integration type:** Subscriber
-
-[Amazon QuickSight](https://docs.aws.amazon.com/quicksight/latest/user/welcome.html) is a cloud-scale business intelligence (BI) service that you can use to deliver easy-to-understand insights to the people who you work with, wherever they are. Amazon QuickSight connects to your data in the cloud and combines data from many different sources. Amazon QuickSight gives decision-makers the opportunity to explore and interpret information in an interactive visual environment. They have secure access to dashboards from any device on your network and from mobile devices.
-
-### Amazon QuickSight dashboard
-
-To visualize your Amazon Security Lake data in Amazon QuickSight, to create the required AWS objects and deploy basic data sources, data sets, analysis, dashboards, and user groups to Amazon QuickSight with respect to Security Lake. For the detailed instructions, see [Integration with Amazon QuickSight](https://aws.amazon.com/solutions/implementations/security-insights-on-aws/).
-
-## Integration with Amazon SageMaker AI
-
-**Integration type:** Subscriber
-
-[Amazon SageMaker AI](https://docs.aws.amazon.com/sagemaker/latest/dg/whatis.html) is a fully managed machine learning (ML) service. With Security Lake, data scientists and developers can quickly and confidently build, train, and deploy ML models into a production-ready hosted environment. It provides a UI experience for running ML workflows that makes SageMaker AI ML tools available across multiple integrated development environments (IDEs).
-
-### SageMaker AI insights
-
-You can generate machine learning insights for Security Lake using SageMaker AI Studio. SageMaker AI Studio is a web integrated development environment (IDE) for machine learning that provides tools for data scientists to prepare, build, train, and deploy machine learning models. With this solution, you can quickly deploy a base set of Python notebooks focusing on AWS Security Hub findings in Security Lake, which can also be expanded to incorporate other AWS sources or custom data sources in Security Lake. For more details, see [Generate machine learning insights for Amazon Security Lake data using Amazon SageMaker AI](https://aws.amazon.com/blogs/security/generate-machine-learning-insights-for-amazon-security-lake-data-using-amazon-sagemaker/).
-
-## Integration with Amazon Bedrock
-
-[Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html) is a fully managed service that makes high-performing foundation models (FMs) from leading AI startups and Amazon available for your use through a unified API. With Amazon Bedrock's serverless experience, you can get started quickly, privately customize foundation models with your own data, and easily and securely integrate and deploy them into your applications using AWS tools without having to manage any infrastructure.
-
-### Generative AI
-
-You can use the generative AI capabilities of Amazon Bedrock and natural language input in SageMaker AI Studio to analyze data in Security Lake and work towards reducing your organization’s risk and increase your security posture. You can reduce the amount of time needed to conduct an investigation by automatically identifying the appropriate data sources, generating and invoking SQL queries, and visualizing data from your investigation. For more details see [Generate AI powered insights for Amazon Security Lake using Amazon SageMaker AI Studio and Amazon Bedrock](https://aws.amazon.com/blogs/security/generate-ai-powered-insights-for-amazon-security-lake-using-amazon-sagemaker-studio-and-amazon-bedrock/).
-
-## Integration with AWS Security Hub
-
-**Integration type:** Source
-
-[AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you to analyze your security trends and identify the highest priority security issues.
-
-When you enable Security Hub and add Security Hub findings as a source in Security Lake, Security Hub starts sending new findings and updates to existing findings to Security Lake.
-
-### How Security Lake receives Security Hub findings
-
-In Security Hub, security issues are tracked as findings. Some findings come from issues that are detected by other AWS services or by third-party partners. Security Hub also generates its own findings by running automated and continuous security checks against rules. The rules are represented by security controls.
+Subscriber integrations can access Security Lake data in one of the following ways:
@@ -96 +22 @@ In Security Hub, security issues are tracked as findings. Some findings come fro
-All findings in Security Hub use a standard JSON format called the [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html).
+  * Read source data from Security Lake through an HTTPS endpoint
@@ -98 +24 @@ All findings in Security Hub use a standard JSON format called the [AWS Security
-Security Lake receives Security Hub findings and transforms them into the [Open Cybersecurity Schema Framework (OCSF) in Security Lake](./open-cybersecurity-schema-framework.html).
+  * Read source data from Security Lake through an Amazon Simple Queue Service (Amazon SQS)
@@ -100 +26 @@ Security Lake receives Security Hub findings and transforms them into the [Open
-### Send your Security Hub findings to Security Lake
+  * By directly querying source data using AWS Lake Formation
@@ -102 +27,0 @@ Security Lake receives Security Hub findings and transforms them into the [Open
-To send Security Hub findings to Security Lake, you must enable both services and add Security Hub findings as a source in Security Lake. For instructions on adding an AWS source, see [Adding an AWS service as a source](./internal-sources.html#add-internal-sources).
@@ -104 +28,0 @@ To send Security Hub findings to Security Lake, you must enable both services an
-If you want Security Hub to generate [control findings ](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-findings-create-update.html) and send them to Security Lake, you must enable the relevant security standards and turn on resource recording on a Regional basis in AWS Config. For more information, see [Enabling and configuring AWS Config](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html) in the _AWS Security Hub User Guide_.
@@ -106 +29,0 @@ If you want Security Hub to generate [control findings ](https://docs.aws.amazon
-### Stop receiving Security Hub findings in Security Lake
@@ -108 +31 @@ If you want Security Hub to generate [control findings ](https://docs.aws.amazon
-To stop receiving Security Hub findings, you can use the Security Hub console, Security Hub API, or AWS CLI.
+The following table provides a list of AWS service integrations that Security Lake supports.
@@ -110 +33,11 @@ To stop receiving Security Hub findings, you can use the Security Hub console, S
-See [Disabling and enabling the flow of findings from an integration (console)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-integrations-managing.html#securityhub-integration-findings-flow-console) or [Disabling the flow of findings from an integration (Security Hub API, AWS CLI)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-integrations-managing.html#securityhub-integration-findings-flow-disable-api) in the _AWS Security Hub User Guide_.
+AWS service | Integration type | Description | How integration works  
+---|---|---|---  
+[Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html) |  Subscriber |  Generate AI-powered insights to analyze Security Lake data. |  [Amazon Bedrock integration](./bedrock-integration.html)  
+[Amazon Detective](https://docs.aws.amazon.com/detective/latest/userguide/what-is-detective.html) |  Subscriber |  Analyze, investigate, and quickly identify the root cause of security findings or suspicious activities by querying Security Lake. |  [Detective integration](./detective-integration.html)  
+[Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html) |  Subscriber |  Generate security insights from Security Lake data by using OpenSearch Service ingestion. |  [OpenSearch Service integration](./opensearch-integration.html)  
+[Amazon OpenSearch Service ingestion pipeline](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ingestion.html) |  Subscriber, Source |  Stream logs, metrics, and trace data to OpenSearch Service and Security Lake. |  [OpenSearch Ingestion pipeline integration](./opensearch-ingestion-pipeline-integration.html)  
+[Amazon OpenSearch Service zero-ETL](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/direct-query.html) |  Subscriber (Query) |  Query data in Security Lake with zero-ETL. |  [Amazon OpenSearch Service zero-ETL direct query integration](./opensearch-datasource-integration.html)  
+[Amazon QuickSight](https://docs.aws.amazon.com/quicksight/latest/user/welcome.html) |  Subscriber |  Visualize, explore, and interpret logs in Security Lake with QuickSight. |  [Amazon QuickSight integration](./quicksight-integration.html)  
+[Amazon SageMaker AI](https://docs.aws.amazon.com/sagemaker/latest/dg/whatis.html) |  Subscriber |  Generate AI-powered insights to analyze Security Lake data. |  [SageMaker AI integration](./sagemaker-integration.html)  
+[AWS AppFabric](https://docs.aws.amazon.com/appfabric/latest/adminguide/what-is-appfabric.html) |  Source |  Ingests and normalize software as a service (SaaS) application logs into Security Lake standard format. |  [AWS AppFabric integration](./appfabric-integration.html)  
+[AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) |  Source |  Centralize and store security findings from Security Hub in Security Lake standard format. |  [Security Hub integration](./securityhub-integration.html)  
@@ -120 +53 @@ Integrations
-OpenSearch Service integration
+Amazon Bedrock integration