AWS Security ChangesHomeSearch

AWS security-lake documentation change

Service: security-lake · 2025-04-28 · Documentation low

File: security-lake/latest/userguide/enable-securitylake-considerations.md

Summary

Added documentation for a new service-linked role (AWSServiceRoleForSecurityLakeResourceManagement) used for monitoring and performance improvements, including Lake Formation access

Security assessment

Introduces a new service-linked role with permissions for resource management and Lake Formation access, which improves operational security but does not address a specific disclosed vulnerability.

Diff

diff --git a/security-lake/latest/userguide/enable-securitylake-considerations.md b/security-lake/latest/userguide/enable-securitylake-considerations.md
index 156ca57db..647cf0a74 100644
--- a//security-lake/latest/userguide/enable-securitylake-considerations.md
+++ b//security-lake/latest/userguide/enable-securitylake-considerations.md
@@ -13 +13,9 @@
-  * When you enable Security Lake for the first time in any Region, it creates a [service-linked role](./using-service-linked-roles.html) for your account called `AWSServiceRoleForSecurityLake`. This role includes the permissions to call other AWS services on your behalf and operate the security data lake. For more information about how service-linked roles work, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the _IAM User Guide_. If you enable Security Lake as the [delegated Security Lake administrator](./multi-account-management.html#delegated-admin-important), Security Lake creates the [service-linked role](./using-service-linked-roles.html) in each member account in the organization.
+  * When you enable Security Lake for the first time in any Region, it creates the following service-linked roles for your account:
+
+    * [AWSServiceRoleForSecurityLake](https://docs.aws.amazon.com/security-lake/latest/userguide/slr-permissions.html): This role includes the permissions to call other AWS services on your behalf and operate the security data lake. If you enable Security Lake as the [delegated Security Lake administrator](./multi-account-management.html#delegated-admin-important), Security Lake creates the [service-linked role](./using-service-linked-roles.html) in each member account in the organization.
+
+    * [AWSServiceRoleForSecurityLakeResourceManagement](https://docs.aws.amazon.com/security-lake/latest/userguide/slr-permissions.html): Security Lake uses this role to perform ongoing monitoring and performance improvements, which can potentially reduce latency and costs. This service-linked role trusts the `resource-management.securitylake.amazonaws.com` service to assume the role. Enabling this service role will also grant it access to Lake Formation. 
+
+For information about how this impacts the existing accounts that enabled Security Lake before April 17, 2025, see [Update for existing accounts](./multi-account-management.html#security-lake-existing-account-resource-management-slr).
+
+For information about how service-linked roles work, see [Using service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html) in the _IAM User Guide_.