Amazon Security Lake (securitylake)

2023-06-01

5 new actions, 2 new resources | 20 updated actions | 8 removed actions

Additions

    Actions
  • CreateSubscriberNotification
    • Description:  Grants permission to create a webhook invocation to notify a client when there is new data in the data lake
    • Access:  Write
    • Resources:  subscriber (Required: Yes)
    • Dependents:
      events:CreateApiDestination
      events:CreateConnection
      events:DescribeRule
      events:ListApiDestinations
      events:ListConnections
      events:PutRule
      events:PutTargets
      iam:DeleteRolePolicy
      iam:GetRole
      iam:PassRole
      s3:GetBucketNotification
      s3:PutBucketNotification
      sqs:CreateQueue
      sqs:DeleteQueue
      sqs:GetQueueAttributes
      sqs:GetQueueUrl
      sqs:SetQueueAttributes

  • DeleteDataLake
    • Description:  Grants permission to delete security data lake
    • Access:  Write
    • Resources:  data-lake (Required: Yes)
    • Dependents:
      organizations:DescribeOrganization
      organizations:ListDelegatedAdministrators
      organizations:ListDelegatedServicesForAccount

  • DeregisterDataLakeDelegatedAdministrator
    • Description:  Grants permission to remove the Delegated Administrator account and disable Amazon Security Lake as a service for this organization
    • Access:  Write
    • Dependents:
      organizations:DeregisterDelegatedAdministrator
      organizations:DescribeOrganization
      organizations:ListDelegatedServicesForAccount

  • UpdateDataLake
    • Description:  Grants permission to update a security data lake
    • Access:  Write
    • Resources:  data-lake (Required: Yes)
    • Dependents:
      events:PutRule
      events:PutTargets
      iam:CreateServiceLinkedRole
      iam:DeleteRolePolicy
      iam:GetRole
      iam:PutRolePolicy
      kms:CreateGrant
      kms:DescribeKey
      lakeformation:GetDataLakeSettings
      lakeformation:PutDataLakeSettings
      lambda:CreateEventSourceMapping
      lambda:CreateFunction
      organizations:DescribeOrganization
      organizations:ListDelegatedServicesForAccount
      s3:CreateBucket
      s3:ListBucket
      s3:PutBucketPolicy
      s3:PutBucketPublicAccessBlock
      s3:PutBucketVersioning
      sqs:CreateQueue
      sqs:GetQueueAttributes
      sqs:SetQueueAttributes

  • UpdateDataLakeExceptionSubscription
    • Description:  Grants permission to update subscriptions to the SNS topics for exception notifications
    • Access:  Write

    Resources
  • data-lake
    • Arn:  arn:${Partition}:securitylake:${Region}:${Account}:data-lake/default
  • subscriber
    • Arn:  arn:${Partition}:securitylake:${Region}:${Account}:subscriber/${SubscriberId}

Updates

    Actions
  • GetDataLakeOrganizationConfiguration
      Description
    • Old: Grants permission to get information on the Security Data Lake
      New: Grants permission to get an organization’s configuration setting for automatically enabling Amazon Security Lake access for new organization accounts
      Resources
    • Old_value: []
      New_value: [{'name': 'data-lake', 'is_required': True}]
      Dependents
    • Old_value: []
      New_value: ['organizations:DescribeOrganization']

  • CreateDataLakeOrganizationConfiguration
      Description
    • Old: Grants permission to designate the Amazon Security Lake administrator account for the organization
      New: Grants permission to automatically enable Amazon Security Lake for new member accounts in your organization
      Resources
    • Old_value: []
      New_value: [{'name': 'data-lake', 'is_required': True}]
      Dependents
    • Old_value: ['iam:CreateServiceLinkedRole', 'organizations:DescribeOrganization', 'organizations:EnableAWSServiceAccess', 'organizations:ListDelegatedAdministrators', 'organizations:ListDelegatedServicesForAccount', 'organizations:RegisterDelegatedAdministrator']
      New_value: []

  • GetDataLakeExceptionSubscription
      Description
    • Old: Grants permission to remove a webhook invocation to notify a client when there is new data in the Data Lake
      New: Grants permission to query the protocol and endpoint that were provided when subscribing to SNS topics for exception notifications
      Access
    • Write  ⟶  Read
      Dependents
    • Old_value: ['events:DeleteApiDestination', 'events:DeleteConnection', 'events:DeleteRule', 'events:DescribeRule', 'events:ListApiDestinations', 'events:ListTargetsByRule', 'events:RemoveTargets', 'iam:DeleteRole', 'iam:DeleteRolePolicy', 'iam:GetRole', 'iam:ListRolePolicies', 'lakeformation:RevokePermissions', 'sqs:DeleteQueue', 'sqs:GetQueueUrl']
      New_value: []

  • GetDataLakeSources
      Description
    • Old: Grants permission to get an organization’s configuration setting for the automatic enabling of Amazon Security Lake access for new organization accounts
      New: Grants permission to get a static snapshot of the security data lake in the current region. The snapshot includes enabled accounts and log sources
      Resources
    • Old_value: []
      New_value: [{'name': 'data-lake', 'is_required': True}]
      Dependents
    • Old_value: ['organizations:DescribeOrganization']
      New_value: []

  • ListDataLakes
      Description
    • Old: Grants permission to get a static snapshot of the Security Data Lake in the current region, including enabled accounts and log sources
      New: Grants permission to list information about the security data lakes
      Access
    • Read  ⟶  List
  • DeleteDataLakeOrganizationConfiguration
      Description
    • Old: Grants permission to remove from the existing configuration the automatic enabling of Amazon Security Lake access for new organization accounts
      New: Grants permission to remove the automatic enablement of Amazon Security Lake access for new organization accounts
      Resources
    • Old_value: []
      New_value: [{'name': 'data-lake', 'is_required': True}]

  • DeleteSubscriberNotification
      Description
    • Old: Grants permission to unsubscribe from SNS topics for exception notifications. Also, removes the SNS exception notifications topic
      New: Grants permission to remove a webhook invocation to notify a client when there is new data in the data lake
      Resources
    • Old_value: []
      New_value: [{'name': 'subscriber', 'is_required': True}]
      Dependents
    • Old_value: []
      New_value: ['events:DeleteApiDestination', 'events:DeleteConnection', 'events:DeleteRule', 'events:DescribeRule', 'events:ListApiDestinations', 'events:ListTargetsByRule', 'events:RemoveTargets', 'iam:DeleteRole', 'iam:DeleteRolePolicy', 'iam:GetRole', 'iam:ListRolePolicies', 'lakeformation:RevokePermissions', 'sqs:DeleteQueue', 'sqs:GetQueueUrl']

  • RegisterDataLakeDelegatedAdministrator
      Description
    • Old: Grants permission to get the list of all non-retry-able failures
      New: Grants permission to designate an account as the Amazon Security Lake administrator account for the organization
      Access
    • List  ⟶  Write
      Dependents
    • Old_value: []
      New_value: ['iam:CreateServiceLinkedRole', 'organizations:DescribeOrganization', 'organizations:EnableAWSServiceAccess', 'organizations:ListDelegatedAdministrators', 'organizations:ListDelegatedServicesForAccount', 'organizations:RegisterDelegatedAdministrator']

  • ListDataLakeExceptions
      Description
    • Old: Grants permission to query the protocol and endpoint that were supplied when subscribing to the SNS topics for exception notifications
      New: Grants permission to get the list of all non-retryable failures
      Access
    • Read  ⟶  List
  • DeleteDataLakeExceptionSubscription
      Description
    • Old: Grants permission to delete all Security Data Lakes
      New: Grants permission to unsubscribe from SNS topics for exception notifications. Removes exception notifications for the SNS topic
      Dependents
    • Old_value: ['organizations:DescribeOrganization', 'organizations:ListDelegatedAdministrators', 'organizations:ListDelegatedServicesForAccount']
      New_value: []

  • CreateDataLakeExceptionSubscription
      Description
    • Old: Grants permission to add to the configuration for automatically enabling Amazon Security Lake access for new organization accounts
      New: Grants permission to get instant notifications about exceptions. Subscribes to the SNS topics for exception notifications
  • CreateDataLake
      Description
    • Old: Grants permission to create a new Security Data Lake
      New: Grants permission to create a new security data lake
      Resources
    • Old_value: []
      New_value: [{'name': 'data-lake', 'is_required': True}]

      Dependents
    • ['events:PutRule', 'events:PutTargets', 'iam:CreateServiceLinkedRole', 'iam:DeleteRolePolicy', 'iam:GetRole', 'iam:PassRole', 'iam:PutRolePolicy', 'kms:CreateGrant', 'kms:DescribeKey', 'lakeformation:GetDataLakeSettings', 'lakeformation:PutDataLakeSettings', 'lambda:CreateEventSourceMapping', 'lambda:CreateFunction', 'organizations:DescribeOrganization', 'organizations:ListDelegatedServicesForAccount', 's3:CreateBucket', 's3:ListBucket', 's3:PutBucketPolicy', 's3:PutBucketPublicAccessBlock', 's3:PutBucketVersioning', 'sqs:CreateQueue', 'sqs:GetQueueAttributes', 'sqs:SetQueueAttributes']  ⟶  ['events:PutRule', 'events:PutTargets', 'iam:CreateServiceLinkedRole', 'iam:DeleteRolePolicy', 'iam:GetRole', 'iam:PassRole', 'iam:PutRolePolicy', 'kms:CreateGrant', 'kms:DescribeKey', 'lakeformation:GetDataLakeSettings', 'lakeformation:PutDataLakeSettings', 'lambda:CreateEventSourceMapping', 'lambda:CreateFunction', 'organizations:DescribeOrganization', 'organizations:ListAccounts', 'organizations:ListDelegatedServicesForAccount', 's3:CreateBucket', 's3:ListBucket', 's3:PutBucketPolicy', 's3:PutBucketPublicAccessBlock', 's3:PutBucketVersioning', 'sqs:CreateQueue', 'sqs:GetQueueAttributes', 'sqs:SetQueueAttributes']
  • UpdateSubscriberNotification
      Description
    • Old: Grants permission to control the time-to-live (TTL) for the exception message to remain in service cache
      New: Grants permission to update a webhook invocation to notify a client when there is new data in the data lake
      Resources
    • Old_value: []
      New_value: [{'name': 'subscriber', 'is_required': True}]
      Dependents
    • Old_value: []
      New_value: ['events:CreateApiDestination', 'events:CreateConnection', 'events:DescribeRule', 'events:ListApiDestinations', 'events:ListConnections', 'events:PutRule', 'events:PutTargets', 'iam:CreateServiceLinkedRole', 'iam:DeleteRolePolicy', 'iam:GetRole', 'iam:PassRole', 'iam:PutRolePolicy', 's3:CreateBucket', 's3:GetBucketNotification', 's3:ListBucket', 's3:PutBucketNotification', 's3:PutBucketPolicy', 's3:PutBucketPublicAccessBlock', 's3:PutBucketVersioning', 's3:PutLifecycleConfiguration', 'sqs:CreateQueue', 'sqs:DeleteQueue', 'sqs:GetQueueAttributes', 'sqs:GetQueueUrl', 'sqs:SetQueueAttributes']

  • CreateAwsLogSource
      Resources
    • + data-lake
  • CreateCustomLogSource
      Resources
    • + data-lake
  • DeleteAwsLogSource
      Resources
    • + data-lake
  • DeleteCustomLogSource
      Resources
    • + data-lake
  • DeleteSubscriber
      Resources
    • + subscriber
  • GetSubscriber
      Resources
    • + subscriber
  • UpdateSubscriber
      Resources
    • + subscriber

Deletions

    Actions
  • CreateDatalakeExceptionsSubscription
    • Description:  Grants permission to get instant notifications about exceptions by subscribing to the SNS topics for exception notifications
    • Access:  Write
  • CreateSubscriptionNotificationConfiguration
    • Description:  Grants permission to create a webhook invocation to notify a client when there is new data in the Data Lake
    • Access:  Write
    • Dependents:
      events:CreateApiDestination
      events:CreateConnection
      events:DescribeRule
      events:ListApiDestinations
      events:ListConnections
      events:PutRule
      events:PutTargets
      iam:DeleteRolePolicy
      iam:GetRole
      iam:PassRole
      s3:GetBucketNotification
      s3:PutBucketNotification
      sqs:CreateQueue
      sqs:DeleteQueue
      sqs:GetQueueAttributes
      sqs:GetQueueUrl
      sqs:SetQueueAttributes

  • DeleteDatalakeDelegatedAdmin
    • Description:  Grants permission to remove the Delegated Administrator account and disable Amazon Security Lake as a service for this organization
    • Access:  Write
    • Dependents:
      organizations:DeregisterDelegatedAdministrator
      organizations:DescribeOrganization
      organizations:ListDelegatedServicesForAccount

  • GetDatalakeExceptionsExpiry
    • Description:  Grants permission to allow user to query what was set as the expiration period for the exception message
    • Access:  Read
  • GetSubscriptionNotificationConfiguration
    • Description:  Grants permission to get information for a webhook invocation to notify a client when there is new data in the Data Lake
    • Access:  Read
  • UpdateDatalake
    • Description:  Grants permission to update a Security Data Lake
    • Access:  Write
    • Dependents:
      events:PutRule
      events:PutTargets
      iam:CreateServiceLinkedRole
      iam:DeleteRolePolicy
      iam:GetRole
      iam:PutRolePolicy
      kms:CreateGrant
      kms:DescribeKey
      lakeformation:GetDataLakeSettings
      lakeformation:PutDataLakeSettings
      lambda:CreateEventSourceMapping
      lambda:CreateFunction
      organizations:DescribeOrganization
      organizations:ListDelegatedServicesForAccount
      s3:CreateBucket
      s3:ListBucket
      s3:PutBucketPolicy
      s3:PutBucketPublicAccessBlock
      s3:PutBucketVersioning
      sqs:CreateQueue
      sqs:GetQueueAttributes
      sqs:SetQueueAttributes

  • UpdateDatalakeExceptionsSubscription
    • Description:  Grants permission to update subscriptions to the SNS topics for exception notifications
    • Access:  Write
  • UpdateSubscriptionNotificationConfiguration
    • Description:  Grants permission to update a webhook invocation to notify a client when there is new data in the Data Lake
    • Access:  Write
    • Dependents:
      events:CreateApiDestination
      events:CreateConnection
      events:DescribeRule
      events:ListApiDestinations
      events:ListConnections
      events:PutRule
      events:PutTargets
      iam:CreateServiceLinkedRole
      iam:DeleteRolePolicy
      iam:GetRole
      iam:PassRole
      iam:PutRolePolicy
      s3:CreateBucket
      s3:GetBucketNotification
      s3:ListBucket
      s3:PutBucketNotification
      s3:PutBucketPolicy
      s3:PutBucketPublicAccessBlock
      s3:PutBucketVersioning
      s3:PutLifecycleConfiguration
      sqs:CreateQueue
      sqs:DeleteQueue
      sqs:GetQueueAttributes
      sqs:GetQueueUrl
      sqs:SetQueueAttributes