Amazon Security Lake API

The Amazon Security Lake API provides programmatic access to create and manage data lakes, data sources, subscribers, and log sources for centralizing and analyzing security data across your organization using the OCSF (Open Cybersecurity Schema Framework).

OpenAPI Specification

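# OpenAPI 3.1 description of the Amazon Security Lake control-plane API.
# `x-generated-from` below records that this file was derived from
# documentation, so check paths and schemas against the AWS API reference
# before building IAM policies, clients or detections on top of it.
openapi: 3.1.0
info:
  title: Amazon Security Lake API
  description: >-
    Amazon Security Lake is a service that automatically centralizes an organization's
    security data from cloud, on-premises, and custom sources into a purpose-built data
    lake stored in your own Amazon S3. It manages the data lifecycle and supports OCSF
    (Open Cybersecurity Schema Framework) for normalized security data analysis.
  # Quoted: an unquoted 2018-05-10 is resolved as a date by YAML 1.1 loaders,
  # while OpenAPI requires info.version to be a string.
  version: "2018-05-10"
  contact:
    name: Amazon Web Services
    url: https://aws.amazon.com/security-lake/
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
  x-generated-from: documentation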

# Regional endpoint template; `region` is substituted into the host name.
# The SigV4 credential scope includes a region, so requests have to be signed
# for the same region that is substituted here.
servers:
  - url: 'https://securitylake.{region}.amazonaws.com'
    variables:
      region:
        description: 'The AWS region.'
        default: 'us-east-1'

# Groupings used by documentation and code generators; each operation under
# `paths` references one of these names.
tags:
  - name: 'Data Lakes'
    description: 'Data lake creation and management'
  - name: 'Log Sources'
    description: 'AWS and custom log source management'
  - name: 'Subscribers'
    description: 'Subscriber management for data access'
  - name: 'Organization'
    description: 'Organization-level configuration'

paths:

  # Data lake collection. POST provisions a data lake; the GET operation that
  # follows under the same path lists existing ones.
  /v1/datalake:
    post:
      operationId: CreateDataLake
      summary: 'Amazon Security Lake Create Data Lake'
      tags:
        - Data Lakes
      description: >-
        Creates a Security Lake data lake in the specified regions.
        Security Lake begins ingesting security data after you create
        the data lake.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/CreateDataLakeRequest"
      responses:
        "200":
          description: 'Successful response.'
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/CreateDataLakeResponse"
              examples:
                CreateDataLake200Example:
                  summary: 'Default CreateDataLake 200 response'
                  x-microcks-default: true
                  # 123456789012 is a placeholder account ID.
                  value:
                    dataLakes:
                      - dataLakeArn: 'arn:aws:securitylake:us-east-1:123456789012:data-lake/default'
                        region: 'us-east-1'
                        status: 'INITIALIZED'
        "400":
          description: 'Bad request.'
        "500":
          description: 'Internal server error.'
      # Mock-server settings (Microcks extension), not part of the API contract.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK

    # Lists data lakes. Only the success response is described here, so a
    # client generated from this document gets no typed error for a rejected
    # signature or a missing permission and has to handle those itself.
    get:
      operationId: ListDataLakes
      summary: 'Amazon Security Lake List Data Lakes'
      tags:
        - Data Lakes
      description: 'Lists information about the data lakes in the current AWS account and Region.'
      parameters:
        # Array-valued query parameter; with OpenAPI's default serialization
        # it is sent as repeated `regions=` pairs.
        - name: regions
          in: query
          description: 'List of regions to include in the response.'
          schema:
            type: array
            items:
              type: string
      responses:
        "200":
          description: 'Successful response.'
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ListDataLakesResponse"
              examples:
                ListDataLakes200Example:
                  summary: 'Default ListDataLakes 200 response'
                  x-microcks-default: true
                  # 123456789012 is a placeholder account ID.
                  value:
                    dataLakes:
                      - dataLakeArn: 'arn:aws:securitylake:us-east-1:123456789012:data-lake/default'
                        region: 'us-east-1'
                        status: 'INITIALIZED'
      # Mock-server settings (Microcks extension), not part of the API contract.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK

  # Item path keyed by the data lake ARN. The ARN contains ':' and '/' (see
  # the example value below), so callers must percent-encode it when building
  # this path segment and sign the request path exactly as it is sent.
  /v1/datalake/{dataLakeArn}:
    put:
      operationId: UpdateDataLake
      summary: 'Amazon Security Lake Update Data Lake'
      tags:
        - Data Lakes
      description: 'Updates the configuration of a data lake.'
      parameters:
        - name: dataLakeArn
          in: path
          required: true
          description: 'The ARN of the data lake to update.'
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/UpdateDataLakeRequest"
      responses:
        "200":
          description: 'Successful response.'
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/DataLake"
              examples:
                UpdateDataLake200Example:
                  summary: 'Default UpdateDataLake 200 response'
                  x-microcks-default: true
                  # 123456789012 is a placeholder account ID.
                  value:
                    dataLakeArn: 'arn:aws:securitylake:us-east-1:123456789012:data-lake/default'
                    region: 'us-east-1'
                    status: 'INITIALIZED'
      # Mock-server settings (Microcks extension), not part of the API contract.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK

    # Removes the data lake configuration; the success response has no body.
    # NOTE(review): whether the data already collected in S3 is kept is not
    # stated here — confirm before relying on this for retention or clean-up.
    delete:
      operationId: DeleteDataLake
      summary: 'Amazon Security Lake Delete Data Lake'
      tags:
        - Data Lakes
      description: >-
        Deletes the Amazon Security Lake data lake configuration object
        for the specified account and Region.
      parameters:
        - name: dataLakeArn
          in: path
          required: true
          description: 'The ARN of the data lake to delete.'
          schema:
            type: string
      responses:
        "204":
          description: 'Successfully deleted.'
        "400":
          description: 'Bad request.'
      # Mock-server settings (Microcks extension), not part of the API contract.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK

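  # Snapshot of which accounts have Security Lake enabled and which sources
  # are collected. A read operation that is exposed as POST with a JSON body.
  /v1/datalake/sources:
    post:
      operationId: GetDataLakeSources
      summary: Amazon Security Lake Get Data Lake Sources
      description: >-
        Retrieves a snapshot of the current Region, including whether Amazon Security
        Lake is enabled for those accounts and which sources Security Lake is collecting
        data from.
      tags:
        - Log Sources
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                accounts:
                  type: array
                  items:
                    type: string
                  description: AWS account IDs to retrieve sources for.
                maxResults:
                  type: integer
                  # A page size below 1 is meaningless, so the schema rejects it.
                  minimum: 1
                  description: Maximum number of results to return.
                nextToken:
                  type: string
                  description: Pagination token.
      responses:
        '200':
          description: Successful response.
          content:
            application/json:
              schema:
                type: object
                properties:
                  dataLakeSources:
                    type: array
                    items:
                      $ref: '#/components/schemas/LogSource'
                  nextToken:
                    type: string
              examples:
                GetDataLakeSources200Example:
                  summary: Default GetDataLakeSources 200 response
                  x-microcks-default: true
                  # nextToken is left out of the example: the schema types it
                  # as a string, so a null value would not validate.
                  value:
                    dataLakeSources: []
      # Mock-server settings (Microcks extension), not part of the API contract.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK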

  # Enables collection from a natively supported AWS service.
  # NOTE(review): a 200 response can still carry entries in `failed`; callers
  # presumably need to inspect that array instead of trusting the status code
  # alone — confirm against the AWS API reference.
  /v1/logsources/aws:
    post:
      operationId: CreateAwsLogSource
      summary: 'Amazon Security Lake Create AWS Log Source'
      tags:
        - Log Sources
      description: 'Adds a natively supported Amazon Web Service as an Amazon Security Lake source.'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - sources
              properties:
                sources:
                  type: array
                  items:
                    # Each entry selects one source for a set of accounts and
                    # regions.
                    type: object
                    properties:
                      accounts:
                        type: array
                        items:
                          type: string
                      regions:
                        type: array
                        items:
                          type: string
                      sourceName:
                        type: string
                      sourceVersion:
                        type: string
      responses:
        "200":
          description: 'Successful response.'
          content:
            application/json:
              schema:
                type: object
                properties:
                  failed:
                    type: array
                    items:
                      type: object
              examples:
                CreateAwsLogSource200Example:
                  summary: 'Default CreateAwsLogSource 200 response'
                  x-microcks-default: true
                  value:
                    failed: []
      # Mock-server settings (Microcks extension), not part of the API contract.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK

  # Registers a third-party source that will write log data into the lake.
  # NOTE(review): `configuration` is an untyped object here, so validation
  # accepts anything; it presumably carries the provider identity and role
  # settings — confirm against the AWS API reference and tighten the schema.
  /v1/logsources/custom:
    post:
      operationId: CreateCustomLogSource
      summary: 'Amazon Security Lake Create Custom Log Source'
      tags:
        - Log Sources
      description: 'Adds a third-party custom source in Amazon Security Lake to store log data.'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - configuration
                - sourceName
              properties:
                configuration:
                  description: 'Configuration for the custom log source.'
                  type: object
                sourceName:
                  description: 'The name of the custom log source.'
                  type: string
                sourceVersion:
                  description: 'The version of the custom log source.'
                  type: string
      responses:
        "200":
          description: 'Successful response.'
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/LogSource"
              examples:
                CreateCustomLogSource200Example:
                  summary: 'Default CreateCustomLogSource 200 response'
                  x-microcks-default: true
                  value:
                    sourceName: 'my-custom-source'
                    # Quoted so the version stays a string, not the float 1.0.
                    sourceVersion: '1.0'
                    sourceStatus: 'ACTIVE'
      # Mock-server settings (Microcks extension), not part of the API contract.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK

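  # Paginated listing of the configured log sources.
  /v1/logsources:
    get:
      operationId: ListLogSources
      summary: Amazon Security Lake List Log Sources
      description: >-
        Retrieves the log sources in the current Amazon Web Services Region.
      tags:
        - Log Sources
      parameters:
        - name: maxResults
          in: query
          description: Maximum number of results to return.
          schema:
            type: integer
            # A page size below 1 is meaningless, so the schema rejects it.
            minimum: 1
        # Opaque cursor taken from a previous response.
        - name: nextToken
          in: query
          description: Pagination token.
          schema:
            type: string
      responses:
        '200':
          description: Successful response.
          content:
            application/json:
              schema:
                type: object
                properties:
                  sources:
                    type: array
                    items:
                      $ref: '#/components/schemas/LogSource'
                  nextToken:
                    type: string
              examples:
                ListLogSources200Example:
                  summary: Default ListLogSources 200 response
                  x-microcks-default: true
                  # nextToken is left out of the example: the schema types it
                  # as a string, so a null value would not validate.
                  value:
                    sources: []
      # Mock-server settings (Microcks extension), not part of the API contract.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK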

  # Subscriber collection. Creating a subscriber shares the lake's security
  # data with the identity named in CreateSubscriberRequest, so this call
  # belongs on the list of operations to restrict and to audit.
  /v1/subscribers:
    post:
      operationId: CreateSubscriber
      summary: 'Amazon Security Lake Create Subscriber'
      tags:
        - Subscribers
      description: 'Creates a subscriber for accounts that are already enabled in Amazon Security Lake.'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/CreateSubscriberRequest"
      responses:
        "200":
          description: 'Successful response.'
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Subscriber"
              examples:
                CreateSubscriber200Example:
                  summary: 'Default CreateSubscriber 200 response'
                  x-microcks-default: true
                  # 123456789012 is a placeholder account ID.
                  value:
                    subscriberId: 'sub-a1b2c3d4'
                    subscriberArn: 'arn:aws:securitylake:us-east-1:123456789012:subscriber/sub-a1b2c3d4'
                    subscriberName: 'MySubscriber'
                    subscriberStatus: 'ACTIVE'
      # Mock-server settings (Microcks extension), not part of the API contract.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK

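    # Paginated listing of subscribers, i.e. of every party that has been
    # given access to data in the lake.
    get:
      operationId: ListSubscribers
      summary: Amazon Security Lake List Subscribers
      description: >-
        Lists all subscribers for the specific Amazon Security Lake account ID.
      tags:
        - Subscribers
      parameters:
        - name: maxResults
          in: query
          description: Maximum number of results to return.
          schema:
            type: integer
            # A page size below 1 is meaningless, so the schema rejects it.
            minimum: 1
        # Opaque cursor taken from a previous response.
        - name: nextToken
          in: query
          description: Pagination token.
          schema:
            type: string
      responses:
        '200':
          description: Successful response.
          content:
            application/json:
              schema:
                type: object
                properties:
                  subscribers:
                    type: array
                    items:
                      $ref: '#/components/schemas/Subscriber'
                  nextToken:
                    type: string
              examples:
                ListSubscribers200Example:
                  summary: Default ListSubscribers 200 response
                  x-microcks-default: true
                  # nextToken is left out of the example: the schema types it
                  # as a string, so a null value would not validate.
                  value:
                    subscribers: []
      # Mock-server settings (Microcks extension), not part of the API contract.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK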

  # Item path for a single subscriber, addressed by its ID.
  /v1/subscribers/{subscriberId}:
    get:
      operationId: GetSubscriber
      summary: 'Amazon Security Lake Get Subscriber'
      tags:
        - Subscribers
      description: >-
        Gets information about a specific subscriber created in the
        current Amazon Web Services Region.
      parameters:
        - name: subscriberId
          in: path
          required: true
          description: 'The ID of the subscriber to retrieve.'
          schema:
            type: string
      responses:
        "200":
          description: 'Successful response.'
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Subscriber"
              examples:
                GetSubscriber200Example:
                  summary: 'Default GetSubscriber 200 response'
                  x-microcks-default: true
                  # 123456789012 is a placeholder account ID.
                  value:
                    subscriberId: 'sub-a1b2c3d4'
                    subscriberArn: 'arn:aws:securitylake:us-east-1:123456789012:subscriber/sub-a1b2c3d4'
                    subscriberName: 'MySubscriber'
                    subscriberStatus: 'ACTIVE'
      # Mock-server settings (Microcks extension), not part of the API contract.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK

    # Changes a subscriber's name or description. The body described here
    # carries only those two fields; neither is marked as required.
    put:
      operationId: UpdateSubscriber
      summary: 'Amazon Security Lake Update Subscriber'
      tags:
        - Subscribers
      description: >-
        Updates an existing subscriber for the specific Amazon Security
        Lake account ID and Region.
      parameters:
        - name: subscriberId
          in: path
          required: true
          description: 'The ID of the subscriber to update.'
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                subscriberDescription:
                  description: 'Updated description for the subscriber.'
                  type: string
                subscriberName:
                  description: 'Updated name for the subscriber.'
                  type: string
      responses:
        "200":
          description: 'Successful response.'
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Subscriber"
              examples:
                UpdateSubscriber200Example:
                  summary: 'Default UpdateSubscriber 200 response'
                  x-microcks-default: true
                  value:
                    subscriberId: 'sub-a1b2c3d4'
                    subscriberName: 'MyUpdatedSubscriber'
                    subscriberStatus: 'ACTIVE'
      # Mock-server settings (Microcks extension), not part of the API contract.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK

    # Removes a subscriber; the success response has no body.
    # NOTE(review): how quickly the subscriber's data access ends after this
    # call is not stated here — confirm before using it as a revocation step.
    delete:
      operationId: DeleteSubscriber
      summary: 'Amazon Security Lake Delete Subscriber'
      tags:
        - Subscribers
      description: 'Deletes the specified subscriber and removes them from Amazon Security Lake.'
      parameters:
        - name: subscriberId
          in: path
          required: true
          description: 'The ID of the subscriber to delete.'
          schema:
            type: string
      responses:
        "204":
          description: 'Successfully deleted.'
        "400":
          description: 'Bad request.'
      # Mock-server settings (Microcks extension), not part of the API contract.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK

components:
  schemas:
    # One data lake configuration as returned by the data lake operations.
    DataLake:
      description: 'Represents an Amazon Security Lake data lake configuration.'
      type: object
      properties:
        dataLakeArn:
          description: 'The ARN of the data lake.'
          type: string
          # 123456789012 is a placeholder account ID.
          example: 'arn:aws:securitylake:us-east-1:123456789012:data-lake/default'
        region:
          description: 'The AWS region where the data lake is configured.'
          type: string
          example: 'us-east-1'
        status:
          description: 'The current status of the data lake.'
          type: string
          enum:
            - INITIALIZED
            - PENDING
            - COMPLETED
            - FAILED
          example: 'INITIALIZED'
        # NOTE(review): what encryption applies when kmsKeyId is absent is not
        # stated here — confirm the default against AWS documentation.
        encryptionConfiguration:
          description: 'The encryption configuration for the data lake.'
          type: object
          properties:
            kmsKeyId:
              description: 'The KMS key ID for encryption.'
              type: string
        # expiration.days is presumably the retention period, which bounds how
        # far back an investigation can look — verify against AWS documentation.
        lifecycleConfiguration:
          description: 'The lifecycle configuration for the data lake.'
          type: object
          properties:
            expiration:
              type: object
              properties:
                days:
                  type: integer
            transitions:
              type: array
              items:
                type: object
        s3BucketArn:
          description: 'The ARN of the S3 bucket where security data is stored.'
          type: string
          example: 'arn:aws:s3:::aws-security-data-lake-us-east-1-abc123'

    # One log source, identified by name and version, with its status.
    LogSource:
      description: 'Represents a log source configured in Amazon Security Lake.'
      type: object
      properties:
        sourceName:
          description: 'The name of the log source.'
          type: string
          example: 'CLOUD_TRAIL_MGMT'
        sourceVersion:
          description: 'The version of the log source.'
          type: string
          # Quoted so the version stays a string instead of the float 2.0.
          example: '2.0'
        sourceStatus:
          description: 'The status of the log source.'
          type: string
          enum:
            - ACTIVE
            - DEACTIVATED
            - PENDING
          example: 'ACTIVE'

    # A party that has been given access to data in the lake. Reviewing these
    # records shows who can read the centralized security data and by which
    # access type.
    Subscriber:
      description: 'Represents a subscriber for Amazon Security Lake data.'
      type: object
      properties:
        subscriberId:
          description: 'The unique identifier for the subscriber.'
          type: string
          example: 'sub-a1b2c3d4'
        subscriberArn:
          description: 'The ARN of the subscriber.'
          type: string
          # 123456789012 is a placeholder account ID.
          example: 'arn:aws:securitylake:us-east-1:123456789012:subscriber/sub-a1b2c3d4'
        subscriberName:
          description: 'The name of the subscriber.'
          type: string
          example: 'MySIEMSubscriber'
        subscriberDescription:
          description: 'A description of the subscriber.'
          type: string
        subscriberStatus:
          description: 'The status of the subscriber.'
          type: string
          enum:
            - ACTIVE
            - DEACTIVATED
            - PENDING
            - READY
          example: 'ACTIVE'
        # The enum allows exactly two access types, LAKEFORMATION and S3.
        accessTypes:
          description: 'The access types granted to the subscriber.'
          type: array
          items:
            type: string
            enum:
              - LAKEFORMATION
              - S3
        resourceShareArn:
          description: 'The ARN of the resource share for AWS RAM-based access.'
          type: string
        createdAt:
          description: 'Timestamp when the subscriber was created.'
          type: string
          format: date-time
        updatedAt:
          description: 'Timestamp when the subscriber was last updated.'
          type: string
          format: date-time

    # Request body for CreateDataLake: one configuration entry per region.
    # NOTE(review): the encryption, lifecycle and replication members are
    # untyped objects here, so schema validation accepts any content in them,
    # including misspelled settings that would then be ignored or rejected by
    # the service — tighten them against the AWS API reference.
    CreateDataLakeRequest:
      type: object
      required:
        - configurations
      properties:
        configurations:
          description: 'Specifies the configurations to add to the data lake.'
          type: array
          items:
            type: object
            properties:
              encryptionConfiguration:
                type: object
              lifecycleConfiguration:
                type: object
              region:
                type: string
              replicationConfiguration:
                type: object
        # An IAM role ARN; what the role is allowed to do is not described in
        # this document.
        metaStoreManagerRoleArn:
          description: 'The ARN of the IAM role for the metadata store manager.'
          type: string

    # Response envelope for CreateDataLake: a list of DataLake objects.
    CreateDataLakeResponse:
      type: object
      properties:
        dataLakes:
          items:
            $ref: "#/components/schemas/DataLake"
          type: array

    # Response envelope for ListDataLakes: a list of DataLake objects.
    ListDataLakesResponse:
      type: object
      properties:
        dataLakes:
          items:
            $ref: "#/components/schemas/DataLake"
          type: array

    # Request body for UpdateDataLake.
    # NOTE(review): the items are untyped and nothing is marked required, so
    # schema validation accepts any object here, including an empty body.
    UpdateDataLakeRequest:
      type: object
      properties:
        configurations:
          items:
            type: object
          type: array

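    # Request body for CreateSubscriber. The identity named here is the party
    # that receives access to the lake's security data, so both of its members
    # are required and should be reviewed before the call is made.
    CreateSubscriberRequest:
      type: object
      required:
        - sources
        - subscriberIdentity
        - subscriberName
      properties:
        sources:
          type: array
          description: The supported AWS log sources and log types to subscribe to.
          items:
            type: object
        subscriberDescription:
          type: string
          description: A description of the subscriber.
        subscriberIdentity:
          type: object
          description: The identity of the subscriber for data access.
          # Without these two entries an identity object with no principal, or
          # with no external ID, would pass schema validation.
          required:
            - externalId
            - principal
          properties:
            # An external ID is the usual guard against the confused-deputy
            # problem in cross-account trust; treat it as a per-subscriber
            # value rather than a shared constant.
            externalId:
              type: string
              description: >-
                The external ID used to establish the trust relationship with
                the subscriber's AWS identity.
            principal:
              type: string
              description: The AWS identity principal that is granted access.
        subscriberName:
          type: string
          description: The name of the subscriber.
        # Each listed access type is an additional way for the subscriber to
        # reach the data; request only the ones that are needed.
        accessTypes:
          type: array
          items:
            type: string
            enum:
              - LAKEFORMATION
              - S3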

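  securitySchemes:
    # OpenAPI has no native scheme type for AWS Signature Version 4, so it is
    # modelled as an `apiKey` carried in the Authorization header. The header
    # is not a static key: it is a signature computed for each request from
    # IAM credentials, so no long-lived secret belongs in this document, in
    # example requests or in a mock configuration.
    AWSSignatureV4:
      type: apiKey
      in: header
      name: Authorization
      description: >-
        AWS Signature Version 4 authentication. The Authorization header
        carries a per-request signature derived from IAM credentials, not a
        static API key.
      # Vendor extension that SigV4-aware tooling uses to recognise the scheme.
      x-amazon-apigateway-authtype: awsSigv4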

# Document-wide default: every operation requires the AWSSignatureV4 scheme
# unless the operation declares its own `security` entry.
security:
  - {AWSSignatureV4: []}