Managing query access for Security Lake subscribers
Subscribers with query access can query data that Security Lake collects. These subscribers directly query AWS Lake Formation tables in your S3 bucket with services like Amazon Athena. Although the primary query engine for Security Lake is Athena you can also use other services, such as Amazon Redshift Spectrum and Spark SQL, that integrate with the AWS Glue Data Catalog.
Note
This section explains how to grant query access to a third-party subscriber. For information about running queries against your own data lake, see Step 4: View and query your own data.
Prerequisites for creating a subscriber with query access
You must complete the following prerequisites before you can create a subscriber with data access in Security Lake.
Topics
Verify permissions
Before creating a subscriber with query access, verify that you have permission to perform the following list of actions.
To verify your permissions, use IAM to review the IAM policies that are attached to your IAM identity. Then, compare the information in those policies to the following list of actions that you must be allowed to perform to create a subscriber with query access.
-
iam:CreateRole
-
iam:DeleteRolePolicy
-
iam:GetRole
-
iam:PutRolePolicy
-
lakeformation:GrantPermissions
-
lakeformation:ListPermissions
-
lakeformation:RegisterResource
-
lakeformation:RevokePermissions
-
ram:GetResourceShareAssociations
-
ram:GetResourceShares
-
ram:UpdateResourceShare
Important
After you have verified the permissions:
If you plan to use Security Lake console to add a subscriber with query access, you can skip the next step and proceed to Grant Lake Formation administrator permissions. Security Lake creates all the necessary IAM roles or uses existing roles on your behalf.
If you plan to use Security Lake API or CLI to add a subscriber with query access, continue with the next step to create an IAM role to query Security Lake data.
Create IAM role to query Security Lake data (API and AWS CLI-only step)
When using Security Lake API or AWS CLI to grant query access to a subscriber, you'll need to create a role named
AmazonSecurityLakeMetaStoreManager
. Security Lake uses this role to
register AWS Glue partitions and update AWS Glue tables. You may have already created
this role while Create necessary IAM
roles.
Grant Lake Formation administrator permissions
You'll also need to add Lake Formation administrator permissions to the IAM role that you use to access the Security Lake console and add subscribers.
You can grant Lake Formation administrator permissions to your role by following these steps:
Open the Lake Formation console at https://console.aws.amazon.com/lakeformation/
. -
Sign in as an administrative user.
-
If a Welcome to Lake Formation window appears, choose the user that you created or selected in Step 1, and then choose Get started.
-
If you don't see a Welcome to Lake Formation window, then perform the following steps to configure a Lake Formation Administrator.
-
In the navigation pane, under Permissions, choose Administrative roles and tasks. In the Data lake administrators section, choose Choose administrators.
-
In the Manage data lake administrators dialog box, for IAM users and roles, choose the administrator role used when accessing the Security Lake console, and then choose Save.
-
For more information about changing permissions for data lake administrators, see Create a data lake administrator in the AWS Lake Formation Developer Guide.
The IAM role must have SELECT
privileges on the database and tables
that you want to grant a subscriber access to. For instructions on how to do this,
see Granting
Data Catalog permissions using the named resource method in the
AWS Lake Formation Developer Guide.
Creating a subscriber with query access
Choose your preferred method to create a subscriber with query access in the current AWS Region. A subscriber can query data only from the AWS Region that it is created in. To create a subscriber, you'll need to have the AWS account ID and external ID of the subscriber. The external ID is a unique identifier that the subscriber provides to you. For more information about external IDs, see How to use an external ID when granting access to your AWS resources to a third party in the IAM User Guide.
Note
Security Lake does not support Lake Formation cross-account data sharing version 1. You must update Lake Formation cross-account data sharing to version 2 or version 3. For the steps to update Cross account version settings through the AWS Lake Formation console or the AWS CLI, see To enable the new version in the AWS Lake Formation Developer Guide.
Setting up cross-account table sharing (subscriber step)
Security Lake uses Lake Formation cross-account table sharing to support subscriber query access. When you create a subscriber with query access in the Security Lake console, API, or AWS CLI, Security Lake shares information about the relevant Lake Formation tables with the subscriber by creating a resource share in AWS Resource Access Manager (AWS RAM).
When you make certain types of edits to a subscriber with query access, Security Lake creates a new resource share. For more information, see Editing a subscriber with query access.
The subscriber should follow these steps to consume data from your Lake Formation tables:
-
Accept the resource share – The subscriber must accept the resource share that has the
resourceShareArn
andresourceShareName
that's generated when you create or edit the subscriber. Choose one of the following access methods:For console and AWS CLI, see Accepting a resource share invitation from AWS RAM.
-
For API, invoke the GetResourceShareInvitations API. Filter by
resourceShareArn
andresourceShareName
to find the correct resource share. Accept the invitation with the AcceptResourceShareInvitation API.
The resource share invitation expires in 12 hours, so you must validate and accept the invitation within 12 hours. If the invitation expires, you continue to see it in a
PENDING
state, but accepting it won't give you access to the shared resources. When more than 12 hours have passed, delete the Lake Formation subscriber and recreate the subscriber to get a new resource share invitation. -
Create a resource link to shared tables – The subscriber must create a resource link to the shared Lake Formation tables in either AWS Lake Formation (if using the console) or AWS Glue (if using API/AWS CLI). This resource link points the subscriber's account to the shared tables. Choose one of the following access methods:
-
For console and AWS CLI, see Creating a resource link to a shared Data Catalog table in the AWS Lake Formation Developer Guide.
-
For API, invoke the AWS Glue CreateTable API. We recommend that subscribers also create a unique database with the CreateDatabase API to store resource link tables.
-
-
Query the shared tables – Services like Amazon Athena can refer to the tables directly, and new data that Security Lake collects is automatically available to query. Queries run in the subscriber's AWS account, and costs incurred from queries are billed to the subscriber. You can control read access to resources in your own Security Lake account.
For more information about granting cross-account permissions, see Cross-account data sharing in Lake Formation in the AWS Lake Formation Developer Guide.
Editing a subscriber with query access
Security Lake supports making edits to a subscriber with query access. You can edit the subscriber's name, description, external ID, principal (AWS account ID), and the log sources that the subscriber is able to consume. Choose your preferred method, and follow the steps to edit a subscriber with query access in the current AWS Region.
Note
Security Lake does not support Lake Formation cross-account data sharing version 1. You must update Lake Formation cross-account data sharing to version 2 or version 3. For the steps to update Cross account version settings through the AWS Lake Formation console or the AWS CLI, see To enable the new version in the AWS Lake Formation Developer Guide.