Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

create a Security Lake

0

Hello I'm trying to launch a security lake but I faced this error: “ An error occurred. The ARN specified for the AmazonSecurityLakeMetaStoreManager IAM role isn't valid. Check the ARN.

Any helpful advice?

Thank in advanceScreenshot for error

Temas
Seguridad, identidad y cumplimiento
Etiquetas
Amazon Security Lake
Idioma
English
Abd
preguntada hace 7 meses244 visualizaciones
1 Respuesta
4

Hi,

According to your question, you got the error message related to AmazonSecurityLakeMetaStoreManager IAM role validation.

You can resolve the problem by creating IAM Role with same permission manually.

  1. Delete AmazonSecurityLakeMetaStoreManager IAM Role, which is created automatically in SecurityLake console.

  2. Create new IAM Role

  3. Choose "Custom Trust Policy" and write the policy below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambda",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  1. Skip "Add permissions" now (we will add it in step 6.)

  2. Name the policy - AmazonSecurityLakeMetaStoreManager and Create role

  3. Add permissions to the created Role(AmazonSecurityLakeMetaStoreManager) with Inline Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowWriteLambdaLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:{{accountId}}:log-group:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
      ]
    },
    {
      "Sid": "AllowCreateAwsCloudWatchLogGroup",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:{{accountId}}:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
      ]
    },
    {
      "Sid": "AllowGlueManage",
      "Effect": "Allow",
      "Action": [
        "glue:CreatePartition",
        "glue:BatchCreatePartition"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
        "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
        "arn:aws:glue:*:*:catalog"
      ]
    },
    {
      "Sid": "AllowToReadFromSqs",
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": [
        "arn:aws:sqs:*:{{accountId}}:SecurityLake*"
      ]
    }
  ]
}

Then, you can find that ARN changed arn:aws:iam::{{AccountID}}:role/service-role/AmazonSecurityLakeMetaStoreManager ->
arn:aws:iam::169306238242:role/AmazonSecurityLakeMetaStoreManager.

Now you can successfully create SecurityLake.

[+] Amazon Security Lake - Complete other Presiquites (AWS Documentation)(ENG)

If I have missed anything or answered wrong, please feel free to ask me again. Also you have any questions, comment please!

profile picture
Seongju_L
respondido hace 7 meses

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante