Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

create a Security Lake

0

Hello I'm trying to launch a security lake but I faced this error: “ An error occurred. The ARN specified for the AmazonSecurityLakeMetaStoreManager IAM role isn't valid. Check the ARN.

Any helpful advice?

Thank in advanceScreenshot for error

Argomenti
Sicurezza, identità e conformità
Tag
Amazon Security Lake
Lingua
English
Abd
posta 7 mesi fa244 visualizzazioni
1 Risposta
4

Hi,

According to your question, you got the error message related to AmazonSecurityLakeMetaStoreManager IAM role validation.

You can resolve the problem by creating IAM Role with same permission manually.

  1. Delete AmazonSecurityLakeMetaStoreManager IAM Role, which is created automatically in SecurityLake console.

  2. Create new IAM Role

  3. Choose "Custom Trust Policy" and write the policy below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambda",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  1. Skip "Add permissions" now (we will add it in step 6.)

  2. Name the policy - AmazonSecurityLakeMetaStoreManager and Create role

  3. Add permissions to the created Role(AmazonSecurityLakeMetaStoreManager) with Inline Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowWriteLambdaLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:{{accountId}}:log-group:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
      ]
    },
    {
      "Sid": "AllowCreateAwsCloudWatchLogGroup",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:{{accountId}}:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
      ]
    },
    {
      "Sid": "AllowGlueManage",
      "Effect": "Allow",
      "Action": [
        "glue:CreatePartition",
        "glue:BatchCreatePartition"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
        "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
        "arn:aws:glue:*:*:catalog"
      ]
    },
    {
      "Sid": "AllowToReadFromSqs",
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": [
        "arn:aws:sqs:*:{{accountId}}:SecurityLake*"
      ]
    }
  ]
}

Then, you can find that ARN changed arn:aws:iam::{{AccountID}}:role/service-role/AmazonSecurityLakeMetaStoreManager ->
arn:aws:iam::169306238242:role/AmazonSecurityLakeMetaStoreManager.

Now you can successfully create SecurityLake.

[+] Amazon Security Lake - Complete other Presiquites (AWS Documentation)(ENG)

If I have missed anything or answered wrong, please feel free to ask me again. Also you have any questions, comment please!

profile picture
Seongju_L
con risposta 7 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente