create a Security Lake
Hello I'm trying to launch a security lake but I faced this error: “ An error occurred. The ARN specified for the AmazonSecurityLakeMetaStoreManager IAM role isn't valid. Check the ARN.
Any helpful advice?
Thank in advance
- 新しい順
- 投票が多い順
- コメントが多い順
Hi,
According to your question, you got the error message related to AmazonSecurityLakeMetaStoreManager IAM role validation.
You can resolve the problem by creating IAM Role with same permission manually.
-
Delete
AmazonSecurityLakeMetaStoreManagerIAM Role, which is created automatically in SecurityLake console. -
Create new IAM Role
-
Choose "Custom Trust Policy" and write the policy below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowLambda",
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
-
Skip "Add permissions" now (we will add it in step 6.)
-
Name the policy -
AmazonSecurityLakeMetaStoreManagerand Create role -
Add permissions to the created Role(
AmazonSecurityLakeMetaStoreManager) with Inline Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowWriteLambdaLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:{{accountId}}:log-group:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
]
},
{
"Sid": "AllowCreateAwsCloudWatchLogGroup",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup"
],
"Resource": [
"arn:aws:logs:*:{{accountId}}:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
]
},
{
"Sid": "AllowGlueManage",
"Effect": "Allow",
"Action": [
"glue:CreatePartition",
"glue:BatchCreatePartition"
],
"Resource": [
"arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
"arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
"arn:aws:glue:*:*:catalog"
]
},
{
"Sid": "AllowToReadFromSqs",
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes"
],
"Resource": [
"arn:aws:sqs:*:{{accountId}}:SecurityLake*"
]
}
]
}
Then, you can find that ARN changed arn:aws:iam::{{AccountID}}:role/service-role/AmazonSecurityLakeMetaStoreManager ->
arn:aws:iam::169306238242:role/AmazonSecurityLakeMetaStoreManager.
Now you can successfully create SecurityLake.
[+] Amazon Security Lake - Complete other Presiquites (AWS Documentation)(ENG)
If I have missed anything or answered wrong, please feel free to ask me again. Also you have any questions, comment please!
Have you created this role "AmazonSecurityLakeMetaStoreManager" before attempting to create the security lake? Please check the spelling of this role name, It has to exactly match.
the role should have the permission policy and trust policy (mentioned in the below link) to it.
https://docs.aws.amazon.com/security-lake/latest/userguide/getting-started.html#prerequisites