- 新しい順
- 投票が多い順
- コメントが多い順
Hi,
According to your question, you got the error message related to AmazonSecurityLakeMetaStoreManager
IAM role validation.
You can resolve the problem by creating IAM Role with same permission manually.
-
Delete
AmazonSecurityLakeMetaStoreManager
IAM Role, which is created automatically in SecurityLake console. -
Create new IAM Role
-
Choose "Custom Trust Policy" and write the policy below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowLambda",
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
-
Skip "Add permissions" now (we will add it in step 6.)
-
Name the policy -
AmazonSecurityLakeMetaStoreManager
and Create role -
Add permissions to the created Role(
AmazonSecurityLakeMetaStoreManager
) with Inline Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowWriteLambdaLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:{{accountId}}:log-group:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
]
},
{
"Sid": "AllowCreateAwsCloudWatchLogGroup",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup"
],
"Resource": [
"arn:aws:logs:*:{{accountId}}:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
]
},
{
"Sid": "AllowGlueManage",
"Effect": "Allow",
"Action": [
"glue:CreatePartition",
"glue:BatchCreatePartition"
],
"Resource": [
"arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
"arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
"arn:aws:glue:*:*:catalog"
]
},
{
"Sid": "AllowToReadFromSqs",
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes"
],
"Resource": [
"arn:aws:sqs:*:{{accountId}}:SecurityLake*"
]
}
]
}
Then, you can find that ARN changed arn:aws:iam::{{AccountID}}:role/service-role/AmazonSecurityLakeMetaStoreManager
->
arn:aws:iam::169306238242:role/AmazonSecurityLakeMetaStoreManager
.
Now you can successfully create SecurityLake.
[+] Amazon Security Lake - Complete other Presiquites (AWS Documentation)(ENG)
If I have missed anything or answered wrong, please feel free to ask me again. Also you have any questions, comment please!
Have you created this role "AmazonSecurityLakeMetaStoreManager" before attempting to create the security lake? Please check the spelling of this role name, It has to exactly match.
the role should have the permission policy and trust policy (mentioned in the below link) to it.
https://docs.aws.amazon.com/security-lake/latest/userguide/getting-started.html#prerequisites