AWS Security Data Lake


Hi all, can we send the AWS Security Hub events (from our account) to the Security Lake of a different organization's/vendor's account? It seems there is a direct link between Security Hub and the security data lake by region/account. I didn't find a way to send to the vendor's AWS security data lake. Can you please help clarify this?

Next question: I see that AWS Security Data Lake has been used to transform the Security Hub findings to OCSF format. So my question is, is it necessary to enable AWS Security Data Lake to get the AWS Config/AWS Inspector/other findings in OCSF format? Or is there any way/tool available so that I can pull the events from Security Hub and convert them to OCSF format?

Thanks, Kalpa

kalpa
asked 8 months ago · 294 views
1 Answer
  1. Cross-Account Data Sharing: You can share security telemetry across accounts using AWS Lake Formation. By configuring permissions appropriately, you can grant a consumer AWS account (Account B) access to the security telemetry of the producer account (Account A). You will use data lake permission filters to control access to the tables and need to ensure that the consumer account accepts the AWS Resource Access Manager invitation and creates resource links for the shared table.

  2. Using Athena for Queries: To access and query the shared data, the consumer account may use Amazon Athena. It's necessary to configure an S3 bucket to store query results from Athena. Once set up, you can perform queries on the shared tables using the Athena query editor.

  3. Enriching Security Lake Data: To enrich your data with AWS account metadata, you can create an Athena View. This view will join datasets and filter results to only return findings from the AWS Foundational Security Best Practices Standard, for example.

Regarding the conversion of AWS Security Hub findings to the Open Cybersecurity Schema Framework (OCSF) format:

  1. Amazon Security Lake Integration: Amazon Security Lake natively supports integration with multiple third-party providers and can handle data in OCSF format. Providers may offer source, subscriber, or service integrations with Security Lake, which can send data to or read data from Security Lake in OCSF schema.

To directly address your questions:

  • Sending AWS Security Hub Events to a Vendor's Security Data Lake: You can configure cross-account sharing using AWS Lake Formation and ensure that the vendor's account has the necessary permissions to access your Security Lake data. You'll need to set up data permissions and resource links for the vendor to access your data.

  • Converting to OCSF Format Without Security Data Lake: While Amazon Security Lake can receive and store data in OCSF format, if you're looking to convert AWS Security Hub findings to OCSF format without enabling Amazon Security Lake, you might need to look into third-party tools or services that offer such conversion. AWS documentation or vendor-specific integration guides might offer tools for this conversion.

ObiJan
answered 6 months ago
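As an added example (not part of the question or of ObiJan's answer), the following script shows what the second bullet of the answer leaves open: pulling ASFF findings out of Security Hub yourself and reshaping them into OCSF without enabling Security Lake. The field mapping, the constants and the `asff_to_ocsf` / `missing_required_fields` helpers are this example's own choices, not AWS's or Security Lake's official ASFF-to-OCSF mapping, and the OCSF enum values used should be checked against the OCSF version your consumer expects. In practice the findings would come from boto3's `securityhub.get_findings()`; here a constructed sample finding is embedded so the script runs offline.

```python
"""Convert an AWS Security Hub finding (ASFF) into an OCSF-style Security Finding.

Added example, not code from the original post. The mapping below is
illustrative and chosen by the example's author; it is not AWS's or Security
Lake's official mapping. Real findings would be fetched with boto3's
securityhub.get_findings(); a constructed sample is used so this runs offline.
"""
import json
from datetime import datetime, timezone

OCSF_VERSION = "1.0.0"
CATEGORY_UID_FINDINGS = 2          # OCSF category "Findings"
CLASS_UID_SECURITY_FINDING = 2001  # OCSF class "Security Finding"

# ASFF Severity.Label -> OCSF severity_id (0 = Unknown when the label is unrecognised)
SEVERITY_MAP = {"INFORMATIONAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# ASFF Workflow.Status -> OCSF Security Finding state_id (0 = Unknown)
STATE_MAP = {"NEW": 1, "NOTIFIED": 2, "SUPPRESSED": 3, "RESOLVED": 4}

# Mandatory OCSF event fields, used by the sanity check at the end.
REQUIRED_FIELDS = ("category_uid", "class_uid", "activity_id", "severity_id", "time", "metadata")


def asff_time_to_epoch_ms(ts: str) -> int:
    """ASFF timestamps are ISO 8601 in UTC ('...Z'); OCSF wants epoch milliseconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            dt = datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
            return int(dt.timestamp() * 1000)
        except ValueError:
            continue
    raise ValueError(f"unrecognised ASFF timestamp: {ts!r}")


def asff_to_ocsf(finding: dict) -> dict:
    """Map one ASFF finding dict to an OCSF Security Finding dict (illustrative mapping)."""
    severity_label = finding.get("Severity", {}).get("Label", "").upper()
    workflow_status = finding.get("Workflow", {}).get("Status", "").upper()
    return {
        "category_uid": CATEGORY_UID_FINDINGS,
        "class_uid": CLASS_UID_SECURITY_FINDING,
        # Security Finding activity: 1 = Generate (new finding), 2 = Update
        "activity_id": 1 if workflow_status == "NEW" else 2,
        "severity_id": SEVERITY_MAP.get(severity_label, 0),
        "state_id": STATE_MAP.get(workflow_status, 0),
        "time": asff_time_to_epoch_ms(finding["UpdatedAt"]),
        "message": finding.get("Title", ""),
        "metadata": {
            "version": OCSF_VERSION,
            "product": {"name": "Security Hub", "vendor_name": "AWS"},
            "original_time": finding["UpdatedAt"],
        },
        "cloud": {
            "provider": "AWS",
            "account": {"uid": finding.get("AwsAccountId")},
            "region": finding.get("Region"),
        },
        "finding": {
            "uid": finding["Id"],
            "title": finding.get("Title"),
            "desc": finding.get("Description"),
            "created_time": asff_time_to_epoch_ms(finding["CreatedAt"]),
            "types": finding.get("Types", []),
            "product_uid": finding.get("ProductArn"),
        },
        "resources": [
            {"type": r.get("Type"), "uid": r.get("Id"), "region": r.get("Region")}
            for r in finding.get("Resources", [])
        ],
        # Attributes the mapping does not cover are kept, not dropped, so a
        # consumer can still recover the raw ASFF details.
        "unmapped": {"compliance": finding.get("Compliance", {}),
                     "generator_id": finding.get("GeneratorId")},
    }


def missing_required_fields(record: dict) -> list:
    """Return the mandatory OCSF fields absent from a converted record."""
    return [f for f in REQUIRED_FIELDS if f not in record]


# Constructed sample ASFF finding (fictitious values; 123456789012 is the
# placeholder account id AWS documentation uses).
SAMPLE_FINDING = {
    "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/example-standard/v/1.0.0/S3.1/finding/EXAMPLE-FINDING-ID",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
    "GeneratorId": "example-standard/v/1.0.0/S3.1",
    "AwsAccountId": "123456789012",
    "Region": "us-east-1",
    "Types": ["Software and Configuration Checks/Industry and Regulatory Standards"],
    "CreatedAt": "2024-01-10T08:00:00.000Z",
    "UpdatedAt": "2024-01-15T10:30:00.000Z",
    "Severity": {"Label": "HIGH"},
    "Title": "S3 Block Public Access setting should be enabled",
    "Description": "Constructed sample finding for the conversion example.",
    "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:123456789012", "Region": "us-east-1"}],
    "Compliance": {"Status": "FAILED"},
    "Workflow": {"Status": "NEW"},
}

if __name__ == "__main__":
    ocsf_record = asff_to_ocsf(SAMPLE_FINDING)
    assert not missing_required_fields(ocsf_record)
    # One JSON object per line is the usual shape for loading into a lake or SIEM.
    print(json.dumps(ocsf_record))
```

The `unmapped` block is the design point worth keeping whatever mapping you settle on: a converter that silently drops ASFF attributes it has no OCSF home for loses the compliance status and generator id that a downstream analyst needs, so carry them through and let the consumer decide.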
