create a Security Lake

Question

Hello 
I'm trying to launch a security lake but I faced this error: “ An error occurred. The ARN specified for the AmazonSecurityLakeMetaStoreManager IAM role isn't valid. Check the ARN.

Any helpful advice?

Thank in advance![Screenshot for error](/media/postImages/original/IMC_6vXkknRwSqqXEibS-DJQ)

Answer

Hi,

According to your question, you got the error message related to `AmazonSecurityLakeMetaStoreManager` IAM role validation.

---

You can resolve the problem by creating IAM Role with same permission manually.

1. Delete `AmazonSecurityLakeMetaStoreManager` IAM Role, which is created automatically in SecurityLake console.

2. Create new IAM Role

3. Choose "Custom Trust Policy" and write the policy below:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambda",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

4. Skip "Add permissions" now (we will add it in step 6.)

5. Name the policy - `AmazonSecurityLakeMetaStoreManager` and Create role

6. Add permissions to the created Role(`AmazonSecurityLakeMetaStoreManager`) with Inline Policy:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowWriteLambdaLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:{{accountId}}:log-group:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
      ]
    },
    {
      "Sid": "AllowCreateAwsCloudWatchLogGroup",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:{{accountId}}:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
      ]
    },
    {
      "Sid": "AllowGlueManage",
      "Effect": "Allow",
      "Action": [
        "glue:CreatePartition",
        "glue:BatchCreatePartition"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
        "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
        "arn:aws:glue:*:*:catalog"
      ]
    },
    {
      "Sid": "AllowToReadFromSqs",
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": [
        "arn:aws:sqs:*:{{accountId}}:SecurityLake*"
      ]
    }
  ]
}
```

Then, you can find that ARN changed `arn:aws:iam::{{AccountID}}:role/service-role/AmazonSecurityLakeMetaStoreManager` ->  
`arn:aws:iam::169306238242:role/AmazonSecurityLakeMetaStoreManager`.

Now you can successfully create SecurityLake.

[+] [Amazon Security Lake - Complete other Presiquites](https://docs.aws.amazon.com/security-lake/latest/userguide/getting-started.html#prerequisites) (AWS Documentation)(ENG)

---
If I have missed anything or answered wrong, please feel free to ask me again. Also you have any questions, comment please!

create a Security Lake

相關內容