wazuh / wazuh-indexer

Wazuh indexer, the Wazuh search engine
https://opensearch.org/docs/latest/opensearch/index/
Apache License 2.0

Amazon Security Lake integration - Check data is exploitable #222

Closed AlexRuiz7 closed 4 months ago

AlexRuiz7 commented 4 months ago

Description

Related issue: #128

To complete the Wazuh integration with Amazon Security Lake, we need the data sent to Amazon Security Lake to be exploitable, meaning the data is written properly and the integration works as expected.

https://aws.amazon.com/es/blogs/security/how-to-visualize-amazon-security-lake-findings-with-amazon-quicksight/


f-galland commented 4 months ago

Querying services

Data lakes should be queried by other AWS services such as:

But Athena seems to be the preferred way to do it.

Permissions:

With regards to permissions, Amazon suggests using the following roles:

The role that enables Security Lake (when done through the web UI) gets database view permissions automatically.

Permissions can be granted on table, database or views.

In order to be able to query Security Lake using Athena (which seems to be the preferred way to do it), query access should be granted following the guide below:

Query language:

Queries to Security Lake are performed using a SQL-like language:

f-galland commented 4 months ago

As far as I can gather, I need to create a database/table out of the content of the S3 bucket

I've struggled to create a database out of one of our sample SecurityLake S3 buckets. It seems I need to provide an output location, but I'm not sure where to find that field.


AlexRuiz7 commented 4 months ago

We now have the required permissions to query the database in Athena. We also ran the Crawler manually to populate the database table with the latest data in the custom source prefix of the Amazon Security Lake S3 bucket.



Therefore, we conclude the data written to the S3 bucket is in the right format, exploitable through SQL queries and/or subscriptions, and that our integration works as desired.
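One way to turn the "data is exploitable" conclusion above into a repeatable check, as an added example that is not part of this issue or of the wazuh-indexer project: it parses the result set that Athena returns for a query over the custom source table and verifies that rows exist, that the OCSF columns are populated, and that the newest event is recent. The database and table names are placeholders, the result set is a constructed sample, and the OCSF column names (`time` in epoch milliseconds, `class_uid`, `severity_id`, `metadata.product.name`) are assumptions about the table schema.

```python
# Added example, not code from the issue or from wazuh-indexer.
# Assumptions: the Athena table exposes OCSF columns `time` (epoch ms),
# `class_uid`, `severity_id` and `metadata.product.name`; the result set has the
# shape boto3's athena.get_query_results() returns (header row first, each cell a
# dict with VarCharValue, NULL cells empty). Database/table names are placeholders.

# Query a practitioner would run in Athena to sample the custom source table.
SAMPLE_QUERY = """
SELECT time, class_uid, severity_id, metadata.product.name AS product
FROM "security_lake_db_placeholder"."wazuh_custom_source_placeholder"
ORDER BY time DESC
LIMIT 100
"""

REQUIRED = ("time", "class_uid", "severity_id", "product")

# Constructed sample shaped like get_query_results()["ResultSet"] for SAMPLE_QUERY.
SAMPLE_RESULT_SET = {
    "Rows": [
        {"Data": [{"VarCharValue": "time"}, {"VarCharValue": "class_uid"},
                  {"VarCharValue": "severity_id"}, {"VarCharValue": "product"}]},
        {"Data": [{"VarCharValue": "1715115600000"}, {"VarCharValue": "2004"},
                  {"VarCharValue": "1"}, {"VarCharValue": "Wazuh"}]},
        {"Data": [{"VarCharValue": "1715112000000"}, {"VarCharValue": "2004"},
                  {"VarCharValue": "3"}, {"VarCharValue": "Wazuh"}]},
    ]
}

def rows_from_result_set(result_set):
    """Convert an Athena ResultSet into dicts; the first row carries column names."""
    cells = [[c.get("VarCharValue") for c in row["Data"]] for row in result_set["Rows"]]
    header, *body = cells
    return [dict(zip(header, row)) for row in body]

def check_exploitable(rows, now_ms, max_age_ms=86_400_000):
    """Return (ok, problems): data is usable when rows exist, the required
    OCSF columns are present and populated, and the newest event is under max_age_ms old."""
    if not rows:
        return False, ["query returned no rows"]
    problems = []
    missing = [c for c in REQUIRED if c not in rows[0]]
    if missing:
        problems.append(f"missing columns: {missing}")
    empty = [c for c in REQUIRED if c in rows[0] and any(r[c] in (None, "") for r in rows)]
    if empty:
        problems.append(f"NULL values in: {empty}")
    try:
        newest_ms = max(int(r["time"]) for r in rows)
    except (KeyError, TypeError, ValueError):
        problems.append("time is not an epoch-milliseconds integer")
    else:
        age_ms = now_ms - newest_ms
        if age_ms > max_age_ms:
            problems.append(f"newest event is {age_ms / 3_600_000:.1f} h old")
    return not problems, problems
```

When the query is submitted for real, Athena requires a `ResultConfiguration` with an `OutputLocation` S3 path for its result files, which is the output location field discussed earlier in the thread.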