

# Amazon Detective Integration with Amazon Security Lake

Amazon Security Lake is a fully managed security data lake service. You can use Security Lake to automatically centralize security data from AWS environments, SaaS providers, on-premises sources, cloud sources, and third-party sources into a purpose-built data lake that's stored in your AWS account. Security Lake helps you analyze security data, so you can get a more complete understanding of your security posture across your entire organization. With Security Lake, you can also improve the protection of your workloads, applications, and data.

Amazon Detective integrates with Amazon Security Lake, which means that you can query and retrieve the raw log data stored by Security Lake. 

Using this integration, you can collect logs and events from the following sources, which Security Lake natively supports. Detective supports up to source version 2 (OCSF 1.1.0).
+ AWS CloudTrail management events version 1.0 and after
+ Amazon Virtual Private Cloud (Amazon VPC) Flow Logs version 1.0 and after
+ Amazon Elastic Kubernetes Service (Amazon EKS) Audit Log version 2.0. To use Amazon EKS audit logs as a source, you must add `ram:ListResources` to the IAM permissions. For more details, see [Add the required IAM permissions to your account](https://docs.aws.amazon.com//detective/latest/userguide/securitylake-integration.html#iam-permissions).

For details on how Security Lake automatically converts logs and events from natively supported AWS services to the OCSF schema, see the [Amazon Security Lake User Guide](https://docs.aws.amazon.com//security-lake/latest/userguide/open-cybersecurity-schema-framework.html).

After you integrate Detective with Security Lake, Detective begins pulling raw logs from Security Lake related to AWS CloudTrail management events and Amazon VPC Flow Logs. For more details, see [Querying raw logs](https://docs.aws.amazon.com//detective/latest/userguide/profile-panel-drilldown-overall-api-volume.html#drilldown-api-volume-time-range).

# Enabling Detective integration with Security Lake

To integrate Detective with Security Lake, you must complete the following steps.

1. [Before you begin](https://docs.aws.amazon.com//detective/latest/userguide/securitylake-integration.html#Prerequisites)

   Use an Organizations management account to designate a delegated Security Lake administrator for your organization. Make sure that Security Lake is enabled and verify that Security Lake is collecting logs and events from AWS CloudTrail management events and Amazon Virtual Private Cloud (Amazon VPC) Flow Logs. 

   In alignment with the Security Reference Architecture, Detective recommends using a Log Archive account for the Security Lake deployment rather than a Security Tooling account.

1. [Creating a Security Lake subscriber](https://docs.aws.amazon.com//detective/latest/userguide/securitylake-integration.html#securitylake-subscriber)

   To consume logs and events from Amazon Security Lake, you must be a Security Lake subscriber. Follow these steps to grant query access to a Detective account administrator.

1. Adding the required AWS Identity and Access Management (IAM) permissions to your IAM identity.
   + To create the Detective integration with Security Lake, add these permissions:
     + Attach the required IAM permissions to your IAM identity. For details, see the [Add the required IAM permissions to your account](https://docs.aws.amazon.com//detective/latest/userguide/securitylake-integration.html#iam-permissions) section.
     + Add the IAM policy to the IAM principal that you plan to use to pass the CloudFormation service role. For more details, see the [Add permissions to your IAM principal](https://docs.aws.amazon.com//detective/latest/userguide/securitylake-integration.html#cloud-formation-template) section.
   + If you have already integrated Detective with Security Lake, attach the required IAM permissions to your IAM identity to use the integration. For details, see the [Add the required IAM permissions to your account](https://docs.aws.amazon.com//detective/latest/userguide/securitylake-integration.html#iam-permissions) section.

1. [Accepting the Resource Share ARN invitation and enabling the integration](https://docs.aws.amazon.com//detective/latest/userguide/securitylake-integration.html#resource-share-arn)

Use the AWS CloudFormation template to set up the parameters required to create and manage query access for Security Lake subscribers. For the detailed steps to create a stack, see [Create a stack using the AWS CloudFormation template](https://docs.aws.amazon.com//detective/latest/userguide/securitylake-integration.html#cloud-formation-template). After you finish creating the stack, enable the integration.

For a demonstration of how to integrate Amazon Detective with Amazon Security Lake using the Detective console, watch the following video: 

[AWS Videos](https://www.youtube.com/watch?v=73ZurSZCZwA)


# Before you begin integrating Detective with Security Lake

This topic describes the preliminary steps such as delegating a Security Lake administrator for your organization, enabling Security Lake for your Detective administrator account, and verifying that Security Lake is collecting logs and events.

Security Lake integrates with AWS Organizations to manage log collection across multiple accounts in an organization. To use Security Lake for an organization, your AWS Organizations management account must first designate a delegated Security Lake administrator for your organization. The delegated Security Lake administrator must then enable Security Lake, and enable log and event collection for member accounts in the organization.

Before you integrate Security Lake with Detective, make sure that Security Lake is enabled for the Detective administrator account. You must first configure your data lake settings and set up log collection by enabling Security Lake using the Security Lake console. For the detailed steps on how to enable Security Lake, see [Getting Started](https://docs.aws.amazon.com//security-lake/latest/userguide/getting-started.html) in the Amazon Security Lake User Guide.

Also, verify that Security Lake is collecting logs and events from AWS CloudTrail management events and Amazon Virtual Private Cloud (Amazon VPC) Flow Logs. For more details about log collection in Security Lake, see [Collecting data from AWS services](https://docs.aws.amazon.com//security-lake/latest/userguide/internal-sources.html#cloudtrail-event-logs) in the Amazon Security Lake User Guide.

# Step 1: Creating a Security Lake subscriber in Detective


This topic explains how to use the Detective console to create a Security Lake subscriber.

To consume logs and events from Amazon Security Lake, you must be a Security Lake subscriber. A subscriber can query and access the data that Security Lake collects. A subscriber with query access can query AWS Lake Formation tables directly in an Amazon Simple Storage Service (Amazon S3) bucket by using services such as Amazon Athena. To become a subscriber, the Security Lake administrator has to provide you with subscriber access that lets you query the data lake. For information about how the administrator does this, see [Creating a subscriber with query access](https://docs.aws.amazon.com//security-lake/latest/userguide/subscriber-query-access.html#create-query-subscriber-procedures) in the Amazon Security Lake User Guide.

Follow these steps to create a Security Lake subscriber in order to grant query access to a Detective administrator account. 

**To create a Detective subscriber in Security Lake**

1. Open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Integrations**.

1. In the Security Lake subscriber pane, note the **Account ID** and **External ID** values. 

   Ask the Security Lake administrator to use these IDs to:
   + Create a Detective subscriber for you in Security Lake.
   + Configure the subscriber to have query access.
   + Select **Lake Formation** as the **Data Access Method** in the Security Lake console, so that the Security Lake query subscriber is created with Lake Formation permissions.

   When the Security Lake administrator creates a subscriber for you, Security Lake generates an Amazon Resource Share ARN for you. Ask the administrator to send this ARN to you. 

1. After you receive the Resource Share ARN from the Security Lake administrator, enter it in the **Resource Share ARN** box in the **Security Lake subscriber** pane.

# Step 2: Adding the required IAM permissions to your account in Detective

This topic explains the details of the AWS Identity and Access Management (IAM) permissions policy that you must add to your IAM identity.

To enable Detective integration with Security Lake, you must attach the following AWS Identity and Access Management (IAM) permissions policy to your IAM identity. 

Attach the following inline policy to your IAM identity. Replace `amzn-s3-demo-bucket` with the name of your own Amazon S3 bucket if you want to use your own bucket to store the Athena query results. If you want Detective to automatically generate an Amazon S3 bucket to store the Athena query results, remove the entire `S3ObjectPermissions` statement from the IAM policy.

If you do not have the required permissions to attach this policy to your IAM identity, contact your AWS administrator. If you have the required permissions but an issue occurs, see [Troubleshoot access denied error messages](https://docs.aws.amazon.com//IAM/latest/UserGuide/troubleshoot_access-denied.html) in the IAM User Guide. 

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3ObjectPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabases",
                "glue:GetPartitions",
                "glue:GetTable",
                "glue:GetTables"
            ],
            "Resource": [
                "arn:aws:glue:*:123456789012:database/amazon_security_lake*",
                "arn:aws:glue:*:123456789012:table/amazon_security_lake*/amazon_security_lake*",
                "arn:aws:glue:*:123456789012:catalog"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:BatchGetQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:GetQueryRuntimeStatistics",
                "athena:GetWorkGroup",
                "athena:ListQueryExecutions",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution",
                "lakeformation:GetDataAccess",
                "ram:ListResources"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath"
            ],
            "Resource": [
                "arn:aws:ssm:*:123456789012:parameter/Detective/SLI"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetTemplateSummary",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:ListDelegatedAdministrators"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "organizations:ServicePrincipal": [
                        "securitylake.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

# Step 3: Accepting the Resource Share ARN invitation

This topic explains the steps to accept the Resource Share ARN invitation using an AWS CloudFormation template, which is a required step before you enable Detective integration with Security Lake.

To access raw data logs from Security Lake, you must accept a Resource Share invitation from the Security Lake account that was created by the Security Lake administrator. You also need AWS Lake Formation permissions to set up cross-account table sharing. In addition, you must create an Amazon Simple Storage Service (Amazon S3) bucket that can receive raw query logs.

In this next step, you’ll use an AWS CloudFormation template to create a stack that accepts the Resource Share ARN invitation, creates the required AWS Glue crawler resources, and grants AWS Lake Formation administrator permissions.

**To accept the Resource Share ARN invitation and enable the integration**

1. Create a new CloudFormation stack using the CloudFormation template. For more details, see [Creating a stack using the CloudFormation template](#cloud-formation-template). 

1. After you finish creating the stack, choose **Enable integration** to enable Detective integration with Security Lake.

## Creating a stack using the CloudFormation template


Detective provides a CloudFormation template that you can use to set up the parameters required to create and manage query access for Security Lake subscribers.

**Step 1: Create an AWS CloudFormation service role**

You must create a CloudFormation service role to create a stack using the CloudFormation template. If you do not have the required permissions to create a service role, contact the administrator of the Detective administrator account. For more information about the AWS CloudFormation service role, see [AWS CloudFormation service role](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html).

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the IAM console, choose **Roles**, and then choose **Create role**.

1. For **Select trusted entity**, choose **AWS service**. 

1. Choose **CloudFormation**. Then, choose **Next**.

1. Enter a name for the role. For example, `CFN-DetectiveSecurityLakeIntegration`.

1. Attach the following inline policy to the role. Replace `111122223333` with your AWS account ID.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudFormationPermission",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateChangeSet"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:aws:transform/*"
            ]
        },
        {
            "Sid": "IamPermissions",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:PassRole",
                "iam:GetRole",
                "iam:GetRolePolicy"
            ],
            "Resource": [
                 "arn:aws:iam::111122223333:role/*-ResourceShareAcceptorLamb-*",
                 "arn:aws:iam::111122223333:role/*-SsmParametersLambdaRole-*",
                 "arn:aws:iam::111122223333:role/*-GlueDatabaseLambdaRole-*",
                 "arn:aws:iam::111122223333:role/*-GlueTablesLambdaRole-*",
                 "arn:aws:iam::111122223333:policy/*"
            ]
        },
        {
            "Sid": "S3Permissions",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket*",
                "s3:PutBucket*",
                "s3:GetBucket*",
                "s3:GetObject",
                "s3:PutEncryptionConfiguration",
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "LambdaPermissions",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:TagResource",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:111122223333:function:*"
            ]
        },
        {
            "Sid": "CloudwatchPermissions",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups"
            ],
            "Resource": "arn:aws:logs:*:111122223333:log-group:*"
        },
        {
            "Sid": "KmsPermission",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:*:111122223333:key/*"
        }
    ]
}
```

**Step 2: Adding permissions to your IAM principal**

You’ll need the following permissions to create a stack using the CloudFormation service role that you created in the preceding step. Add the following IAM policy to the IAM principal that you plan to use to pass the CloudFormation service role. You will assume this IAM principal to create the stack. If you do not have the required permissions to add the IAM policy, contact the administrator of the Detective administrator account.

**Note**  
In the following policy, `CFN-DetectiveSecurityLakeIntegration` refers to the role that you created in the preceding `Step 1: Create an AWS CloudFormation service role` step. Change it to the role name that you entered in that step if it’s different.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PassRole",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::111122223333:role/CFN-DetectiveSecurityLakeIntegration"
        },
        {
            "Sid": "RestrictCloudFormationAccess",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack"
            ],
            "Resource": "arn:aws:cloudformation:*:111122223333:stack/*",
            "Condition": {
                "StringEquals": {
                    "cloudformation:RoleArn": [
                        "arn:aws:iam::111122223333:role/CFN-DetectiveSecurityLakeIntegration"
                    ]
                }
            }
        },
        {
            "Sid": "CloudformationDescribeStack",
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:GetStackPolicy"
            ],
            "Resource": "arn:aws:cloudformation:*:111122223333:stack/*"
        },
        {
            "Sid": "CloudformationListStacks",
            "Effect": "Allow",
            "Action": [
                "cloudformation:ListStacks"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchPermissions",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents"
            ],
            "Resource": "arn:aws:logs:*:111122223333:log-group:*"
        }
    ]
}
```

**Step 3: Specifying custom values in the CloudFormation console**

1. Go to the AWS CloudFormation console from Detective.

1. (Optional) Enter a **Stack name**. The stack name is auto-filled. You can change the stack name to a name that does not conflict with existing stack names.

1. Enter the following **Parameters**.
   + **AthenaResultsBucket** – If you don't enter values, this template generates an Amazon S3 bucket. If you want to use your own bucket, enter a bucket name to store the Athena query results. If you use your own bucket, make sure that the bucket is in the same Region as the Resource Share ARN. If you use your own bucket, make sure the `LakeFormationPrincipals` you choose have permissions to write objects to and read objects from the bucket. For more details about bucket permissions, see [Query results and recent queries](https://docs.aws.amazon.com/athena/latest/ug/querying.html) in the Amazon Athena User Guide.
   + **DTRegion** – This field is pre-filled. Do not change the values in this field.
   + **LakeFormationPrincipals** – Enter the ARN of the IAM principals (for example, IAM role ARN) that you want to grant access to use the Security Lake integration, separated by commas. These could be your security analysts and security engineers that use Detective. 

     You can only use the IAM principals to which you previously attached the IAM permissions in `Step 2: Adding the required IAM permissions to your account`.
   + **ResourceShareARN** – This field is pre-filled. Do not change the values in this field. 

1. **Permissions**

   **IAM role** – Select the role that you created in the `Creating an AWS CloudFormation Service Role` step. Optionally, you can keep it blank if your current IAM role has all the required permissions in the `Creating an AWS CloudFormation Service Role` step.

1. Review and check all the **I Acknowledge** boxes and then click the **Create stack** button. For more details, review the following IAM resources that will be created.

```
* ResourceShareAcceptorCustomResourceFunction
    - ResourceShareAcceptorLambdaRole
    - ResourceShareAcceptorLogsAccessPolicy
* SsmParametersCustomResourceFunction
    - SsmParametersLambdaRole
    - SsmParametersLogsAccessPolicy
* GlueDatabaseCustomResourceFunction
    - GlueDatabaseLambdaRole
    - GlueDatabaseLogsAccessPolicy
* GlueTablesCustomResourceFunction
    - GlueTablesLambdaRole
    - GlueTablesLogsAccessPolicy
```

**Step 4: Adding an Amazon S3 bucket policy to IAM principals in `LakeFormationPrincipals`**

(Optional) If you let this template generate an `AthenaResultsBucket` for you, you must attach the following policy to the IAM principals in `LakeFormationPrincipals`.

```json
{
  "Sid": "S3ObjectPermissions",
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:PutObject"
  ],
  "Resource": [
    "arn:aws:s3:::<athena-results-bucket>",
    "arn:aws:s3:::<athena-results-bucket>/*"
  ]
}
```

Replace `<athena-results-bucket>` with the `AthenaResultsBucket` name. You can find the `AthenaResultsBucket` name on the AWS CloudFormation console:

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. Click on your Stack.

1. Click the **Resources** tab.

1. Search for the logical ID `AthenaResultsBucket` and copy its physical ID. 
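The following Python helper is an added example, not code from the AWS documentation or the Detective service. It takes the identity policy from `Step 2: Adding the required IAM permissions` above, swaps the documented placeholders (account ID `123456789012`, bucket `amzn-s3-demo-bucket`) for real values, drops `S3ObjectPermissions` when Detective is to generate the results bucket, lints the result before it is attached, and builds the Step 4 `S3ObjectPermissions` statement for the `LakeFormationPrincipals`. The function names and lint rules are this example's own assumptions.

```python
"""Prepare and lint the Detective/Security Lake IAM identity policy.

Added example, not code from the AWS documentation. It renders the documented
identity policy with real values and checks that the result is still scoped
the way the documentation scopes it. Function and rule names are this example's own.
"""
import json
import re

DOC_ACCOUNT_ID = "123456789012"      # placeholder account in the documented policy
DOC_BUCKET = "amzn-s3-demo-bucket"   # placeholder bucket in the documented policy
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
SL_PRINCIPAL = "securitylake.amazonaws.com"

# Condensed copy of the documented policy (constructed for this example; only
# the statements the lint rules below inspect are kept).
DOC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        {"Sid": "S3ObjectPermissions", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{DOC_BUCKET}",
                      f"arn:aws:s3:::{DOC_BUCKET}/*"]},
        {"Effect": "Allow",
         "Action": ["glue:GetDatabases", "glue:GetPartitions",
                    "glue:GetTable", "glue:GetTables"],
         "Resource": [
             f"arn:aws:glue:*:{DOC_ACCOUNT_ID}:database/amazon_security_lake*",
             f"arn:aws:glue:*:{DOC_ACCOUNT_ID}:table/amazon_security_lake*/amazon_security_lake*",
             f"arn:aws:glue:*:{DOC_ACCOUNT_ID}:catalog"]},
        {"Effect": "Allow",
         "Action": ["organizations:ListDelegatedAdministrators"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "organizations:ServicePrincipal": [SL_PRINCIPAL]}}},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def render_policy(account_id, athena_bucket=None):
    """Return the documented policy with placeholders replaced.

    athena_bucket=None means Detective will create the results bucket, so the
    S3ObjectPermissions statement is removed as the documentation instructs.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    policy = json.loads(json.dumps(DOC_POLICY).replace(DOC_ACCOUNT_ID, account_id))
    if athena_bucket is None:
        policy["Statement"] = [s for s in policy["Statement"]
                               if s.get("Sid") != "S3ObjectPermissions"]
    else:
        policy = json.loads(json.dumps(policy).replace(DOC_BUCKET, athena_bucket))
    return policy


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    for st in policy["Statement"]:
        actions = _as_list(st["Action"])
        resources = _as_list(st["Resource"])
        # Rule 1: no documentation placeholder may reach a real account.
        for r in resources:
            if DOC_ACCOUNT_ID in r or DOC_BUCKET in r:
                findings.append(f"placeholder left in resource: {r}")
        # Rule 2: S3 write access must be scoped to the results bucket, not "*".
        if "s3:PutObject" in actions and "*" in resources:
            findings.append("s3:PutObject granted on all resources")
        # Rule 3: Glue read access stays on the Security Lake catalog objects.
        if any(a.startswith("glue:") for a in actions):
            for r in resources:
                if not (r.endswith(":catalog") or "amazon_security_lake" in r):
                    findings.append(f"Glue resource outside Security Lake: {r}")
        # Rule 4: the Organizations lookup is tied to the Security Lake principal.
        if "organizations:ListDelegatedAdministrators" in actions:
            cond = st.get("Condition", {}).get("StringEquals", {})
            if SL_PRINCIPAL not in _as_list(cond.get("organizations:ServicePrincipal", [])):
                findings.append("Organizations statement lacks the Security Lake condition")
    return findings


def results_bucket_statement(bucket_name):
    """Build the Step 4 S3ObjectPermissions statement for the LakeFormationPrincipals."""
    return {
        "Sid": "S3ObjectPermissions",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],
    }


if __name__ == "__main__":
    # Constructed sample values: a fictitious account ID and results bucket name.
    policy = render_policy("111122223333", athena_bucket="my-athena-results")
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy) or "none")
```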

# Changing the Detective integration configuration


If you want to change any of the parameters that you used to integrate Detective with Security Lake, you can edit them, and then enable the integration again. You can edit the CloudFormation template to re-enable this integration for the following scenarios:
+ To update the Security Lake subscription, you can either create a new subscriber, or the Security Lake administrator can update the data source for the existing subscription.
+ To specify a different Amazon S3 bucket to store the raw query logs.
+ To specify different Lake Formation principals.

When you re-enable Detective integration with Security Lake, you can edit the **Resource Share ARN**, and view the **IAM permissions**. To edit the IAM permissions, you can go to the IAM console from Detective. You can also edit the values you previously entered in the CloudFormation template. You must delete the existing CloudFormation stack and re-create it to re-enable the integration.

**To re-enable Detective integration with Security Lake**

1. Open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Integrations**.

1. You can edit the integration using either of these steps:
   + In the **Security Lake** pane, choose **Edit**.
   + In the **Security Lake** pane, choose **View**. In the view page, choose **Edit**.

1. Enter a new **Resource Share ARN** to access the data sources in a Region. 

1. View the current IAM permissions, and go to the IAM console, if you want to edit the IAM permissions. 

1. Edit the values in the CloudFormation template.

   1. Delete the existing stack first, before creating a new stack. If you do not delete the existing stack and you try to create a new stack in the same Region, your request fails. For more details, see [Deleting a CloudFormation stack](#delete-stack).

   1. Create a new CloudFormation stack. For more details, see [Creating a stack using the CloudFormation template](#cloud-formation-template). 

1. Choose **Enable integration**.

# Supported AWS Regions for integrating Detective with Security Lake

You can integrate Detective with Security Lake in the following AWS Regions.


| Region Name | Region | Endpoint | Protocol |
| --- | --- | --- | --- |
| US East (Ohio) | us-east-2 | securitylake.us-east-2.amazonaws.com | HTTPS |
| US East (N. Virginia) | us-east-1 | securitylake.us-east-1.amazonaws.com | HTTPS |
| US West (N. California) | us-west-1 | securitylake.us-west-1.amazonaws.com | HTTPS |
| US West (Oregon) | us-west-2 | securitylake.us-west-2.amazonaws.com | HTTPS |
| Asia Pacific (Mumbai) | ap-south-1 | securitylake.ap-south-1.amazonaws.com | HTTPS |
| Asia Pacific (Seoul) | ap-northeast-2 | securitylake.ap-northeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | securitylake.ap-southeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | securitylake.ap-southeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | securitylake.ap-northeast-1.amazonaws.com | HTTPS |
| Canada (Central) | ca-central-1 | securitylake.ca-central-1.amazonaws.com | HTTPS |
| Europe (Frankfurt) | eu-central-1 | securitylake.eu-central-1.amazonaws.com | HTTPS |
| Europe (Ireland) | eu-west-1 | securitylake.eu-west-1.amazonaws.com | HTTPS |
| Europe (London) | eu-west-2 | securitylake.eu-west-2.amazonaws.com | HTTPS |
| Europe (Paris) | eu-west-3 | securitylake.eu-west-3.amazonaws.com | HTTPS |
| Europe (Stockholm) | eu-north-1 | securitylake.eu-north-1.amazonaws.com | HTTPS |
| South America (São Paulo) | sa-east-1 | securitylake.sa-east-1.amazonaws.com | HTTPS |

# Querying raw logs in Detective


After you integrate Detective with Security Lake, Detective begins pulling raw logs from Security Lake related to AWS CloudTrail management events and Amazon Virtual Private Cloud (Amazon VPC) Flow Logs.

**Note**  
There are no additional charges to query raw logs in Detective. Usage charges for other AWS Services, including Amazon Athena, still apply at published rates.

AWS CloudTrail management events are available for the following profiles:
+ AWS account
+ AWS user
+ AWS role
+ AWS role session
+ Amazon EC2 instance
+ Amazon S3 bucket
+ IP address
+ Kubernetes cluster
+ Kubernetes pod
+ Kubernetes subject
+ IAM role
+ IAM role session
+ IAM user

Amazon VPC Flow Logs are available for the following profiles:
+ Amazon EC2 instance
+ Kubernetes pod

For a demonstration of how to use Amazon Detective with Amazon Security Lake using the Detective console, watch the following video: 

[AWS Videos](https://www.youtube.com/watch?v=A_EWd2lvVW0)


**To query raw logs for an AWS account**

1. Open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Search** and search for an `AWS account`.

1. In the **Overall API call volume** section, choose **display details for scope time**. 

1. From here, you can start to **Query raw logs**. 

![In the Raw log preview table, you can view the logs and events retrieved by querying data from Security Lake. For more details about the raw event logs, you can view the data displayed in Amazon Athena.](http://docs.aws.amazon.com/detective/latest/userguide/images/query-raw-logs-awsaccount.png)


In the **Raw log preview** table, you can view the logs and events retrieved by querying data from Security Lake. For more details about the raw event logs, you can view the data displayed in Amazon Athena. 

![In the Raw log preview table, you can view the logs and events retrieved by querying data from Security Lake. For more details about the raw event logs, you can view the data displayed in Amazon Athena.](http://docs.aws.amazon.com/detective/latest/userguide/images/query-raw-log-table.png)


From the Query raw logs table, you can **Cancel query request**, **See results in Amazon Athena**, and **Download results** as a comma-separated values (.csv) file. 

If Detective shows logs but the query returned no results, one of the following may be the cause:
+ Raw logs may become available in Detective before they appear in the Security Lake log tables. Try again later.
+ Logs may be missing from Security Lake. If the logs still do not appear after an extended period of time, they are missing from Security Lake. Contact your Security Lake administrator to resolve the issue.

**Topics**
+ [Querying raw logs for an AWS role](#query-log-geo-location)
+ [Querying raw logs for an Amazon EKS cluster](#query-log-eks-cluster)
+ [Querying raw logs for an Amazon EC2 instance](#query-log-vpc)

## Querying raw logs for an AWS role


If you want to understand the activity of an AWS role in a new geolocation, you can do so within the Detective console. 



**To query raw logs for an AWS role**

1. Open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the **Newly observed geolocations** section of the Detective **Summary** page, note down the AWS role.

1. In the navigation pane, choose **Search** and search for the `AWS role`.

1. For the AWS role, expand the resource to display the specific API calls that were issued from that IP address by that resource.

1. Choose the magnifier icon next to the API call that you want to investigate to open the **Raw log preview** table.

   ![In the Raw log preview table, you can view the logs and events retrieved by querying data from Security Lake. For more details about the raw event logs, you can view the data displayed in Amazon Athena.](http://docs.aws.amazon.com/detective/latest/userguide/images/query-raw-logs-awsrole.png)

## Querying raw logs for an Amazon EKS cluster


1. Open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the **Container clusters with the most pods created** section of the Detective **Summary** page, navigate to an Amazon EKS cluster.

1. In the **Amazon EKS cluster details** page, select the **Kubernetes API activity** tab.

1. In the **Overall Kubernetes API activity involving this Amazon EKS cluster** section, choose **display details for scope time**.

1. From here, you can start to **Query raw logs**. 

## Querying raw logs for an Amazon EC2 instance




1. Open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Search** and search for an `Amazon EC2 instance`.

1. In the **Overall VPC Flow volume** section, choose the magnifier icon next to the API call that you want to investigate to open the **Raw log preview** table. 

1. From here, you can start to **Query raw logs**.

   ![In the Raw log preview table, you can view the logs and events retrieved by querying data from Security Lake. For more details about the raw event logs, you can view the data displayed in Amazon Athena.](http://docs.aws.amazon.com/detective/latest/userguide/images/query-raw-log-vpc.png)

In the **Raw log preview** table, you can view the logs and events retrieved by querying data from Security Lake. For more details about the raw event logs, you can view the data displayed in Amazon Athena. 

From the Query raw logs table, you can **Cancel query request**, **See results in Amazon Athena**, and **Download results** as a comma-separated values (.csv) file. 

# Disabling Detective integration with Security Lake

If you disable Detective integration with Security Lake, you can no longer query log and event data from Security Lake. 

**To disable Detective integration with Security Lake**

1. Open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Integrations**.

1. Delete the existing stack. For more details, see [Deleting a CloudFormation stack](#delete-stack). 

1. In the **Disable Security Lake integration** pane, choose **Disable**.

## Deleting a CloudFormation stack


If you do not delete the existing stack, creating a new stack in the same Region fails. You can delete a CloudFormation stack by using the CloudFormation console or the AWS CLI.

**To delete the CloudFormation stack (Console)**

1. Open the AWS CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. On the **Stacks** page in the CloudFormation console, select the stack that you want to delete. The stack must be currently running.

1. In the stack details pane, choose **Delete**.

1. Select **Delete stack** when prompted.

   **Note**  
   The stack deletion operation can't be stopped once it has begun. The stack proceeds to the `DELETE_IN_PROGRESS` state.

After the stack deletion is complete, the stack will be in the `DELETE_COMPLETE` state. 

**Troubleshooting stack deletion errors**

If you see a permission error with the message `Failed to delete stack` after choosing **Delete**, your IAM role doesn't have the CloudFormation permission to delete a stack. Contact your account administrator to delete the stack.

**To delete the CloudFormation stack (AWS CLI)**

Enter the following command in the AWS CLI interface:

```
aws cloudformation delete-stack --stack-name your-stack-name \
    --role-arn arn:aws:iam::<ACCOUNT ID>:role/CFN-DetectiveSecurityLakeIntegration
```

`CFN-DetectiveSecurityLakeIntegration` is the service role that you created in the `Creating an AWS CloudFormation Service Role` step.