


# AWS::SecurityLake::DataLake
<a name="aws-resource-securitylake-datalake"></a>

Initializes an Amazon Security Lake instance with the provided (or default) configuration. You can enable Security Lake in AWS Regions with customized settings before enabling log collection in Regions. To specify particular Regions, configure these Regions using the `configurations` parameter. If you have already enabled Security Lake in a Region when you call this command, the command will update the Region if you provide new configuration parameters. If you have not already enabled Security Lake in the Region when you call this API, it will set up the data lake in the Region with the specified configurations.

When you enable Security Lake, it starts ingesting security data after the `CreateAwsLogSource` call. This includes ingesting security data from sources, storing data, and making data accessible to subscribers. Security Lake also enables all the existing settings and resources that it stores or maintains for your AWS account in the current Region, including security log and event data. For more information, see the [Amazon Security Lake User Guide](https://docs.aws.amazon.com//security-lake/latest/userguide/what-is-security-lake.html).

**Important**  
If you use this template to create multiple data lakes in different AWS Regions, and more than one of your data lakes include an [AWS::SecurityLake::AwsLogSource](/AWSCloudFormation/latest/UserGuide/aws-resource-securitylake-awslogsource.html) resource, then you must deploy these data lakes sequentially. This is required because data lakes operate globally, and `AwsLogSource` resources must be deployed one at a time.

## Syntax
<a name="aws-resource-securitylake-datalake-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-securitylake-datalake-syntax.json"></a>

```
{
  "Type" : "AWS::SecurityLake::DataLake",
  "Properties" : {
      "[EncryptionConfiguration](#cfn-securitylake-datalake-encryptionconfiguration)" : EncryptionConfiguration,
      "[LifecycleConfiguration](#cfn-securitylake-datalake-lifecycleconfiguration)" : LifecycleConfiguration,
      "[MetaStoreManagerRoleArn](#cfn-securitylake-datalake-metastoremanagerrolearn)" : String,
      "[ReplicationConfiguration](#cfn-securitylake-datalake-replicationconfiguration)" : ReplicationConfiguration,
      "[Tags](#cfn-securitylake-datalake-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-securitylake-datalake-syntax.yaml"></a>

```
Type: AWS::SecurityLake::DataLake
Properties:
  [EncryptionConfiguration](#cfn-securitylake-datalake-encryptionconfiguration): 
    EncryptionConfiguration
  [LifecycleConfiguration](#cfn-securitylake-datalake-lifecycleconfiguration): 
    LifecycleConfiguration
  [MetaStoreManagerRoleArn](#cfn-securitylake-datalake-metastoremanagerrolearn): String
  [ReplicationConfiguration](#cfn-securitylake-datalake-replicationconfiguration): 
    ReplicationConfiguration
  [Tags](#cfn-securitylake-datalake-tags): 
    - Tag
```

## Properties
<a name="aws-resource-securitylake-datalake-properties"></a>

`EncryptionConfiguration`  <a name="cfn-securitylake-datalake-encryptionconfiguration"></a>
Provides encryption details of the Amazon Security Lake object.  
*Required*: No  
*Type*: [EncryptionConfiguration](aws-properties-securitylake-datalake-encryptionconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`LifecycleConfiguration`  <a name="cfn-securitylake-datalake-lifecycleconfiguration"></a>
You can customize Security Lake to store data in your preferred AWS Regions for your preferred amount of time. Lifecycle management can help you comply with different compliance requirements. For more details, see [Lifecycle management](https://docs.aws.amazon.com//security-lake/latest/userguide/lifecycle-management.html) in the Amazon Security Lake User Guide.  
*Required*: No  
*Type*: [LifecycleConfiguration](aws-properties-securitylake-datalake-lifecycleconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MetaStoreManagerRoleArn`  <a name="cfn-securitylake-datalake-metastoremanagerrolearn"></a>
The Amazon Resource Name (ARN) of the IAM role that Security Lake uses to create and update the AWS Glue table. This table contains partitions generated by the ingestion and normalization of AWS log sources and custom sources. In the examples on this page, this role trusts `lambda.amazonaws.com` and carries the `AmazonSecurityLakeMetastoreManager` managed policy.  
*Required*: No  
*Type*: String  
*Pattern*: `^arn:.*$`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ReplicationConfiguration`  <a name="cfn-securitylake-datalake-replicationconfiguration"></a>
Provides replication details of the Amazon Security Lake object.  
*Required*: No  
*Type*: [ReplicationConfiguration](aws-properties-securitylake-datalake-replicationconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-securitylake-datalake-tags"></a>
An array of objects, one for each tag to associate with the data lake configuration. For each tag, you must specify both a tag key and a tag value. A tag value cannot be null, but it can be an empty string.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-securitylake-datalake-tag.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-securitylake-datalake-return-values"></a>

### Ref
<a name="aws-resource-securitylake-datalake-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `DataLake` name.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-securitylake-datalake-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-securitylake-datalake-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
The Amazon Resource Name (ARN) of the data lake.

`S3BucketArn`  <a name="S3BucketArn-fn::getatt"></a>
The Amazon Resource Name (ARN) of the Amazon S3 bucket.

## Examples
<a name="aws-resource-securitylake-datalake--examples"></a>

**Topics**
+ [Enable Security Lake in two accounts for three log sources](#aws-resource-securitylake-datalake--examples--Enable_in_two_accounts_for_three_log_sources)
+ [Enable Security Lake in all accounts for three log sources](#aws-resource-securitylake-datalake--examples--Enable_in_all_accounts_for_three_log_sources)
+ [Deploys a contributing Security Lake Region](#aws-resource-securitylake-datalake--examples--Deploys_a_contributing_Security_Lake_Region)
+ [Configure with KMS](#aws-resource-securitylake-datalake--examples--Configure_with_KMS)

### Enable Security Lake in two accounts for three log sources
<a name="aws-resource-securitylake-datalake--examples--Enable_in_two_accounts_for_three_log_sources"></a>

#### JSON
<a name="aws-resource-securitylake-datalake--examples--Enable_in_two_accounts_for_three_log_sources--json"></a>

```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Transform": "AWS::Serverless-2016-10-31",
"Description": "Creates Security Lake with NO KMS and three sources in two accounts. This can be used as a rollup Region.",
"Parameters": {
    "RoleName": {
        "Type": "String",
        "Default": "Provide a name if Security Lake has not been enabled from console",
        "Description": "Prefix for role name with managed policy"
    },
    "Account1": {
        "Type": "String",
        "Default": "Enter an account for Security Lake to enable log sources",
        "Description": "Account number to enable logs"
    },
    "Account2": {
        "Type": "String",
        "Default": "Enter another account for Security Lake to enable log sources",
        "Description": "Account number n to enable logs"
    }
},
"Resources": {
    "AmazonSecurityLakeMetaStoreManagerRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "RoleName": {
                "Fn::Sub": "${RoleName}-SecurityLakeMetaStoreManager"
            },
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "lambda.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager"
            ]
        }
    },
    "SecurityLakeEnablement": {
        "Type": "AWS::SecurityLake::DataLake",
        "Properties": {
            "MetaStoreManagerRoleArn": {
                "Fn::GetAtt": [
                    "AmazonSecurityLakeMetaStoreManagerRole",
                    "Arn"
                ]
            }
        }
    },
    "SecurityLakeSourcesRoute53": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "Accounts": [
                {
                    "Ref": "Account1"
                },
                {
                    "Ref": "Account2"
                }
            ],
            "DataLakeArn": {
                "Fn::GetAtt": [
                    "SecurityLakeEnablement",
                    "Arn"
                ]
            },
            "SourceName": "ROUTE53",
            "SourceVersion": "2.0"
        },
        "DependsOn": "SecurityLakeEnablement"
    },
    "SecurityLakeSourcesSecurityHub": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "Accounts": [
                {
                    "Ref": "Account1"
                },
                {
                    "Ref": "Account2"
                }
            ],
            "DataLakeArn": {
                "Fn::GetAtt": [
                    "SecurityLakeEnablement",
                    "Arn"
                ]
            },
            "SourceName": "SH_FINDINGS",
            "SourceVersion": "2.0"
        },
        "DependsOn": "SecurityLakeSourcesRoute53"
    },
    "SecurityLakeSourcesS3": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "Accounts": [
                {
                    "Ref": "Account1"
                },
                {
                    "Ref": "Account2"
                }
            ],
            "DataLakeArn": {
                "Fn::GetAtt": [
                    "SecurityLakeEnablement",
                    "Arn"
                ]
            },
            "SourceName": "S3_DATA",
            "SourceVersion": "2.0"
        },
        "DependsOn": "SecurityLakeSourcesSecurityHub"
    }
}
}
```

#### YAML
<a name="aws-resource-securitylake-datalake--examples--Enable_in_two_accounts_for_three_log_sources--yaml"></a>

```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Creates Security Lake with NO KMS and three sources in two accounts. This can be used as a rollup Region.

Parameters:
  RoleName:
    Type: String
    Default: Provide a name if Security Lake has not been enabled from console
    Description: Prefix for role name with managed policy
  Account1:
    Type: String
    Default: Enter an account for Security Lake to enable log sources
    Description: Account number to enable logs
  Account2:
    Type: String
    Default: Enter another account for Security Lake to enable log sources
    Description: Account number n to enable logs

Resources:
  AmazonSecurityLakeMetaStoreManagerRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: 
        Fn::Sub: ${RoleName}-SecurityLakeMetaStoreManager
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager

  SecurityLakeEnablement:
    Type: AWS::SecurityLake::DataLake
    Properties:
      MetaStoreManagerRoleArn:
        Fn::GetAtt:
        - AmazonSecurityLakeMetaStoreManagerRole
        - Arn

  SecurityLakeSourcesRoute53:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      Accounts: 
      - Ref: Account1
      - Ref: Account2
      DataLakeArn:
        Fn::GetAtt:
        - SecurityLakeEnablement
        - Arn
      SourceName: ROUTE53
      SourceVersion: "2.0"
    DependsOn: SecurityLakeEnablement

  SecurityLakeSourcesSecurityHub:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      Accounts: 
      - Ref: Account1
      - Ref: Account2
      DataLakeArn:
        Fn::GetAtt:
        - SecurityLakeEnablement
        - Arn
      SourceName: SH_FINDINGS
      SourceVersion: "2.0"
    DependsOn: SecurityLakeSourcesRoute53
    
  SecurityLakeSourcesS3:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      Accounts: 
      - Ref: Account1
      - Ref: Account2
      DataLakeArn:
        Fn::GetAtt:
        - SecurityLakeEnablement
        - Arn
      SourceName: S3_DATA
      SourceVersion: "2.0"
    DependsOn: SecurityLakeSourcesSecurityHub
```

### Enable Security Lake in all accounts for three log sources
<a name="aws-resource-securitylake-datalake--examples--Enable_in_all_accounts_for_three_log_sources"></a>

#### JSON
<a name="aws-resource-securitylake-datalake--examples--Enable_in_all_accounts_for_three_log_sources--json"></a>

```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Transform": "AWS::Serverless-2016-10-31",
"Description": "Creates Security Lake with NO KMS and three sources in all accounts. This can be used as a centralized Region.",
"Parameters": {
    "RoleName": {
        "Type": "String",
        "Default": "Provide a name if Security Lake has not been enabled from console",
        "Description": "Prefix for role name with managed policy"
    }
},
"Resources": {
    "AmazonSecurityLakeMetaStoreManagerRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "RoleName": {
                "Fn::Sub": "${RoleName}-SecurityLakeMetaStoreManager"
            },
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "lambda.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager"
            ]
        }
    },
    "SecurityLakeEnablement": {
        "Type": "AWS::SecurityLake::DataLake",
        "Properties": {
            "MetaStoreManagerRoleArn": {
                "Fn::GetAtt": [
                    "AmazonSecurityLakeMetaStoreManagerRole",
                    "Arn"
                ]
            }
        }
    },
    "SecurityLakeSourcesRoute53": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "DataLakeArn": {
                "Fn::GetAtt": [
                    "SecurityLakeEnablement",
                    "Arn"
                ]
            },
            "SourceName": "ROUTE53",
            "SourceVersion": "2.0"
        },
        "DependsOn": "SecurityLakeEnablement"
    },
    "SecurityLakeSourcesSecurityHub": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "DataLakeArn": {
                "Fn::GetAtt": [
                    "SecurityLakeEnablement",
                    "Arn"
                ]
            },
            "SourceName": "SH_FINDINGS",
            "SourceVersion": "2.0"
        },
        "DependsOn": "SecurityLakeSourcesRoute53"
    },
    "SecurityLakeSourcesS3": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "DataLakeArn": {
                "Fn::GetAtt": [
                    "SecurityLakeEnablement",
                    "Arn"
                ]
            },
            "SourceName": "S3_DATA",
            "SourceVersion": "2.0"
        },
        "DependsOn": "SecurityLakeSourcesSecurityHub"
    }
}
}
```

#### YAML
<a name="aws-resource-securitylake-datalake--examples--Enable_in_all_accounts_for_three_log_sources--yaml"></a>

```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description:  Creates Security Lake with NO KMS on three sources and all accounts. This can be used as a centralized Region.

Parameters:
  RoleName:
    Type: String
    Default: Provide a name if Security Lake has not been enabled from console
    Description: Prefix for role name with managed policy

Resources:
  AmazonSecurityLakeMetaStoreManagerRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: 
        Fn::Sub: ${RoleName}-SecurityLakeMetaStoreManager
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager

  SecurityLakeEnablement:
    Type: AWS::SecurityLake::DataLake
    Properties:
      MetaStoreManagerRoleArn:
        Fn::GetAtt:
        - AmazonSecurityLakeMetaStoreManagerRole
        - Arn

  SecurityLakeSourcesRoute53:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      DataLakeArn:
        Fn::GetAtt:
        - SecurityLakeEnablement
        - Arn
      SourceName: ROUTE53
      SourceVersion: "2.0"
    DependsOn: SecurityLakeEnablement

  SecurityLakeSourcesSecurityHub:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      DataLakeArn:
        Fn::GetAtt:
        - SecurityLakeEnablement
        - Arn
      SourceName: SH_FINDINGS
      SourceVersion: "2.0"
    DependsOn: SecurityLakeSourcesRoute53
    
  SecurityLakeSourcesS3:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      DataLakeArn:
        Fn::GetAtt:
        - SecurityLakeEnablement
        - Arn
      SourceName: S3_DATA
      SourceVersion: "2.0"
    DependsOn: SecurityLakeSourcesSecurityHub
```

### Deploys a contributing Security Lake Region
<a name="aws-resource-securitylake-datalake--examples--Deploys_a_contributing_Security_Lake_Region"></a>

Enables Security Lake in two accounts for three log sources as a contributing Region, replicating to a centralized destination Region. The metastore manager role and the replication role are passed in as parameters rather than created by the template.

#### JSON
<a name="aws-resource-securitylake-datalake--examples--Deploys_a_contributing_Security_Lake_Region--json"></a>

```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Transform": "AWS::Serverless-2016-10-31",
"Description": "Creates Security Lake with NO KMS and three sources in two accounts, replicates to one Region.",
"Parameters": {
    "Account1": {
        "Type": "String",
        "Default": "Enter an account for Security Lake to enable log sources",
        "Description": "Account number to enable logs"
    },
    "Account2": {
        "Type": "String",
        "Default": "Enter another account for Security Lake to enable log sources",
        "Description": "Account number n to enable logs"
    },
    "ReplicationRegionDestination": {
        "Type": "String",
        "Default": "Enter destination region",
        "Description": "Centralized destination region"
    },
    "MetaStoreRoleArn": {
        "Type": "String",
        "Default": "Security Lake Metastore Manager Role",
        "Description": "arn for AWS Security Lake Metastore Manager Role"
    },
    "ReplicationRoleArn": {
        "Type": "String",
        "Default": "Replication Role ARN",
        "Description": "Replication role arn that supports rollup to destination region"
    }
},
"Resources": {
    "SecurityLakeEnablement": {
        "Type": "AWS::SecurityLake::DataLake",
        "Properties": {
            "MetaStoreManagerRoleArn": {
                "Ref": "MetaStoreRoleArn"
            },
            "ReplicationConfiguration": {
                "Regions": [
                    {
                        "Ref": "ReplicationRegionDestination"
                    }
                ],
                "RoleArn": {
                    "Ref": "ReplicationRoleArn"
                }
            }
        }
    },
    "SecurityLakeSourcesRoute53": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "Accounts": [
                {
                    "Ref": "Account1"
                },
                {
                    "Ref": "Account2"
                }
            ],
            "DataLakeArn": {
                "Fn::GetAtt": [
                    "SecurityLakeEnablement",
                    "Arn"
                ]
            },
            "SourceName": "ROUTE53",
            "SourceVersion": "2.0"
        },
        "DependsOn": "SecurityLakeEnablement"
    },
    "SecurityLakeSourcesSecurityHub": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "Accounts": [
                {
                    "Ref": "Account1"
                },
                {
                    "Ref": "Account2"
                }
            ],
            "DataLakeArn": {
                "Fn::GetAtt": [
                    "SecurityLakeEnablement",
                    "Arn"
                ]
            },
            "SourceName": "SH_FINDINGS",
            "SourceVersion": "2.0"
        },
        "DependsOn": "SecurityLakeSourcesRoute53"
    },
    "SecurityLakeSourcesS3": {
        "Type": "AWS::SecurityLake::AwsLogSource",
        "Properties": {
            "Accounts": [
                {
                    "Ref": "Account1"
                },
                {
                    "Ref": "Account2"
                }
            ],
            "DataLakeArn": {
                "Fn::GetAtt": [
                    "SecurityLakeEnablement",
                    "Arn"
                ]
            },
            "SourceName": "S3_DATA",
            "SourceVersion": "2.0"
        },
        "DependsOn": "SecurityLakeSourcesSecurityHub"
    }
}
}
```

#### YAML
<a name="aws-resource-securitylake-datalake--examples--Deploys_a_contributing_Security_Lake_Region--yaml"></a>

```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Creates Security Lake with NO KMS and three sources in two accounts, replicates to one Region.

Parameters:
  Account1:
    Type: String
    Default: Enter an account for Security Lake to enable log sources
    Description: Account number to enable logs
  Account2:
    Type: String
    Default: Enter another account for Security Lake to enable log sources
    Description: Account number n to enable logs
  ReplicationRegionDestination:
    Type: String
    Default: Enter destination region
    Description: Centralized destination region
  MetaStoreRoleArn:   
    Type: String
    Default: Security Lake Metastore Manager Role
    Description: arn for AWS Security Lake Metastore Manager Role
  ReplicationRoleArn:
    Type: String
    Default: Replication Role ARN
    Description: Replication role arn that supports rollup to destination region

Resources:
  SecurityLakeEnablement:
    Type: AWS::SecurityLake::DataLake
    Properties:
      MetaStoreManagerRoleArn: 
        Ref: MetaStoreRoleArn
      ReplicationConfiguration:
        Regions:
        - Ref: ReplicationRegionDestination
        RoleArn:
          Ref: ReplicationRoleArn

  SecurityLakeSourcesRoute53:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      Accounts: 
      - Ref: Account1
      - Ref: Account2
      DataLakeArn:
        Fn::GetAtt:
        - SecurityLakeEnablement
        - Arn
      SourceName: ROUTE53
      SourceVersion: "2.0"
    DependsOn: SecurityLakeEnablement

  SecurityLakeSourcesSecurityHub:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      Accounts: 
      - Ref: Account1
      - Ref: Account2
      DataLakeArn:
        Fn::GetAtt:
        - SecurityLakeEnablement
        - Arn
      SourceName: SH_FINDINGS
      SourceVersion: "2.0"
    DependsOn: SecurityLakeSourcesRoute53
    
  SecurityLakeSourcesS3:
    Type: AWS::SecurityLake::AwsLogSource
    Properties:
      Accounts: 
      - Ref: Account1
      - Ref: Account2
      DataLakeArn:
        Fn::GetAtt:
        - SecurityLakeEnablement
        - Arn
      SourceName: S3_DATA
      SourceVersion: "2.0"
    DependsOn: SecurityLakeSourcesSecurityHub
```

### Configure with KMS
<a name="aws-resource-securitylake-datalake--examples--Configure_with_KMS"></a>

For each Region, add the `EncryptionConfiguration` property and assign the ARN of a KMS key that lives in that Region (the `KmsArn` parameter below). Without it, the data lake falls back to the service default encryption rather than a key you control.

#### JSON
<a name="aws-resource-securitylake-datalake--examples--Configure_with_KMS--json"></a>

```
{
    "SecurityLakeEnablement": {
        "Type": "AWS::SecurityLake::DataLake",
        "Properties": {
            "MetaStoreManagerRoleArn": {
                "Fn::GetAtt": [
                    "AmazonSecurityLakeMetaStoreManagerRole",
                    "Arn"
                ]
            },
            "EncryptionConfiguration": {
                "KmsKeyId": {
                    "Ref": "KmsArn"
                }
            }
        }
    }
}
```

#### YAML
<a name="aws-resource-securitylake-datalake--examples--Configure_with_KMS--yaml"></a>

```
SecurityLakeEnablement:
    Type: AWS::SecurityLake::DataLake
    Properties:
      MetaStoreManagerRoleArn:
        Fn::GetAtt:
        - AmazonSecurityLakeMetaStoreManagerRole
        - Arn
      EncryptionConfiguration:
        KmsKeyId: 
          Ref: KmsArn
```

# AWS::SecurityLake::DataLake EncryptionConfiguration
<a name="aws-properties-securitylake-datalake-encryptionconfiguration"></a>

Provides encryption details of the Amazon Security Lake object. The AWS shared responsibility model applies to data protection in Amazon Security Lake. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. For more details, see [Data protection](https://docs.aws.amazon.com//security-lake/latest/userguide/data-protection.html) in the Amazon Security Lake User Guide. 

## Syntax
<a name="aws-properties-securitylake-datalake-encryptionconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securitylake-datalake-encryptionconfiguration-syntax.json"></a>

```
{
  "[KmsKeyId](#cfn-securitylake-datalake-encryptionconfiguration-kmskeyid)" : String
}
```

### YAML
<a name="aws-properties-securitylake-datalake-encryptionconfiguration-syntax.yaml"></a>

```
  [KmsKeyId](#cfn-securitylake-datalake-encryptionconfiguration-kmskeyid): String
```

## Properties
<a name="aws-properties-securitylake-datalake-encryptionconfiguration-properties"></a>

`KmsKeyId`  <a name="cfn-securitylake-datalake-encryptionconfiguration-kmskeyid"></a>
The identifier of the KMS key that Amazon Security Lake uses to encrypt the Security Lake object. The examples on this page pass the key ARN.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityLake::DataLake Expiration
<a name="aws-properties-securitylake-datalake-expiration"></a>

Provides data expiration details of the Amazon Security Lake object. You can specify your preferred Amazon S3 storage class and the time period for S3 objects to stay in that storage class before they expire. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide*.

## Syntax
<a name="aws-properties-securitylake-datalake-expiration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securitylake-datalake-expiration-syntax.json"></a>

```
{
  "[Days](#cfn-securitylake-datalake-expiration-days)" : Integer
}
```

### YAML
<a name="aws-properties-securitylake-datalake-expiration-syntax.yaml"></a>

```
  [Days](#cfn-securitylake-datalake-expiration-days): Integer
```

## Properties
<a name="aws-properties-securitylake-datalake-expiration-properties"></a>

`Days`  <a name="cfn-securitylake-datalake-expiration-days"></a>
The number of days before data expires in the Amazon Security Lake object.  
*Required*: No  
*Type*: Integer  
*Minimum*: `1`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityLake::DataLake LifecycleConfiguration
<a name="aws-properties-securitylake-datalake-lifecycleconfiguration"></a>

Provides lifecycle details of the Amazon Security Lake object. To manage your data so that it is stored cost effectively, you can configure retention settings for the data. You can specify your preferred Amazon S3 storage class and the time period for Amazon S3 objects to stay in that storage class before they transition to a different storage class or expire. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide*.

In Security Lake, you specify retention settings at the Region level. For example, you might choose to transition all S3 objects in a specific AWS Region to the `S3 Standard-IA` storage class 30 days after they're written to the data lake. The default Amazon S3 storage class is S3 Standard.

**Important**  
Security Lake doesn't support Amazon S3 Object Lock. When the data lake buckets are created, S3 Object Lock is disabled by default. Enabling S3 Object Lock with default retention mode interrupts the delivery of normalized log data to the data lake.

## Syntax
<a name="aws-properties-securitylake-datalake-lifecycleconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securitylake-datalake-lifecycleconfiguration-syntax.json"></a>

```
{
  "[Expiration](#cfn-securitylake-datalake-lifecycleconfiguration-expiration)" : Expiration,
  "[Transitions](#cfn-securitylake-datalake-lifecycleconfiguration-transitions)" : [ Transitions, ... ]
}
```

### YAML
<a name="aws-properties-securitylake-datalake-lifecycleconfiguration-syntax.yaml"></a>

```
  [Expiration](#cfn-securitylake-datalake-lifecycleconfiguration-expiration): 
    Expiration
  [Transitions](#cfn-securitylake-datalake-lifecycleconfiguration-transitions): 
    - Transitions
```

## Properties
<a name="aws-properties-securitylake-datalake-lifecycleconfiguration-properties"></a>

`Expiration`  <a name="cfn-securitylake-datalake-lifecycleconfiguration-expiration"></a>
Provides data expiration details of the Amazon Security Lake object.  
*Required*: No  
*Type*: [Expiration](aws-properties-securitylake-datalake-expiration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Transitions`  <a name="cfn-securitylake-datalake-lifecycleconfiguration-transitions"></a>
Provides data storage transition details of the Amazon Security Lake object. By configuring these settings, you can specify your preferred Amazon S3 storage class and the time period for S3 objects to stay in that storage class before they transition to a different storage class.  
*Required*: No  
*Type*: [Array](aws-properties-securitylake-datalake-transitions.md) of [Transitions](aws-properties-securitylake-datalake-transitions.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityLake::DataLake ReplicationConfiguration
<a name="aws-properties-securitylake-datalake-replicationconfiguration"></a>

Provides replication configuration details for objects stored in the Amazon Security Lake data lake.

## Syntax
<a name="aws-properties-securitylake-datalake-replicationconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securitylake-datalake-replicationconfiguration-syntax.json"></a>

```
{
  "[Regions](#cfn-securitylake-datalake-replicationconfiguration-regions)" : [ String, ... ],
  "[RoleArn](#cfn-securitylake-datalake-replicationconfiguration-rolearn)" : String
}
```

### YAML
<a name="aws-properties-securitylake-datalake-replicationconfiguration-syntax.yaml"></a>

```
  [Regions](#cfn-securitylake-datalake-replicationconfiguration-regions): 
    - String
  [RoleArn](#cfn-securitylake-datalake-replicationconfiguration-rolearn): String
```

## Properties
<a name="aws-properties-securitylake-datalake-replicationconfiguration-properties"></a>

`Regions`  <a name="cfn-securitylake-datalake-replicationconfiguration-regions"></a>
Specifies one or more centralized rollup Regions. The AWS Region specified in the region parameter of the `CreateDataLake` or `UpdateDataLake` operations contributes data to the rollup Region or Regions specified in this parameter.  
Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. S3 buckets that are configured for object replication can be owned by the same AWS account or by different accounts. You can replicate objects to a single destination bucket or to multiple destination buckets. The destination buckets can be in different Regions or within the same Region as the source bucket.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RoleArn`  <a name="cfn-securitylake-datalake-replicationconfiguration-rolearn"></a>
Replication settings for the Amazon S3 buckets. This parameter takes the AWS Identity and Access Management (IAM) role that you created and that Security Lake manages, so that the replication settings are applied correctly.  
*Required*: No  
*Type*: String  
*Pattern*: `^arn:.*$`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityLake::DataLake Tag
<a name="aws-properties-securitylake-datalake-tag"></a>

A *tag* is a label that you can define and associate with AWS resources, including certain types of Amazon Security Lake resources. Tags can help you identify, categorize, and manage resources in different ways, such as by owner, environment, or other criteria. You can associate tags with the following types of Security Lake resources: subscribers, and the data lake configuration for your AWS account in individual AWS Regions.

A resource can have up to 50 tags. Each tag consists of a required *tag key* and an associated *tag value*. A *tag key* is a general label that acts as a category for a more specific tag value. Each tag key must be unique and it can have only one tag value. A *tag value* acts as a descriptor for a tag key. Tag keys and values are case sensitive. They can contain letters, numbers, spaces, or the following symbols: _ . : / = + @ -

For more information, see [Tagging Amazon Security Lake resources](https://docs.aws.amazon.com//security-lake/latest/userguide/tagging-resources.html) in the *Amazon Security Lake User Guide*.

## Syntax
<a name="aws-properties-securitylake-datalake-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securitylake-datalake-tag-syntax.json"></a>

```
{
  "[Key](#cfn-securitylake-datalake-tag-key)" : String,
  "[Value](#cfn-securitylake-datalake-tag-value)" : String
}
```

### YAML
<a name="aws-properties-securitylake-datalake-tag-syntax.yaml"></a>

```
  [Key](#cfn-securitylake-datalake-tag-key): String
  [Value](#cfn-securitylake-datalake-tag-value): String
```

## Properties
<a name="aws-properties-securitylake-datalake-tag-properties"></a>

`Key`  <a name="cfn-securitylake-datalake-tag-key"></a>
The name of the tag. This is a general label that acts as a category for a more specific tag value (`value`).  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-securitylake-datalake-tag-value"></a>
The value that’s associated with the specified tag key (`key`). This value acts as a descriptor for the tag key. A tag value cannot be null, but it can be an empty string.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityLake::DataLake Transitions
<a name="aws-properties-securitylake-datalake-transitions"></a>

Provides transition lifecycle details of the Amazon Security Lake object. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide*.

## Syntax
<a name="aws-properties-securitylake-datalake-transitions-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securitylake-datalake-transitions-syntax.json"></a>

```
{
  "[Days](#cfn-securitylake-datalake-transitions-days)" : Integer,
  "[StorageClass](#cfn-securitylake-datalake-transitions-storageclass)" : String
}
```

### YAML
<a name="aws-properties-securitylake-datalake-transitions-syntax.yaml"></a>

```
  [Days](#cfn-securitylake-datalake-transitions-days): Integer
  [StorageClass](#cfn-securitylake-datalake-transitions-storageclass): String
```

## Properties
<a name="aws-properties-securitylake-datalake-transitions-properties"></a>

`Days`  <a name="cfn-securitylake-datalake-transitions-days"></a>
The number of days before data transitions to a different S3 Storage Class in the Amazon Security Lake object.  
*Required*: No  
*Type*: Integer  
*Minimum*: `1`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`StorageClass`  <a name="cfn-securitylake-datalake-transitions-storageclass"></a>
The S3 storage class that the data transitions to. Choose a storage class based on the data access, resiliency, and cost requirements of your workloads. The default storage class is **S3 Standard**. For information about other storage classes, see [Setting the storage class of an object](https://docs.aws.amazon.com/AmazonS3/latest/userguide/sc-howtoset.html) in the *Amazon S3 User Guide*.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
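The constraints stated across the LifecycleConfiguration, ReplicationConfiguration, Tag and Transitions sections above, gathered into one pre-deployment check of a DataLake resource's properties, as an added example that is not part of this reference guide or of the CloudFormation service. The property names `LifecycleConfiguration`, `ReplicationConfiguration` and `Tags` on the resource, the S3 storage class identifiers in the sample, and the ordering rule between transitions and expiration are assumptions not stated on this page.

```python
import re
# Constraints stated on this page: Days >= 1, RoleArn pattern ^arn:.*$, at most
# 50 tags, and the allowed tag characters. Everything else here is an assumption.
ARN_RE = re.compile(r"^arn:.*$")
TAG_RE = re.compile(r"^[A-Za-z0-9 _.:/=+@-]*$")
def validate_lifecycle(cfg):
    problems, days_seen = [], []
    for i, t in enumerate(cfg.get("Transitions", [])):
        d = t.get("Days")
        if d is not None and d < 1:
            problems.append(f"Transitions[{i}].Days must be >= 1")
        elif d is not None:
            days_seen.append(d)
    # Assumed S3 lifecycle rules (not on this page): increasing Days, expiration last.
    if days_seen != sorted(days_seen):
        problems.append("Transitions should be ordered by increasing Days")
    exp = cfg.get("Expiration", {}).get("Days")
    if exp is not None and exp < 1:
        problems.append("Expiration.Days must be >= 1")
    elif exp is not None and days_seen and exp <= max(days_seen):
        problems.append("Expiration.Days must exceed the last transition")
    return problems

def validate_tags(tags):
    problems = ["at most 50 tags allowed"] if len(tags) > 50 else []
    if len({t.get("Key") for t in tags}) != len(tags):
        problems.append("tag keys must be unique")
    for t in tags:
        key, val = t.get("Key"), t.get("Value")
        if not key or not TAG_RE.match(key):
            problems.append(f"tag key {key!r} missing or has disallowed characters")
        if val is None or not TAG_RE.match(val):  # an empty string is allowed
            problems.append(f"tag value for {key!r} null or has disallowed characters")
    return problems

def validate_datalake(props):
    """Check the Properties of one AWS::SecurityLake::DataLake resource."""
    problems = validate_lifecycle(props.get("LifecycleConfiguration", {}))
    arn = props.get("ReplicationConfiguration", {}).get("RoleArn")
    if arn is not None and not ARN_RE.match(arn):
        problems.append("ReplicationConfiguration.RoleArn must match ^arn:.*$")
    return problems + validate_tags(props.get("Tags", []))
SAMPLE = {  # constructed sample, not from the page; the account id is a placeholder
    "LifecycleConfiguration": {"Expiration": {"Days": 365}, "Transitions": [
        {"Days": 30, "StorageClass": "STANDARD_IA"}, {"Days": 90, "StorageClass": "GLACIER"}]},
    "ReplicationConfiguration": {"Regions": ["us-west-2"],
                                 "RoleArn": "arn:aws:iam::123456789012:role/example"},
    "Tags": [{"Key": "environment", "Value": "prod"}, {"Key": "owner", "Value": ""}],
}
```

Running `validate_datalake(SAMPLE)` returns an empty list; feed it the `Properties` of the resource from your template (for example after loading the template with a YAML parser) to catch these mistakes before a stack update.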