This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::SecurityLake::Subscriber Creates a subscriber for accounts that are already enabled in Amazon Security Lake. You can create a subscriber with access to data in the current AWS Region. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SecurityLake::Subscriber", "Properties" : { "[AccessTypes](#cfn-securitylake-subscriber-accesstypes)" : [ String, ... ], "[DataLakeArn](#cfn-securitylake-subscriber-datalakearn)" : String, "[Sources](#cfn-securitylake-subscriber-sources)" : [ Source, ... ], "[SubscriberDescription](#cfn-securitylake-subscriber-subscriberdescription)" : String, "[SubscriberIdentity](#cfn-securitylake-subscriber-subscriberidentity)" : SubscriberIdentity, "[SubscriberName](#cfn-securitylake-subscriber-subscribername)" : String, "[Tags](#cfn-securitylake-subscriber-tags)" : [ Tag, ... ] } } ``` ### YAML ``` Type: AWS::SecurityLake::Subscriber Properties: [AccessTypes](#cfn-securitylake-subscriber-accesstypes): - String [DataLakeArn](#cfn-securitylake-subscriber-datalakearn): String [Sources](#cfn-securitylake-subscriber-sources): - Source [SubscriberDescription](#cfn-securitylake-subscriber-subscriberdescription): String [SubscriberIdentity](#cfn-securitylake-subscriber-subscriberidentity): SubscriberIdentity [SubscriberName](#cfn-securitylake-subscriber-subscribername): String [Tags](#cfn-securitylake-subscriber-tags): - Tag ``` ## Properties `AccessTypes` You can choose to notify subscribers of new objects with an Amazon Simple Queue Service (Amazon SQS) queue or through messaging to an HTTPS endpoint provided by the subscriber. Subscribers can consume data by directly querying AWS Lake Formation tables in your Amazon S3 bucket through services like Amazon Athena. This subscription type is defined as `LAKEFORMATION`. *Required*: Yes *Type*: Array of String *Allowed values*: `LAKEFORMATION | S3` *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `DataLakeArn` The Amazon Resource Name (ARN) used to create the data lake. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `256` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Sources` Amazon Security Lake supports log and event collection for natively supported AWS services. For more information, see the [Amazon Security Lake User Guide](https://docs.aws.amazon.com//security-lake/latest/userguide/source-management.html). *Required*: Yes *Type*: Array of [Source](aws-properties-securitylake-subscriber-source.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SubscriberDescription` The subscriber descriptions for a subscriber account. The description for a subscriber includes `subscriberName`, `accountID`, `externalID`, and `subscriberId`. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SubscriberIdentity` The AWS identity used to access your data. *Required*: Yes *Type*: [SubscriberIdentity](aws-properties-securitylake-subscriber-subscriberidentity.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SubscriberName` The name of your Amazon Security Lake subscriber account. *Required*: Yes *Type*: String *Pattern*: `^[\\\w\s\-_:/,.@=+]*$` *Minimum*: `1` *Maximum*: `64` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tags` An array of objects, one for each tag to associate with the subscriber. For each tag, you must specify both a tag key and a tag value. A tag value cannot be null, but it can be an empty string. *Required*: No *Type*: Array of [Tag](aws-properties-securitylake-subscriber-tag.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `ref` function, `ref` returns the `Subscriber` name. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `ResourceShareArn` The Amazon Resource Name (ARN) of the Amazon Security Lake subscriber. `ResourceShareName` The ARN name of the Amazon Security Lake subscriber. `S3BucketArn` The Amazon Resource Name (ARN) of the S3 bucket. `SubscriberArn` The Amazon Resource Name (ARN) of the Security Lake subscriber. `SubscriberRoleArn` The Amazon Resource Name (ARN) of the role used to create the Security Lake subscriber. # AWS::SecurityLake::Subscriber AwsLogSource Adds a natively supported AWS service as an Amazon Security Lake source. Enables source types for member accounts in required AWS Regions, based on the parameters you specify. You can choose any source type in any Region for either accounts that are part of a trusted organization or standalone accounts. Once you add an AWS service as a source, Security Lake starts collecting logs and events from it. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[SourceName](#cfn-securitylake-subscriber-awslogsource-sourcename)" : String, "[SourceVersion](#cfn-securitylake-subscriber-awslogsource-sourceversion)" : String } ``` ### YAML ``` [SourceName](#cfn-securitylake-subscriber-awslogsource-sourcename): String [SourceVersion](#cfn-securitylake-subscriber-awslogsource-sourceversion): String ``` ## Properties `SourceName` Source name of the natively supported AWS service that is supported as an Amazon Security Lake source. For the list of sources supported by Amazon Security Lake see [Collecting data from AWS services](https://docs.aws.amazon.com//security-lake/latest/userguide/internal-sources.html) in the Amazon Security Lake User Guide. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SourceVersion` Source version of the natively supported AWS service that is supported as an Amazon Security Lake source. For more details about source versions supported by Amazon Security Lake see [OCSF source identification](https://docs.aws.amazon.com//security-lake/latest/userguide/open-cybersecurity-schema-framework.html#ocsf-source-identification) in the Amazon Security Lake User Guide. *Required*: No *Type*: String *Pattern*: `^(latest|[0-9]\.[0-9])$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityLake::Subscriber CustomLogSource Third-party custom log source that meets the requirements to be added to Amazon Security Lake. For more details, see [Custom log source](https://docs.aws.amazon.com//security-lake/latest/userguide/custom-sources.html#iam-roles-custom-sources) in the *Amazon Security Lake User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[SourceName](#cfn-securitylake-subscriber-customlogsource-sourcename)" : String, "[SourceVersion](#cfn-securitylake-subscriber-customlogsource-sourceversion)" : String } ``` ### YAML ``` [SourceName](#cfn-securitylake-subscriber-customlogsource-sourcename): String [SourceVersion](#cfn-securitylake-subscriber-customlogsource-sourceversion): String ``` ## Properties `SourceName` The name of the custom log source. *Required*: No *Type*: String *Pattern*: `^[\\\w\-_:/.]*$` *Minimum*: `1` *Maximum*: `64` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SourceVersion` The source version of the custom log source. *Required*: No *Type*: String *Pattern*: `^[A-Za-z0-9\-\.\_]*$` *Minimum*: `1` *Maximum*: `32` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityLake::Subscriber Source Sources are logs and events generated from a single system that match a specific event class in the Open Cybersecurity Schema Framework (OCSF) schema. Amazon Security Lake can collect logs and events from a variety of sources, including natively supported AWS services and third-party custom sources. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AwsLogSource](#cfn-securitylake-subscriber-source-awslogsource)" : AwsLogSource, "[CustomLogSource](#cfn-securitylake-subscriber-source-customlogsource)" : CustomLogSource } ``` ### YAML ``` [AwsLogSource](#cfn-securitylake-subscriber-source-awslogsource): AwsLogSource [CustomLogSource](#cfn-securitylake-subscriber-source-customlogsource): CustomLogSource ``` ## Properties `AwsLogSource` The natively supported AWS service which is used a Amazon Security Lake source to collect logs and events from. *Required*: No *Type*: [AwsLogSource](aws-properties-securitylake-subscriber-awslogsource.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `CustomLogSource` The custom log source AWS which is used a Amazon Security Lake source to collect logs and events from. *Required*: No *Type*: [CustomLogSource](aws-properties-securitylake-subscriber-customlogsource.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityLake::Subscriber SubscriberIdentity Specify the AWS account ID and external ID that the subscriber will use to access source data. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ExternalId](#cfn-securitylake-subscriber-subscriberidentity-externalid)" : String, "[Principal](#cfn-securitylake-subscriber-subscriberidentity-principal)" : String } ``` ### YAML ``` [ExternalId](#cfn-securitylake-subscriber-subscriberidentity-externalid): String [Principal](#cfn-securitylake-subscriber-subscriberidentity-principal): String ``` ## Properties `ExternalId` The external ID is a unique identifier that the subscriber provides to you. *Required*: Yes *Type*: String *Pattern*: `^[\w+=,.@:/-]*$` *Minimum*: `2` *Maximum*: `1224` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Principal` Principals can include accounts, users, roles, federated users, or AWS services. *Required*: Yes *Type*: String *Pattern*: `^([0-9]{12}|[a-z0-9\.\-]*\.(amazonaws|amazon)\.com)$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityLake::Subscriber Tag A *tag* is a label that you can define and associate with AWS resources, including certain types of Amazon Security Lake resources. Tags can help you identify, categorize, and manage resources in different ways, such as by owner, environment, or other criteria. You can associate tags with the following types of Security Lake resources: subscribers, and the data lake configuration for your AWS account in individual AWS Regions. A resource can have up to 50 tags. Each tag consists of a required *tag key* and an associated *tag value*. A *tag key* is a general label that acts as a category for a more specific tag value. Each tag key must be unique and it can have only one tag value. A *tag value* acts as a descriptor for a tag key. Tag keys and values are case sensitive. They can contain letters, numbers, spaces, or the following symbols: \$1 . : / = \$1 @ - For more information, see [Tagging Amazon Security Lake resources](https://docs.aws.amazon.com//security-lake/latest/userguide/tagging-resources.html) in the *Amazon Security Lake User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-securitylake-subscriber-tag-key)" : String, "[Value](#cfn-securitylake-subscriber-tag-value)" : String } ``` ### YAML ``` [Key](#cfn-securitylake-subscriber-tag-key): String [Value](#cfn-securitylake-subscriber-tag-value): String ``` ## Properties `Key` The name of the tag. This is a general label that acts as a category for a more specific tag value (`value`). *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The value that’s associated with the specified tag key (`key`). This value acts as a descriptor for the tag key. A tag value cannot be null, but it can be an empty string. *Required*: Yes *Type*: String *Minimum*: `0` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)