This feature is not yet generally available.



From the AWS document "What is Amazon Security Lake?":

Amazon Security Lake is a fully managed security data lake service. You can use Security Lake to automatically centralize security data from AWS and third-party sources into a data lake that's stored in your AWS account. Security Lake helps you analyze security data, so you can get a more complete understanding of your security posture across the entire organization.

Aqua can be integrated with Amazon Security Lake as a custom source to send audit events, which you can subsequently see in the AWS S3 bucket integrated with Security Lake. The same audit data can be used by the subscribers of Amazon Security Lake such as Datadog and Splunk. 

The audit events data sent by Aqua will be converted to the OCSF (Open Cybersecurity Schema Framework) schema in the Apache Parquet format, which can be used by the subscribers of Amazon Security Lake. 

Note: Aqua currently supports sending two types of audit events to Amazon Security Lake: Container Runtime and CVE. Support for additional types of audit events will be added in the future.

This integration creates the custom source aqua-security-finding to store audit events of the "Container Runtime" and "CVE" types.

The following diagram shows an example of how the audit events data sent by Aqua is processed in Amazon Security Lake and stored in the integrated S3 bucket: 

Key Terms: 

Integrate with Amazon Security Lake

Create Aqua custom sources in AWS Security Lake

  1. In the Aqua UI: Navigate to Administration > Integrations > Log Management
  2. Select Amazon Security Lake.

  3. If the greyed-out word "Disabled" is visible, click on it to enable the integration. 
  4. Copy the script from Step 1 in the Aqua UI and run it at a Bash prompt in AWS CloudShell (for more information, refer to Working with AWS CloudShell). This step creates the Aqua custom sources in Amazon Security Lake.
  5. In the AWS CloudShell command prompt, enter the following details: 
    • AWS Account ID: Your AWS account ID where Amazon Security Lake is deployed
    • ARN of the IAM role that has permissions to invoke Glue. For more information on these permissions and on creating the IAM role and policy, refer to Setting up IAM permissions for AWS Glue.

  6. Navigate to Amazon Security Lake and select Custom sources. You can see that Aqua’s custom source: aqua-security-finding is created.

Allow Aqua to send audit events to Amazon Security Lake

  1. In the Aqua UI step 2: Enter the AWS Region of Amazon Security Lake with which you want to integrate Aqua. 
  2. In the Aqua UI step 3: Click Launch Stack. The Quick create stack page appears. Values for most of the fields in the page are populated automatically; do not modify these values. 
  3. In the Quick create stack page, enter the following details:
    • Glue Invocation Role ARN: To get the Role ARN: In the Amazon console > Identity and Access Management (IAM) > Roles page, select the required role that you have already created with Glue invocation permissions, and get the ARN. For more information, refer to Finding Amazon Resource Names (ARNs).
    • Security Lake S3 Bucket: To get the S3 bucket name: In the Amazon console > Amazon S3 > Buckets page, select the required S3 bucket where you want to store Aqua’s audit events and get the S3 bucket name.
  4. Select the Acknowledgement checkbox. 
  5. Click Create Stack. You can see that a new stack has been created.

  6. In the Stack detailed view, click the Outputs tab.
  7. Copy the values of Aqua Event Bridge Bus ARN and Aqua Role ARN.

  8. In the Aqua UI step 4: Enter the copied Aqua Role ARN and Aqua Event Bridge Bus ARN values in the Role ARN and Event Bridge ARN fields, respectively.
  9. Click Test Connection to check that the link to the service is working.
  10. Click Save. This integration will allow Aqua to send audit events to the AWS S3 bucket integrated with Amazon Security Lake.


In the Administration > Integrations > Log Management page > AWS Security Lake widget, you can see that it is Enabled.

View Aqua audit events in Amazon Security Lake

  1. Navigate to the AWS S3 bucket which is used in the Security Lake integration with Aqua.
  2. In the Objects tab, navigate through the folder structure: ext/ > custom-source (“aqua-security-finding” selected in the screenshot below) > your current AWS region > your account ID > an event hour. You can see a separate file for each audit event of the specific type (security finding is shown below) sent by Aqua in a given hour.

  3. Click any file to see the Aqua audit event.
  4. In the Properties tab > Object actions menu, select Query with S3 Select.

  5. In the Query with S3 Select page, select the following settings, and click Run SQL query.
    • Input settings: Apache Parquet
    • Output settings: JSON

You can see the details of the audit event sent by Aqua in the Query results.

For more information, refer to the Amazon document Filtering and retrieving data using Amazon S3 Select.
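
The same check can be run from AWS CloudShell to confirm that Aqua audit events are arriving. This is an added example, not part of Aqua's or AWS's documentation; the function names are hypothetical, the bucket name is a placeholder you supply, and it assumes your role can list and read objects in the Security Lake bucket.

```shell
#!/usr/bin/env bash
# Added example: CLI counterpart of the console steps above.
# The custom source name comes from this page; everything else is supplied
# by the caller.

AQUA_SOURCE="aqua-security-finding"

# Prefix under which objects for the Aqua custom source are stored (ext/ > custom-source).
aqua_prefix() {
  printf 'ext/%s/' "$AQUA_SOURCE"
}

# Read "LastModified<TAB>Key" lines on stdin and print the key of the newest
# object. Folder placeholders (keys ending in "/") and the literal "None"
# that the CLI prints for an empty listing are ignored. ISO 8601 timestamps
# in the same time zone sort correctly as plain text.
newest_key() {
  grep -v '/$' | sort -r | head -n 1 | cut -s -f2
}

# List everything stored for the Aqua source as "LastModified<TAB>Key" lines.
# $1 = Security Lake S3 bucket name
list_aqua_objects() {
  aws s3api list-objects-v2 --bucket "$1" --prefix "$(aqua_prefix)" \
    --query 'Contents[].[LastModified,Key]' --output text
}

# Same query as "Query with S3 Select": Apache Parquet in, JSON out.
# $1 = bucket name, $2 = object key
show_aqua_event() {
  _out="$(mktemp)"
  aws s3api select-object-content --bucket "$1" --key "$2" \
    --expression 'SELECT * FROM S3Object s LIMIT 5' --expression-type SQL \
    --input-serialization '{"Parquet": {}}' \
    --output-serialization '{"JSON": {}}' "$_out"
  cat "$_out"
  rm -f "$_out"
}

# Usage in CloudShell (BUCKET is a placeholder for your bucket name):
#   key="$(list_aqua_objects "$BUCKET" | newest_key)"
#   [ -n "$key" ] && show_aqua_event "$BUCKET" "$key"
```

An empty result from newest_key means no object has been written for the custom source yet, which is worth checking before troubleshooting subscribers.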

Subscribers of Amazon Security Lake, such as Datadog and Splunk, can access Aqua audit events data.