By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

create a Security Lake

0

Hello I'm trying to launch a security lake but I faced this error: “ An error occurred. The ARN specified for the AmazonSecurityLakeMetaStoreManager IAM role isn't valid. Check the ARN.

Any helpful advice?

Thank in advanceScreenshot for error

Topics
Security, Identity, & Compliance
Tags
Amazon Security Lake
Language
English
Abd
asked 6 months ago205 views
1 Answer
4

Hi,

According to your question, you got the error message related to AmazonSecurityLakeMetaStoreManager IAM role validation.

You can resolve the problem by creating IAM Role with same permission manually.

  1. Delete AmazonSecurityLakeMetaStoreManager IAM Role, which is created automatically in SecurityLake console.

  2. Create new IAM Role

  3. Choose "Custom Trust Policy" and write the policy below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambda",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  1. Skip "Add permissions" now (we will add it in step 6.)

  2. Name the policy - AmazonSecurityLakeMetaStoreManager and Create role

  3. Add permissions to the created Role(AmazonSecurityLakeMetaStoreManager) with Inline Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowWriteLambdaLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:{{accountId}}:log-group:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
      ]
    },
    {
      "Sid": "AllowCreateAwsCloudWatchLogGroup",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:{{accountId}}:/aws/lambda/SecurityLake_Glue_Partition_Updater_Lambda*"
      ]
    },
    {
      "Sid": "AllowGlueManage",
      "Effect": "Allow",
      "Action": [
        "glue:CreatePartition",
        "glue:BatchCreatePartition"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
        "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
        "arn:aws:glue:*:*:catalog"
      ]
    },
    {
      "Sid": "AllowToReadFromSqs",
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": [
        "arn:aws:sqs:*:{{accountId}}:SecurityLake*"
      ]
    }
  ]
}

Then, you can find that ARN changed arn:aws:iam::{{AccountID}}:role/service-role/AmazonSecurityLakeMetaStoreManager ->
arn:aws:iam::169306238242:role/AmazonSecurityLakeMetaStoreManager.

Now you can successfully create SecurityLake.

[+] Amazon Security Lake - Complete other Presiquites (AWS Documentation)(ENG)

If I have missed anything or answered wrong, please feel free to ask me again. Also you have any questions, comment please!

profile picture
Seongju_L
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content