Amazon Security Lake

2023/03/15 - Amazon Security Lake - 5 updated api methods

Changes: Make the Create/Get/ListSubscribers APIs return the resource share ARN and name so they can be used to validate the RAM resource share before accepting it. GetDatalake can be used to track the status of UpdateDatalake and DeleteDatalake requests.

CreateSubscriber (updated)
Changes (response)
{'resourceShareArn': 'string', 'resourceShareName': 'string'}

Creates a subscription permission for accounts that are already enabled in Amazon Security Lake. You can create a subscriber with access to data in the current Amazon Web Services Region.

See also: AWS API Documentation

Request Syntax

client.create_subscriber(
    accessTypes=[
        'LAKEFORMATION'|'S3',
    ],
    accountId='string',
    externalId='string',
    sourceTypes=[
        {
            'awsSourceType': 'ROUTE53'|'VPC_FLOW'|'CLOUD_TRAIL'|'SH_FINDINGS',
            'customSourceType': 'string'
        },
    ],
    subscriberDescription='string',
    subscriberName='string'
)

Parameters

  • accessTypes (list) --

    The Amazon S3 or Lake Formation access type.

    • (string) --

  • accountId (string) -- [REQUIRED]

    The Amazon Web Services account ID used to access your data.

  • externalId (string) -- [REQUIRED]

    The external ID of the subscriber. This lets the user that is assuming the role assert the circumstances in which they are operating. It also provides a way for the account owner to permit the role to be assumed only under specific circumstances.

  • sourceTypes (list) -- [REQUIRED]

    The supported Amazon Web Services from which logs and events are collected. Security Lake supports log and event collection for natively supported Amazon Web Services.

    • (dict) --

      The supported source types from which logs and events are collected in Amazon Security Lake. For the list of supported Amazon Web Services, see the Amazon Security Lake User Guide.

      Note

      This is a Tagged Union structure. Only one of the following top level keys can be set: awsSourceType, customSourceType.

      • awsSourceType (string) --

        Amazon Security Lake supports log and event collection for natively supported Amazon Web Services.

      • customSourceType (string) --

        Amazon Security Lake supports custom source types. For a detailed list, see the Amazon Security Lake User Guide.

  • subscriberDescription (string) --

    The description for your subscriber account in Security Lake.

  • subscriberName (string) -- [REQUIRED]

    The name of your Security Lake subscriber account.

Return type

dict

Returns

Response Syntax

{
    'resourceShareArn': 'string',
    'resourceShareName': 'string',
    'roleArn': 'string',
    's3BucketArn': 'string',
    'snsArn': 'string',
    'subscriptionId': 'string'
}

Response Structure

  • (dict) --

    • resourceShareArn (string) --

      The Amazon Resource Name (ARN) which uniquely defines the AWS RAM resource share. Before accepting the RAM resource share invitation, you can view details related to the RAM resource share.

    • resourceShareName (string) --

      The name of the resource share.

    • roleArn (string) --

      The Amazon Resource Name (ARN) created by you to provide to the subscriber. For more information about ARNs and how to use them in policies, see Amazon Security Lake User Guide.

    • s3BucketArn (string) --

      The ARN for the Amazon S3 bucket.

    • snsArn (string) --

      The ARN for the Amazon Simple Notification Service.

    • subscriptionId (string) --

      The subscriptionId created by the CreateSubscriber API call.
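
The reason the resource share ARN and name are returned is so the subscriber account can check the RAM invitation it is about to accept against what Security Lake actually created. The following is an added example, not code from the boto3 documentation or from Amazon Security Lake: the sample responses and account IDs are constructed, and only `accept_matching_share()` (never called on import) touches the real boto3 RAM client methods `get_resource_share_invitations` and `accept_resource_share_invitation`. The same check works on the `subscriber` dict that GetSubscriber and ListSubscribers return.

```python
from typing import Optional

# Constructed sample: the data lake account's create_subscriber response
# (a get_subscriber/list_subscribers 'subscriber' dict carries the same keys).
SAMPLE_SUBSCRIBER_RESPONSE = {
    "resourceShareArn": "arn:aws:ram:us-east-1:111111111111:resource-share/0000-example",
    "resourceShareName": "LakeFormation-V2-EXAMPLE",
    "subscriptionId": "11111111-2222-3333-4444-555555555555",
}

# Constructed sample: pending invitations as ram.get_resource_share_invitations()
# would list them in the subscriber account. The second one reuses the share
# name but comes from another account, so it must not be accepted.
SAMPLE_INVITATIONS = [
    {
        "resourceShareInvitationArn": "arn:aws:ram:us-east-1:111111111111:resource-share-invitation/aaaa",
        "resourceShareName": "LakeFormation-V2-EXAMPLE",
        "resourceShareArn": "arn:aws:ram:us-east-1:111111111111:resource-share/0000-example",
        "senderAccountId": "111111111111",
        "status": "PENDING",
    },
    {
        "resourceShareInvitationArn": "arn:aws:ram:us-east-1:999999999999:resource-share-invitation/bbbb",
        "resourceShareName": "LakeFormation-V2-EXAMPLE",
        "resourceShareArn": "arn:aws:ram:us-east-1:999999999999:resource-share/9999-other",
        "senderAccountId": "999999999999",
        "status": "PENDING",
    },
]


def expected_share(subscriber: dict) -> Optional[tuple]:
    """Return (resourceShareArn, resourceShareName) from a CreateSubscriber
    response or a GetSubscriber/ListSubscribers 'subscriber' dict, or None
    when the fields are absent (S3 subscribers, and Lake Formation
    subscribers created before March 8, 2023)."""
    sub = subscriber.get("subscriber", subscriber)
    arn, name = sub.get("resourceShareArn"), sub.get("resourceShareName")
    return (arn, name) if arn and name else None


def select_invitation(subscriber: dict, invitations: list,
                      lake_account_id: str) -> Optional[str]:
    """Return the single invitation ARN to accept, or None.

    An invitation qualifies only if its share ARN and share name equal what
    Security Lake returned, the sender is the data lake account, and it is
    still PENDING. Matching on the name alone is not enough: the ARN embeds
    the sending account, the name does not. Zero or several matches -> None.
    """
    expected = expected_share(subscriber)
    if expected is None:
        return None
    arn, name = expected
    matches = [
        inv["resourceShareInvitationArn"]
        for inv in invitations
        if inv.get("resourceShareArn") == arn
        and inv.get("resourceShareName") == name
        and inv.get("senderAccountId") == lake_account_id
        and inv.get("status") == "PENDING"
    ]
    return matches[0] if len(matches) == 1 else None


def accept_matching_share(subscriber: dict, lake_account_id: str,
                          region: str) -> Optional[str]:
    """Live variant, not exercised offline: ask RAM for invitations to the
    expected share and accept only the one select_invitation() approves."""
    import boto3  # imported lazily so the functions above run without boto3
    ram = boto3.client("ram", region_name=region)
    expected = expected_share(subscriber)
    if expected is None:
        return None
    page = ram.get_resource_share_invitations(resourceShareArns=[expected[0]])
    chosen = select_invitation(subscriber, page["resourceShareInvitations"],
                               lake_account_id)
    if chosen is not None:
        ram.accept_resource_share_invitation(resourceShareInvitationArn=chosen)
    return chosen
```

Run `accept_matching_share()` with the subscriber account's credentials; the data lake account's ID is the one whose CreateSubscriber response you are holding.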

GetDatalake (updated)
Changes (response)
{'configurations': {'updateStatus': {'lastUpdateFailure': {'code': 'string',
                                                           'reason': 'string'},
                                     'lastUpdateRequestId': 'string',
                                     'lastUpdateStatus': 'INITIALIZED | '
                                                         'PENDING | COMPLETED '
                                                         '| FAILED'}}}

Retrieves the Amazon Security Lake configuration object for the specified Amazon Web Services account ID. You can use the GetDatalake API to determine whether Security Lake is enabled for the current Region. This API does not take input parameters.

See also: AWS API Documentation

Request Syntax

client.get_datalake()

Return type

dict

Returns

Response Syntax

{
    'configurations': {
        'string': {
            'encryptionKey': 'string',
            'replicationDestinationRegions': [
                'us-east-1'|'us-west-2'|'eu-central-1'|'us-east-2'|'eu-west-1'|'ap-northeast-1'|'ap-southeast-2',
            ],
            'replicationRoleArn': 'string',
            'retentionSettings': [
                {
                    'retentionPeriod': 123,
                    'storageClass': 'STANDARD_IA'|'ONEZONE_IA'|'INTELLIGENT_TIERING'|'GLACIER_IR'|'GLACIER'|'DEEP_ARCHIVE'|'EXPIRE'
                },
            ],
            's3BucketArn': 'string',
            'status': 'INITIALIZED'|'PENDING'|'COMPLETED'|'FAILED',
            'tagsMap': {
                'string': 'string'
            },
            'updateStatus': {
                'lastUpdateFailure': {
                    'code': 'string',
                    'reason': 'string'
                },
                'lastUpdateRequestId': 'string',
                'lastUpdateStatus': 'INITIALIZED'|'PENDING'|'COMPLETED'|'FAILED'
            }
        }
    }
}

Response Structure

  • (dict) --

    • configurations (dict) --

      Retrieves the Security Lake configuration object.

      • (string) --

        • (dict) --

          Provides details of the Amazon Security Lake configuration object.

          • encryptionKey (string) --

            The type of encryption key used to secure the Security Lake configuration object.

          • replicationDestinationRegions (list) --

            Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. Amazon S3 buckets that are configured for object replication can be owned by the same Amazon Web Services account or by different accounts. You can replicate objects to a single destination bucket or to multiple destination buckets. The destination buckets can be in different Amazon Web Services Regions or within the same Region as the source bucket.

            Set up one or more rollup Regions by providing the Region or Regions that should contribute to the central rollup Region.

            • (string) --

          • replicationRoleArn (string) --

            Replication settings for the Amazon S3 buckets. This parameter uses the IAM role you created, which is managed by Security Lake, to ensure that the replication setting is correct.

          • retentionSettings (list) --

            Retention settings for the destination Amazon S3 buckets.

            • (dict) --

              Retention settings for the destination Amazon S3 buckets in Amazon Security Lake.

              • retentionPeriod (integer) --

                The retention period specifies a fixed period of time during which the Security Lake object remains locked. You can specify the retention period in days for one or more sources.

              • storageClass (string) --

                The range of storage classes that you can choose from based on the data access, resiliency, and cost requirements of your workloads.

          • s3BucketArn (string) --

            Amazon Resource Names (ARNs) uniquely identify Amazon Web Services resources. Security Lake requires an ARN when you need to specify a resource unambiguously across all of Amazon Web Services, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.

          • status (string) --

            Retrieves the status of the configuration operation for an account in Amazon Security Lake.

          • tagsMap (dict) --

            A tag is a label that you assign to an Amazon Web Services resource. Each tag consists of a key and an optional value, both of which you define.

            • (string) --

              • (string) --

          • updateStatus (dict) --

            The status of the last UpdateDatalake or DeleteDatalake API request.

            • lastUpdateFailure (dict) --

              The details of the last UpdateDatalake or DeleteDatalake API request which failed.

              • code (string) --

                The reason code for the failure of the last UpdateDatalake or DeleteDatalake API request.

              • reason (string) --

                The reason for the failure of the last UpdateDatalake or DeleteDatalake API request.

            • lastUpdateRequestId (string) --

              The unique ID for the UpdateDatalake or DeleteDatalake API request.

            • lastUpdateStatus (string) --

              The status of the last UpdateDatalake or DeleteDatalake API request.
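
Because UpdateDatalake and DeleteDatalake are asynchronous, the updateStatus block above is how a caller finds out whether its request finished, and lastUpdateRequestId is what tells a stale record from the one it issued. The following is an added example, not code from the boto3 documentation or from Amazon Security Lake: `update_outcome()` interprets a GetDatalake response for one Region, `wait_for_update()` polls the real `get_datalake()` method until the request settles, and the sample responses, request IDs, bucket ARN and failure code are constructed; `FakeSecurityLake` stands in for the boto3 client so the demo runs offline.

```python
import time
from typing import Optional

TERMINAL_STATES = {"COMPLETED", "FAILED"}


def update_outcome(response: dict, region: str,
                   request_id: Optional[str] = None) -> dict:
    """Interpret a GetDatalake response for one Region.

    Returns {'state', 'code', 'reason'}. 'state' is lastUpdateStatus when the
    record belongs to request_id (or no request_id was given), 'STALE' when
    updateStatus still describes an earlier request, and 'UNKNOWN' when the
    Region is absent or carries no updateStatus. 'code'/'reason' are taken
    from lastUpdateFailure only when the state is FAILED.
    """
    cfg = response.get("configurations", {}).get(region)
    if not cfg or "updateStatus" not in cfg:
        return {"state": "UNKNOWN", "code": None, "reason": None}
    upd = cfg["updateStatus"]
    if request_id is not None and upd.get("lastUpdateRequestId") != request_id:
        return {"state": "STALE", "code": None, "reason": None}
    state = upd.get("lastUpdateStatus", "UNKNOWN")
    failure = (upd.get("lastUpdateFailure") or {}) if state == "FAILED" else {}
    return {"state": state, "code": failure.get("code"),
            "reason": failure.get("reason")}


def wait_for_update(client, region: str, request_id: str,
                    timeout_s: float = 600, interval_s: float = 15) -> dict:
    """Poll client.get_datalake() (the real securitylake method name) until
    the request reaches COMPLETED or FAILED or the timeout elapses. A STALE
    result just means the service has not recorded the new request yet."""
    deadline = time.monotonic() + timeout_s
    while True:
        outcome = update_outcome(client.get_datalake(), region, request_id)
        if outcome["state"] in TERMINAL_STATES or time.monotonic() >= deadline:
            return outcome
        time.sleep(interval_s)


def sample_response(status: str, request_id: str,
                    failure: Optional[dict] = None) -> dict:
    """Constructed GetDatalake response for us-east-1 in the documented shape."""
    return {"configurations": {"us-east-1": {
        "s3BucketArn": "arn:aws:s3:::aws-security-data-lake-us-east-1-example",
        "status": "COMPLETED",
        "updateStatus": {
            "lastUpdateRequestId": request_id,
            "lastUpdateStatus": status,
            "lastUpdateFailure": failure or {},
        },
    }}}


class FakeSecurityLake:
    """Stand-in for boto3.client('securitylake') that replays scripted
    responses; the last one is repeated once the script runs out."""
    def __init__(self, responses: list):
        self._responses = list(responses)

    def get_datalake(self) -> dict:
        if len(self._responses) > 1:
            return self._responses.pop(0)
        return self._responses[0]


def demo() -> dict:
    """Offline run: a stale record, then PENDING, then FAILED with its reason.
    The failure code and reason are constructed values, not real ones."""
    client = FakeSecurityLake([
        sample_response("COMPLETED", "req-0"),   # previous request, still shown
        sample_response("PENDING", "req-1"),
        sample_response("FAILED", "req-1",
                        {"code": "ExampleFailureCode", "reason": "constructed"}),
    ])
    return wait_for_update(client, "us-east-1", "req-1", timeout_s=5, interval_s=0)
```

Against the live service, pass `boto3.client("securitylake")` as `client` and the request ID from your UpdateDatalake or DeleteDatalake call; a result that is still PENDING or STALE at the deadline means the operation has not settled, not that it failed.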

GetSubscriber (updated)
Changes (response)
{'subscriber': {'resourceShareArn': 'string', 'resourceShareName': 'string'}}

Retrieves the subscription information for the specified subscription ID. You can get information about a specific subscriber.

See also: AWS API Documentation

Request Syntax

client.get_subscriber(
    id='string'
)

Parameters

  • id (string) -- [REQUIRED]

    A value created by Amazon Security Lake that uniquely identifies your GetSubscriber API request.

Return type

dict

Returns

Response Syntax

{
    'subscriber': {
        'accessTypes': [
            'LAKEFORMATION'|'S3',
        ],
        'accountId': 'string',
        'createdAt': datetime(2015, 1, 1),
        'externalId': 'string',
        'resourceShareArn': 'string',
        'resourceShareName': 'string',
        'roleArn': 'string',
        's3BucketArn': 'string',
        'snsArn': 'string',
        'sourceTypes': [
            {
                'awsSourceType': 'ROUTE53'|'VPC_FLOW'|'CLOUD_TRAIL'|'SH_FINDINGS',
                'customSourceType': 'string'
            },
        ],
        'subscriberDescription': 'string',
        'subscriberName': 'string',
        'subscriptionEndpoint': 'string',
        'subscriptionId': 'string',
        'subscriptionProtocol': 'HTTPS'|'SQS',
        'subscriptionStatus': 'ACTIVE'|'DEACTIVATED'|'PENDING'|'READY',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • subscriber (dict) --

      The subscription information for the specified subscription ID.

      • accessTypes (list) --

        You can choose to notify subscribers of new objects with an Amazon Simple Queue Service (Amazon SQS) queue or through messaging to an HTTPS endpoint provided by the subscriber.

        Subscribers can consume data by directly querying Lake Formation tables in your Amazon S3 bucket through services like Amazon Athena. This subscription type is defined as LAKEFORMATION.

        • (string) --

      • accountId (string) --

        The Amazon Web Services account ID you are using to create your Amazon Security Lake account.

      • createdAt (datetime) --

        The date and time when the subscription was created.

      • externalId (string) --

        The external ID of the subscriber. The external ID lets the user that is assuming the role assert the circumstances in which they are operating. It also provides a way for the account owner to permit the role to be assumed only under specific circumstances.

      • resourceShareArn (string) --

        The Amazon Resource Name (ARN) which uniquely defines the AWS RAM resource share. Before accepting the RAM resource share invitation, you can view details related to the RAM resource share.

        This field is available only for Lake Formation subscribers created after March 8, 2023.

      • resourceShareName (string) --

        The name of the resource share.

      • roleArn (string) --

        The Amazon Resource Name (ARN) specifying the role of the subscriber.

      • s3BucketArn (string) --

        The ARN for the Amazon S3 bucket.

      • snsArn (string) --

        The ARN for the Amazon Simple Notification Service.

      • sourceTypes (list) --

        Amazon Security Lake supports log and event collection for natively supported Amazon Web Services. For more information, see the Amazon Security Lake User Guide.

        • (dict) --

          The supported source types from which logs and events are collected in Amazon Security Lake. For the list of supported Amazon Web Services, see the Amazon Security Lake User Guide.

          Note

          This is a Tagged Union structure. Only one of the following top level keys will be set: awsSourceType, customSourceType. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

          'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}

          • awsSourceType (string) --

            Amazon Security Lake supports log and event collection for natively supported Amazon Web Services.

          • customSourceType (string) --

            Amazon Security Lake supports custom source types. For a detailed list, see the Amazon Security Lake User Guide.

      • subscriberDescription (string) --

        The subscriber descriptions for a subscriber account. The description for a subscriber includes subscriberName, accountID, externalID, and subscriptionId.

      • subscriberName (string) --

        The name of your Amazon Security Lake subscriber account.

      • subscriptionEndpoint (string) --

        The subscription endpoint to which exception messages are posted.

      • subscriptionId (string) --

        The subscription ID of the Amazon Security Lake subscriber account.

      • subscriptionProtocol (string) --

        The subscription protocol to which exception messages are posted.

      • subscriptionStatus (string) --

        The subscription status of the Amazon Security Lake subscriber account.

      • updatedAt (datetime) --

        The date and time when the subscription was created.

ListSubscribers (updated)
Changes (response)
{'subscribers': {'resourceShareArn': 'string', 'resourceShareName': 'string'}}

List all subscribers for the specific Amazon Security Lake account ID. You can retrieve a list of subscriptions associated with a specific organization or Amazon Web Services account.

See also: AWS API Documentation

Request Syntax

client.list_subscribers(
    maxResults=123,
    nextToken='string'
)

Parameters

  • maxResults (integer) --

    The maximum number of accounts for which the configuration is displayed.

  • nextToken (string) --

    If nextToken is returned, there are more results available. You can repeat the call using the returned token to retrieve the next page.

Return type

dict

Returns

Response Syntax

{
    'nextToken': 'string',
    'subscribers': [
        {
            'accessTypes': [
                'LAKEFORMATION'|'S3',
            ],
            'accountId': 'string',
            'createdAt': datetime(2015, 1, 1),
            'externalId': 'string',
            'resourceShareArn': 'string',
            'resourceShareName': 'string',
            'roleArn': 'string',
            's3BucketArn': 'string',
            'snsArn': 'string',
            'sourceTypes': [
                {
                    'awsSourceType': 'ROUTE53'|'VPC_FLOW'|'CLOUD_TRAIL'|'SH_FINDINGS',
                    'customSourceType': 'string'
                },
            ],
            'subscriberDescription': 'string',
            'subscriberName': 'string',
            'subscriptionEndpoint': 'string',
            'subscriptionId': 'string',
            'subscriptionProtocol': 'HTTPS'|'SQS',
            'subscriptionStatus': 'ACTIVE'|'DEACTIVATED'|'PENDING'|'READY',
            'updatedAt': datetime(2015, 1, 1)
        },
    ]
}

Response Structure

  • (dict) --

    • nextToken (string) --

      If nextToken is returned, there are more results available. You can repeat the call using the returned token to retrieve the next page.

    • subscribers (list) --

      The subscribers available for the specified Security Lake account ID.

      • (dict) --

        Provides details about the Amazon Security Lake account subscription. Subscribers are notified of new objects for a source as the data is written to your Amazon S3 bucket for Security Lake.

        • accessTypes (list) --

          You can choose to notify subscribers of new objects with an Amazon Simple Queue Service (Amazon SQS) queue or through messaging to an HTTPS endpoint provided by the subscriber.

          Subscribers can consume data by directly querying Lake Formation tables in your Amazon S3 bucket through services like Amazon Athena. This subscription type is defined as LAKEFORMATION.

          • (string) --

        • accountId (string) --

          The Amazon Web Services account ID you are using to create your Amazon Security Lake account.

        • createdAt (datetime) --

          The date and time when the subscription was created.

        • externalId (string) --

          The external ID of the subscriber. The external ID lets the user that is assuming the role assert the circumstances in which they are operating. It also provides a way for the account owner to permit the role to be assumed only under specific circumstances.

        • resourceShareArn (string) --

          The Amazon Resource Name (ARN) which uniquely defines the AWS RAM resource share. Before accepting the RAM resource share invitation, you can view details related to the RAM resource share.

          This field is available only for Lake Formation subscribers created after March 8, 2023.

        • resourceShareName (string) --

          The name of the resource share.

        • roleArn (string) --

          The Amazon Resource Name (ARN) specifying the role of the subscriber.

        • s3BucketArn (string) --

          The ARN for the Amazon S3 bucket.

        • snsArn (string) --

          The ARN for the Amazon Simple Notification Service.

        • sourceTypes (list) --

          Amazon Security Lake supports log and event collection for natively supported Amazon Web Services. For more information, see the Amazon Security Lake User Guide.

          • (dict) --

            The supported source types from which logs and events are collected in Amazon Security Lake. For the list of supported Amazon Web Services, see the Amazon Security Lake User Guide.

            Note

            This is a Tagged Union structure. Only one of the following top level keys will be set: awsSourceType, customSourceType. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

            'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}

            • awsSourceType (string) --

              Amazon Security Lake supports log and event collection for natively supported Amazon Web Services.

            • customSourceType (string) --

              Amazon Security Lake supports custom source types. For a detailed list, see the Amazon Security Lake User Guide.

        • subscriberDescription (string) --

          The subscriber descriptions for a subscriber account. The description for a subscriber includes subscriberName, accountID, externalID, and subscriptionId.

        • subscriberName (string) --

          The name of your Amazon Security Lake subscriber account.

        • subscriptionEndpoint (string) --

          The subscription endpoint to which exception messages are posted.

        • subscriptionId (string) --

          The subscription ID of the Amazon Security Lake subscriber account.

        • subscriptionProtocol (string) --

          The subscription protocol to which exception messages are posted.

        • subscriptionStatus (string) --

          The subscription status of the Amazon Security Lake subscriber account.

        • updatedAt (datetime) --

          The date and time when the subscription was created.

UpdateSubscriber (updated)
Changes (response)
{'subscriber': {'resourceShareArn': 'string', 'resourceShareName': 'string'}}

Updates an existing subscription for the given Amazon Security Lake account ID. You can update a subscriber by changing the sources that the subscriber consumes data from.

See also: AWS API Documentation

Request Syntax

client.update_subscriber(
    externalId='string',
    id='string',
    sourceTypes=[
        {
            'awsSourceType': 'ROUTE53'|'VPC_FLOW'|'CLOUD_TRAIL'|'SH_FINDINGS',
            'customSourceType': 'string'
        },
    ],
    subscriberDescription='string',
    subscriberName='string'
)

Parameters

  • externalId (string) --

    The external ID of the Security Lake account.

  • id (string) -- [REQUIRED]

    A value created by Security Lake that uniquely identifies your subscription.

  • sourceTypes (list) -- [REQUIRED]

    The supported Amazon Web Services from which logs and events are collected. For the list of supported Amazon Web Services, see the Amazon Security Lake User Guide.

    • (dict) --

      The supported source types from which logs and events are collected in Amazon Security Lake. For the list of supported Amazon Web Services, see the Amazon Security Lake User Guide.

      Note

      This is a Tagged Union structure. Only one of the following top level keys can be set: awsSourceType, customSourceType.

      • awsSourceType (string) --

        Amazon Security Lake supports log and event collection for natively supported Amazon Web Services.

      • customSourceType (string) --

        Amazon Security Lake supports custom source types. For a detailed list, see the Amazon Security Lake User Guide.

  • subscriberDescription (string) --

    The description of the Security Lake account subscriber.

  • subscriberName (string) --

    The name of the Security Lake account subscriber.

Return type

dict

Returns

Response Syntax

{
    'subscriber': {
        'accessTypes': [
            'LAKEFORMATION'|'S3',
        ],
        'accountId': 'string',
        'createdAt': datetime(2015, 1, 1),
        'externalId': 'string',
        'resourceShareArn': 'string',
        'resourceShareName': 'string',
        'roleArn': 'string',
        's3BucketArn': 'string',
        'snsArn': 'string',
        'sourceTypes': [
            {
                'awsSourceType': 'ROUTE53'|'VPC_FLOW'|'CLOUD_TRAIL'|'SH_FINDINGS',
                'customSourceType': 'string'
            },
        ],
        'subscriberDescription': 'string',
        'subscriberName': 'string',
        'subscriptionEndpoint': 'string',
        'subscriptionId': 'string',
        'subscriptionProtocol': 'HTTPS'|'SQS',
        'subscriptionStatus': 'ACTIVE'|'DEACTIVATED'|'PENDING'|'READY',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • subscriber (dict) --

      The account of the subscriber.

      • accessTypes (list) --

        You can choose to notify subscribers of new objects with an Amazon Simple Queue Service (Amazon SQS) queue or through messaging to an HTTPS endpoint provided by the subscriber.

        Subscribers can consume data by directly querying Lake Formation tables in your Amazon S3 bucket through services like Amazon Athena. This subscription type is defined as LAKEFORMATION.

        • (string) --

      • accountId (string) --

        The Amazon Web Services account ID you are using to create your Amazon Security Lake account.

      • createdAt (datetime) --

        The date and time when the subscription was created.

      • externalId (string) --

        The external ID of the subscriber. The external ID lets the user that is assuming the role assert the circumstances in which they are operating. It also provides a way for the account owner to permit the role to be assumed only under specific circumstances.

      • resourceShareArn (string) --

        The Amazon Resource Name (ARN) which uniquely defines the AWS RAM resource share. Before accepting the RAM resource share invitation, you can view details related to the RAM resource share.

        This field is available only for Lake Formation subscribers created after March 8, 2023.

      • resourceShareName (string) --

        The name of the resource share.

      • roleArn (string) --

        The Amazon Resource Name (ARN) specifying the role of the subscriber.

      • s3BucketArn (string) --

        The ARN for the Amazon S3 bucket.

      • snsArn (string) --

        The ARN for the Amazon Simple Notification Service.

      • sourceTypes (list) --

        Amazon Security Lake supports log and event collection for natively supported Amazon Web Services. For more information, see the Amazon Security Lake User Guide.

        • (dict) --

          The supported source types from which logs and events are collected in Amazon Security Lake. For the list of supported Amazon Web Services, see the Amazon Security Lake User Guide.

          Note

          This is a Tagged Union structure. Only one of the following top level keys will be set: awsSourceType, customSourceType. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

          'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}

          • awsSourceType (string) --

            Amazon Security Lake supports log and event collection for natively supported Amazon Web Services.

          • customSourceType (string) --

            Amazon Security Lake supports custom source types. For a detailed list, see the Amazon Security Lake User Guide.

      • subscriberDescription (string) --

        The subscriber descriptions for a subscriber account. The description for a subscriber includes subscriberName, accountID, externalID, and subscriptionId.

      • subscriberName (string) --

        The name of your Amazon Security Lake subscriber account.

      • subscriptionEndpoint (string) --

        The subscription endpoint to which exception messages are posted.

      • subscriptionId (string) --

        The subscription ID of the Amazon Security Lake subscriber account.

      • subscriptionProtocol (string) --

        The subscription protocol to which exception messages are posted.

      • subscriptionStatus (string) --

        The subscription status of the Amazon Security Lake subscriber account.

      • updatedAt (datetime) --

        The date and time when the subscription was created.