by John Lukach
Amazon Security Lake should be the default solution for collecting and searching Route53 Query and VPC Flow logs. The savings for indirect staffing costs alone to manage the logging configurations is a quick win!
Add in some Athena and S3 costs for a price that is hard to beat.
However, as I use Security Lake more, there is a common bug where Athena searches successfully run but do not return any results. Both potential problems lie with the automatically generated Lambda deployed in each activated region.
First, the SQS Lambda Trigger for SecurityLake_us-east-2_MAIN_QUEUE_1_0 is not always enabled.
Second, the deployed Lambda does not receive the correct KMS grant. Swapping the role to a temporary one and back again has worked best.
Redrive SecurityLake_us-east-2_DLQ_1_0 messages from the dead-letter queue to resolve the Athena search result issue.tags: Amazon - Security - Lake