Summary
Phase 6 (optional, compliance-grade). Normalize Coder audit events to OCSF and
land them in Amazon Security Lake, then enable Security Hub and Detective for
findings and investigation. Design: docs/plans/observability-aws-native.md.
Background and caveats
Security Lake and Detective APIs are available (verified read-only), but Security
Hub is not subscribed (securityhub describe-hub returns InvalidAccessException: not subscribed) and Detective has no graph yet. These must be enabled first.
This path is heavier than the Firehose to S3 to Athena archive and should be
adopted only if OCSF normalization and Security Hub/Detective are required.
Tasks
Acceptance criteria
- Coder audit events appear as OCSF records in Security Lake.
- A subscriber (Athena or Security Hub) can query normalized Coder events.
Notes
- Confirm GovCloud feature parity for Security Lake, Security Hub, and Detective
before committing; mark any gaps discovered during build.
Generated by Coder Agents.
Tasks
us-gov-west-1 and choose the rollup and storage configuration.
Account Change, and API Activity classes) via a Glue or Lambda transform from
the audit JSON.
a Security Lake subscriber).