AWS data inputs
Data input rules
Each data input requires a combination of a unique data account ID and a source type. For example, if you're ingesting data from the same AWS account, you can create separate data inputs for different data sources from the AWS Security and AWS Metadata group like AWS CloudTrail, AWS Security Hub, and Amazon GuardDuty.
An exception applies to Amazon CloudWatch Logs. For any given data account ID, you can create only one data input for Amazon CloudWatch Logs. Therefore, if you want to add data from additional data sources, for example Lambda or Amazon RDS, you must edit your existing Amazon CloudWatch Logs data input instead of creating a new one. For details on how to edit data inputs, see Edit your AWS data inputs for Data Manager.
When you create data inputs for AWS Organizations, keep in mind that you work with organizational units. For more information about creating data inputs for AWS Organizations, see Configure AWS for onboarding from organizational units.
Handling connections from optional AWS regions
Consider the following behavior when configuring your AWS security and access controls:
Starting with version 1.14.1 of Data Manager, AWS data inputs use regional endpoints instead of the global address. However, when you use certain optional AWS regions (for example af-south-1), you might not connect directly to those regions. In these situations, the system sends initial authorization requests through the default region us-east-1 before connecting to your target region.
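As an added example (not part of the original documentation or the product's code), the following pre-flight check computes which regions a data input needs, including the us-east-1 authorization hop described above, and flags any that a region-restricting Deny policy would block. The sample policy, the function names, and the assumption that the authorization request is evaluated by your controls as a us-east-1 request are constructed for illustration; only af-south-1 and us-east-1 come from the page.

```python
DEFAULT_AUTH_REGION = "us-east-1"   # per the page: initial authorization goes through here
OPTIONAL_REGIONS = {"af-south-1"}   # the only region the page names; extend as needed

# Constructed sample: SCP-style region restriction that leaves out us-east-1.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"StringNotEquals": {
            "aws:RequestedRegion": ["af-south-1", "eu-west-1"]}},
    }],
}

def required_regions(targets, optional=OPTIONAL_REGIONS):
    """Target regions, plus us-east-1 when any target is an optional region."""
    needed = set(targets)
    if needed & set(optional):
        needed.add(DEFAULT_AUTH_REGION)
    return needed

def _listify(value):
    return value if isinstance(value, list) else [value]

def blocked_regions(policy, regions):
    """Regions hit by Deny statements keyed on aws:RequestedRegion.
    Simplified: ignores Action/Resource scoping and all other condition keys."""
    blocked = set()
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            for key, values in keys.items():
                if key.lower() != "aws:requestedregion":
                    continue
                listed = set(_listify(values))
                if operator == "StringNotEquals":
                    blocked |= set(regions) - listed
                elif operator == "StringEquals":
                    blocked |= set(regions) & listed
    return blocked

if __name__ == "__main__":
    needed = required_regions(["af-south-1", "eu-west-1"])
    print("required:", sorted(needed))
    print("blocked:", sorted(blocked_regions(SAMPLE_POLICY, needed)))
```

With the sample policy the check reports us-east-1 as blocked; adding us-east-1 to the approved list clears it.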