Add an AWS Config input for the Splunk App for AWS

Create an AWS Config input to take a snapshot of your AWS Account and gather helpful description metadata about your AWS environment.

The Splunk App for AWS requires you to configure an AWS Config input before you can configure any other inputs. The configuration snapshot and metadata descriptions from the AWS Config service are key to populating many of the dashboards in the app, so the other inputs depend on this one.

You can only configure one AWS Config input per AWS Account Access Key ID, which you select by its corresponding friendly name. You can configure multiple AWS Config inputs for the same AWS environment, provided each one is created with a different friendly name.

Note: When you configure an AWS Config input, the app also pulls description metadata for your resources to improve your dashboard usability. If you view your inputs in the Splunk Add-on for AWS, the description portion of this input appears there as its own, separate input. You can edit the description input there to adjust its settings, but Splunk does not recommend changing the defaults.

Prerequisites

Before you can successfully configure an AWS Config input, you need to:

1. Set up the AWS Config service for all the regions that you want to track data in the Splunk App for AWS. If you have not already done this, see "Configure your AWS services for the Splunk App for AWS" in this manual.

2. Make sure that the account friendly name you use to configure this input corresponds to an AWS Account Access Key ID that has the necessary permissions to gather this data. If you have not already done this, see "Configure your AWS permissions for the Splunk App for AWS" in this manual.

Add a new Config input

1. In the app, click Configure in the app navigation bar.

2. Under Data Sources, in the AWS Config box, click Set up.

3. Select the friendly name of the AWS Account that you want to use to collect AWS Config data. If you have not yet configured the account you need, click Add New Account to configure one now.

4. Under SQS Configurations, select a Region for which you have enabled AWS Config.

5. Click Select an SQS queue to view the SQS queue names for the region you have selected. If you do not see any, verify that you have completed all steps in the prerequisites. Do not configure multiple Config inputs pulling data from the same SQS queue. Having multiple inputs can cause conflicts when one input tries to delete an SQS message that another input is attempting to access and parse.

6. Select the queue name that is subscribed to the SNS topic for Config notifications for this region.

7. Click the + button to add another region.

8. Repeat steps 4 - 6 until you have configured SQS queues for all the regions where you have Config enabled in AWS.

9. Click Add to save and enable this data input.

Once saved, the input begins collecting data immediately and checks for updates every 30 seconds.

When you first create the data input, the Splunk App for AWS triggers your AWS Config service to take a snapshot of your AWS environment. If the app is unable to collect a snapshot, one of the following may be true:

• You may have encountered a rate limit on snapshot requests set by AWS. If you see a message that says "You have exceeded the maximum request rate set by AWS. Please try again later." wait a few minutes, then click Retry. If you navigate away from this screen, you can return to the Config Inputs screen at any time and click Take Snapshot to try again.
• You may not have sufficient permissions to take snapshots with the account you chose. See "Configure your AWS permissions for the Splunk App for AWS" in this manual. You can adjust the permissions as needed and then return to the Config Inputs screen at any time and click Take Snapshot to try again.

When you save a Config input, the app enables and runs the scheduled saved search called Config: Topology Data Generator, which you can find in the app under Search > Reports. This search runs every twenty minutes and helps populate your Topology dashboard.

Edit or delete a Config input

You can view, edit, or delete your existing AWS Config inputs from the Config Inputs screen.

1. In the app, click Configure in the app navigation bar.

2. Under Data Sources, in the AWS Config box, click the link that tells you how many inputs you currently have configured for AWS Config.

3. The Config Inputs screen displays a list of AWS Config inputs, organized by the account friendly name used to create the input.

4. From here, you can click the account names to open the individual inputs to edit them, click Take Snapshot to trigger the app to take a snapshot from AWS Config, or delete an input.