Configure your AWS permissions for the Splunk App for AWS
In order for the Splunk App for AWS to access the data in your Amazon Web Services account, you must give the AWS account(s) it uses an IAM role with the permissions required by the services you collect from. This step requires administrator rights in the AWS Management Console. If you do not have administrator access, work with your AWS admin to set up the account(s) with the permissions required.
There are many ways to manage IAM policies.
- You can use the AWS Policy Generator tool to collect all permissions into one centrally managed policy that you can apply to the IAM group used by the account(s) that the Splunk App for AWS uses to connect to your AWS environment.
- You can create multiple different users, groups, and roles with the specific permissions required just for the services from which you plan to collect data.
- You can copy and paste the sample policies provided on this page and apply them to an IAM Group as custom inline policies. To further specify the resources to which the policy should grant access, replace the wildcards with the exact ARNs of the resources in your environment.
For more information about working with inline policies, access the AWS documentation: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_inline-using.html
Configure one policy containing permissions for all six services
The following sample policy provides the necessary permissions for all six inputs included in the Splunk App for AWS. See the remaining sections for separate policies that break out the permissions for each service.
Sample inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:GetQueueUrl",
        "sqs:SendMessage",
        "sqs:DeleteMessage",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "config:DeliverConfigSnapshot",
        "iam:GetUser",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "sns:Get*",
        "sns:List*",
        "ec2:DescribeInstances",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeRegions",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Resource": ["*"]
    }
  ]
}
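The combined policy above grants every action on Resource "*". The advice earlier on this page is to replace those wildcards with the exact ARNs of your resources; the following script, an added example that is not part of the Splunk or AWS documentation, does that mechanically for the combined policy and then reports which actions are still account-wide so they can be reviewed. The bucket and queue ARNs are constructed placeholders, and ACCOUNT_LEVEL_ACTIONS is this example's own short list of list/describe calls that AWS only evaluates against "*" (scoping those to an ARN would break the input). The same routine applies to the per-service policies further down, for instance the CloudTrail policy, whose s3:Delete* is granted on arn:aws:s3:::*.

```python
"""Split the all-in-one Splunk App for AWS policy into per-service statements
scoped to concrete ARNs. Added example: the policy is the page's sample, the
ARNs are constructed placeholders, ACCOUNT_LEVEL_ACTIONS is this example's own."""
import copy
import fnmatch
import json

# The page's combined sample policy (all six inputs), every action on "*".
COMBINED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ReceiveMessage",
            "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:DeleteMessage",
            "s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation",
            "s3:ListAllMyBuckets", "config:DeliverConfigSnapshot", "iam:GetUser",
            "autoscaling:Describe*", "cloudwatch:Describe*", "cloudwatch:Get*",
            "cloudwatch:List*", "sns:Get*", "sns:List*", "ec2:DescribeInstances",
            "ec2:DescribeReservedInstances", "ec2:DescribeSnapshots",
            "ec2:DescribeRegions", "logs:DescribeLogGroups",
            "logs:DescribeLogStreams", "logs:GetLogEvents",
        ],
        "Resource": ["*"],
    }],
}

# Account-level list/describe calls that only work against Resource "*";
# deliberately short, extend it for your own environment.
ACCOUNT_LEVEL_ACTIONS = ("s3:ListAllMyBuckets", "sqs:ListQueues", "ec2:Describe*")

# Constructed placeholder ARNs: substitute the ARNs from your own account.
# S3 needs both the bucket (ListBucket, GetBucketLocation) and bucket/* (GetObject).
EXAMPLE_RESOURCES = {
    "s3": ["arn:aws:s3:::example-splunk-logs", "arn:aws:s3:::example-splunk-logs/*"],
    "sqs": ["arn:aws:sqs:us-east-1:123456789012:example-splunk-notifications"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_account_level(action):
    return any(fnmatch.fnmatchcase(action, p) for p in ACCOUNT_LEVEL_ACTIONS)


def scope_policy(policy, resources_by_service):
    """Copy `policy`, splitting each Allow statement on Resource "*" into one
    statement per service scoped to that service's ARNs. Actions for services
    with no ARN list, plus account-level actions, are gathered into a single
    trailing statement that stays on "*", so what is still broad is explicit."""
    scoped = {"Version": policy["Version"], "Statement": []}
    still_broad = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or _as_list(stmt["Resource"]) != ["*"]:
            scoped["Statement"].append(copy.deepcopy(stmt))  # already scoped
            continue
        per_service = {}
        for action in _as_list(stmt["Action"]):
            service = action.split(":", 1)[0]
            if is_account_level(action) or service not in resources_by_service:
                still_broad.add(action)
            else:
                per_service.setdefault(service, set()).add(action)
        for service in sorted(per_service):
            scoped["Statement"].append({
                "Sid": "Scoped" + service.capitalize(),
                "Effect": "Allow",
                "Action": sorted(per_service[service]),
                "Resource": list(resources_by_service[service]),
            })
    if still_broad:
        scoped["Statement"].append({
            "Sid": "StillAccountWide",
            "Effect": "Allow",
            "Action": sorted(still_broad),
            "Resource": "*",
        })
    return scoped


def actions_on_wildcard_resource(policy):
    """Sorted list of actions some Allow statement grants on every resource."""
    broad = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt["Resource"]):
            broad.update(_as_list(stmt["Action"]))
    return sorted(broad)


def all_actions(policy):
    """Every action the policy allows, regardless of resource (for a diff check)."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in _as_list(s["Action"])}


if __name__ == "__main__":
    scoped = scope_policy(COMBINED_POLICY, EXAMPLE_RESOURCES)
    print(json.dumps(scoped, indent=2))
    print("still on Resource *:", actions_on_wildcard_resource(scoped))
```

Running the script prints the scoped policy, which you can paste into the IAM console as an inline policy, followed by the list of actions still on "*"; with only S3 and SQS ARNs supplied, that list is the Config, IAM, Auto Scaling, CloudWatch, SNS, EC2 and CloudWatch Logs actions plus the two account-level list calls, and the union of actions is unchanged from the page's policy.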
Configure AWS Config permissions
Required permissions for the S3 bucket that collects your Config logs: GetObject, GetBucketLocation, ListBucket, ListAllMyBuckets
Required permissions for the SQS queue subscribed to the SNS topic that collects Config notifications: GetQueueAttributes, ListQueues, ReceiveMessage, GetQueueUrl, SendMessage, DeleteMessage
Required permission for the Config snapshots: DeliverConfigSnapshot
Required permission for the IAM user to get the Config snapshots: GetUser
Required EC2 permissions to collect metadata: DescribeInstances, DescribeReservedInstances, DescribeSnapshots, DescribeRegions
Sample inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:GetQueueAttributes",
        "sqs:SendMessage",
        "sqs:GetQueueUrl",
        "sqs:DeleteMessage"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "config:DeliverConfigSnapshot"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetUser"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeRegions"
      ],
      "Resource": ["*"]
    }
  ]
}
For more information and sample policies, see:
- for SQS: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/UsingIAM.html
- for S3: http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html
Configure CloudTrail permissions
Required permissions for the S3 bucket that collects your CloudTrail logs: Get, List, Delete
Required permissions for the SQS queue subscribed to the S3 bucket that collects CloudTrail logs: GetQueueAttributes, ListQueues, ReceiveMessage, GetQueueUrl, DeleteMessage
Sample inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:GetQueueUrl",
        "sqs:DeleteMessage",
        "s3:Get*",
        "s3:List*",
        "s3:Delete*"
      ],
      "Resource": [
        "arn:aws:sqs:*",
        "arn:aws:s3:::*"
      ]
    }
  ]
}
For more information and sample policies, see:
- for SQS: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/UsingIAM.html
- for S3: http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html
Configure CloudWatch permissions
Required permissions for CloudWatch: Describe, Get, List
Required permissions for autoscaling: Describe
Required permissions for SNS: Get, List
Sample inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "sns:Get*",
        "sns:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
For more information and sample policies, see: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html
Configure VPC Flow Log permissions
Required permissions for logs: DescribeLogGroups, DescribeLogStreams, GetLogEvents
Sample inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
You must also ensure that your role has a trust relationship that allows the flow logs service to assume the role. While viewing the IAM role, choose Edit Trust Relationship and replace the policy with this one:
Sample trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
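A trust policy decides who can assume the role, so it is worth checking after editing that it trusts only the flow logs service and nothing else. The following check is an added example, not part of the Splunk or AWS documentation: it takes the page's trust policy, extracts every principal allowed to call sts:AssumeRole, and reports any principal other than the expected service, as well as a missing expected service. The second policy is a constructed, deliberately over-permissive one used only to show what a finding looks like.

```python
"""Audit an IAM role trust policy: report every principal that may assume the
role other than the expected service. Added example; the first policy is the
page's flow-logs trust policy, the second is a constructed bad example."""

FLOW_LOGS_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed bad example: a second statement lets any AWS principal assume the role.
OVERLY_TRUSTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        FLOW_LOGS_TRUST_POLICY["Statement"][0],
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
    ],
}

# Action spellings that include sts:AssumeRole.
ASSUME_ROLE_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def assume_role_principals(trust_policy):
    """Set of (kind, value) pairs an Allow statement lets call sts:AssumeRole,
    e.g. ("Service", "vpc-flow-logs.amazonaws.com"). A bare "*" principal is
    returned as ("*", "*")."""
    principals = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not ASSUME_ROLE_ACTIONS.intersection(_as_list(stmt["Action"])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.add(("*", "*"))
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                principals.add((kind, value))
    return principals


def trust_policy_findings(trust_policy, expected_services):
    """Human-readable findings; an empty list means the role trusts exactly the
    expected service principal(s) and nothing else."""
    findings = []
    trusted = assume_role_principals(trust_policy)
    for kind, value in sorted(trusted):
        if kind == "Service" and value in expected_services:
            continue
        if value == "*":
            findings.append(f"any {kind} principal may assume the role")
        else:
            findings.append(f"unexpected {kind} principal: {value}")
    for service in sorted(expected_services):
        if ("Service", service) not in trusted:
            findings.append(f"expected service not trusted: {service}")
    return findings


if __name__ == "__main__":
    expected = {"vpc-flow-logs.amazonaws.com"}
    for name, policy in (("page policy", FLOW_LOGS_TRUST_POLICY),
                         ("constructed bad policy", OVERLY_TRUSTING_POLICY)):
        print(name, "->", trust_policy_findings(policy, expected) or "OK")
```

The page's trust policy produces no findings; the constructed policy reports that any AWS principal may assume the role. The same function can be pointed at the trust policy of any role the app uses, with `expected_services` set accordingly.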
Configure S3 permissions
Required permissions for S3 buckets and objects: List, Get
Sample inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
For more information and sample policies, see http://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html.
Configure Billing permissions
Required permissions for the S3 bucket that collects your billing reports: Get, List
Sample inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
For more information and sample policies, see http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html.
This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.0.0