Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Configure your AWS services for the Splunk App for AWS

To collect data from Amazon Web Services, you must first enable or configure the AWS services that produce the data. Splunk recommends that you enable all services, otherwise some of the app dashboards may not be fully populated.

For each service, you must configure the appropriate IAM permissions for the accounts that the Splunk App for AWS uses to connect to your AWS environment, so that the app can access the data from the services you have configured. See "Configure your AWS permissions" for details.

Note: Performing all the steps below requires administrator access to your AWS account. If you do not have the required permissions to perform all the actions yourself, work with an AWS admin to complete all steps, including creating the account(s) with the IAM permissions that the Splunk App for AWS uses to connect.

Configure AWS Config

The Splunk App for AWS collects events from a Simple Queue Service (SQS) that subscribes to the Simple Notification Service (SNS) notification events from AWS Config. Configure AWS Config to produce these notifications, then create the SQS for the app to access them.

1. Enable Config by following the AWS Config setup guide: http://docs.aws.amazon.com/config/latest/developerguide/setting-up.html.

2. Follow the AWS Config Getting Started guide (http://docs.aws.amazon.com/config/latest/developerguide/getting-started.html) to specify an S3 bucket to save the data and an SNS topic to stream Config notifications to. Do not use an existing bucket or SNS topic. Following the AWS Config setup allows AWS to automatically create the IAM role for AWS Config so that it has the necessary permissions for the bucket and SNS topic.

Note: Do not use periods in your S3 bucket name. Using periods in bucket names causes an AWS certificate validation issue. For more information, see http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html.

3. Finish the setup steps in the AWS Config Getting Started guide and verify that you have successfully completed the setup process. If you used the AWS console, you should see the Resource Lookup page. If you use the CLI, you can follow this verification guide: http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-verify-subscribe.html.

4. Create a new SQS queue.

5. Subscribe the SQS queue exclusively to the SNS topic that you created in Step 2.

6. Grant IAM permissions to access the S3 bucket and SQS to the AWS account that the app uses to connect to your AWS environment. See "Configure your AWS permissions" for details.

7. For best results, ensure that you have enabled CloudTrail in each region for which you have enabled Config. If you collect Config data with the app without enabling CloudTrail as well in the same region, some app dashboards may not be fully populated.

Configure CloudTrail

The Splunk App for AWS collects events from a Simple Queue Service (SQS) that subscribes to the Simple Notification Service (SNS) notification events from CloudTrail. Configure CloudTrail to produce these notifications, then create the SQS for the app to access them.

1. Enable CloudTrail. Follow the instructions in the AWS documentation: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html.

2. Create an S3 bucket in which to store the CloudTrail events. Follow the AWS documentation to ensure the permissions for this bucket are correct: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html.

Note: Do not use periods in your S3 bucket name. Using periods in bucket names causes an AWS certificate validation issue. For more information, see http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html.

3. Enable SNS notifications. See the AWS documentation for instructions: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html.

4. Create a new SQS queue.

5. Subscribe the SQS queue to the SNS notifications that you enabled in Step 3.

6. Grant IAM permissions to access the S3 bucket and SQS to the AWS account that the app uses to connect to your AWS environment. See "Configure your AWS permissions" for details.
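Steps 4 to 6 of both the AWS Config and the CloudTrail procedures above come down to the same thing: a queue whose access policy lets exactly one SNS topic deliver into it. The following is an added example (not Splunk's or AWS's code) that builds such a queue policy and audits an existing one for the common mistake of allowing `sqs:SendMessage` without an `aws:SourceArn` condition, which would let any topic, even one in another account, push messages into the queue the app reads from. The account ID, region, topic and queue ARNs, and the "open" policy are constructed placeholders; the `queue_attributes_payload` shape is the `Policy` attribute that `aws sqs set-queue-attributes --attributes` accepts.

```python
"""Build and audit the SQS access policy for a queue fed by a single SNS topic.

Added example, not Splunk's or AWS's own code. All identifiers below are
constructed placeholders; substitute your own account, region and names.
"""
import json

# Constructed placeholders (not real resources).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT_ID}:config-topic"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:splunk-config-queue"


def build_queue_policy(queue_arn: str, topic_arn: str) -> dict:
    """Policy that grants sqs:SendMessage on the queue to the SNS service only
    when the message originates from the named topic (aws:SourceArn)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOnlyOurSnsTopic",
                "Effect": "Allow",
                "Principal": {"Service": "sns.amazonaws.com"},
                "Action": "sqs:SendMessage",
                "Resource": queue_arn,
                "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
            }
        ],
    }


def queue_attributes_payload(policy: dict) -> dict:
    """Shape expected by SetQueueAttributes: the policy document as a JSON string
    under the attribute name 'Policy'."""
    return {"Policy": json.dumps(policy)}


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_queue_policy(policy: dict, expected_topic_arn: str) -> list:
    """Return one finding per Allow statement that grants SendMessage without
    being pinned to exactly the expected topic. Empty list means the queue
    only accepts deliveries from that topic."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sqs:sendmessage", "sqs:*", "*"}:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        source_arns = set()
        for op in ("ArnEquals", "ArnLike", "StringEquals", "StringLike"):
            source_arns.update(_as_list(cond.get(op, {}).get("aws:SourceArn", [])))
        if not source_arns:
            findings.append(
                f"{sid}: SendMessage has no aws:SourceArn condition; any SNS topic "
                f"(principal {stmt.get('Principal')!r}) could write to the queue"
            )
        elif source_arns != {expected_topic_arn}:
            findings.append(
                f"{sid}: aws:SourceArn {sorted(source_arns)} is not exactly the expected topic"
            )
    return findings


# Constructed example of the permissive policy the console's "allow everybody"
# option produces: any principal may send, with no source restriction.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Everybody",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "SQS:SendMessage",
            "Resource": QUEUE_ARN,
        }
    ],
}


if __name__ == "__main__":
    good = build_queue_policy(QUEUE_ARN, TOPIC_ARN)
    print(json.dumps(queue_attributes_payload(good), indent=2))
    print("scoped policy findings:", audit_queue_policy(good, TOPIC_ARN))
    print("open policy findings:", audit_queue_policy(OPEN_POLICY, TOPIC_ARN))
```

The audit treats a missing `aws:SourceArn` as a finding even when the principal is `sns.amazonaws.com`, because a service principal alone does not say which topic may deliver; pinning the topic ARN is what makes the subscription in Step 5 "exclusive". Running `audit_queue_policy` over the policy returned by `aws sqs get-queue-attributes --attribute-names Policy` is a cheap check to repeat after anyone edits the queue in the console.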

Configure CloudWatch

CloudWatch is automatically enabled to collect free metrics for your AWS services and requires no additional configuration for the Splunk App for AWS. However, you do need to grant permissions to the AWS account(s) that the app uses to connect to the CloudWatch API. See "Configure your AWS permissions" for details.

Configure VPC Flow Logs

VPC Flow Logs require no additional configuration for the Splunk App for AWS, other than enabling them for your VPCs. However, you do need to grant permissions to the AWS account(s) that the app uses to connect to the VPC Flow Log groups and streams. See "Configure your AWS permissions" for details.

See the AWS documentation for how to enable Flow Logs for your VPCs and configure an IAM role for them: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html.

Configure S3 bucket

S3 requires no additional configuration for the Splunk App for AWS. However, you do need to grant permissions to the AWS account that the app uses to connect to your S3 buckets. See "Configure your AWS permissions" for details.

Note: If you have periods in your S3 bucket name, you need to use a region-specific S3 Host Name when you configure an S3 input to collect data. Using periods in bucket names causes an AWS certificate validation issue for virtual hosted-style buckets, so specifying a region-specific endpoint is required. You can specify a region-specific S3 Host Name only through the Splunk Add-on for AWS. See Add an S3 input for the Splunk Add-on for AWS for instructions to configure S3 inputs through the add-on. For more information about this limitation, see http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html.
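The reason behind the repeated "no periods in bucket names" note is how TLS clients match a wildcard certificate name: a `*` matches exactly one DNS label, so a host name such as `my.bucket.s3.amazonaws.com` has one label too many for `*.s3.amazonaws.com`, and the virtual-hosted-style connection fails certificate validation. The following added example (not Splunk's or AWS's code) reimplements that matching rule so the failure can be seen offline, and returns the region-specific endpoint form (`s3.<region>.amazonaws.com`, used path-style) as the workaround the note describes. The certificate name list is constructed to mirror the wildcard AWS documents for S3; a real TLS client (Python's `ssl` module included) does this check for you, and you should confirm the live certificate names yourself rather than rely on the constructed list.

```python
"""Why periods in an S3 bucket name break virtual-hosted-style TLS.

Added example, not Splunk's or AWS's own code. S3_CERT_SANS is a constructed
list mirroring the documented wildcard; verify the real certificate yourself.
"""

# Constructed: the wildcard AWS documents for virtual-hosted-style S3 access.
S3_CERT_SANS = ["*.s3.amazonaws.com", "s3.amazonaws.com"]


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name matching as TLS clients apply it: '*' is allowed only
    as the entire leftmost label and matches exactly one label, never a dot."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        # Reject wildcards anywhere but the whole leftmost label ("s3.*.x", "a*.x").
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p_labels, h_labels))


def virtual_hosted_host(bucket: str) -> str:
    """Host name a client uses for virtual-hosted-style requests."""
    return f"{bucket}.s3.amazonaws.com"


def region_endpoint(region: str) -> str:
    """Region-specific endpoint used path-style, so the bucket name is in the
    URL path rather than in the TLS host name."""
    return f"s3.{region}.amazonaws.com"


def bucket_tls_safe(bucket: str, san_patterns=S3_CERT_SANS) -> bool:
    """True if the bucket's virtual-hosted host name is covered by some
    certificate name; buckets containing periods add labels and are not."""
    host = virtual_hosted_host(bucket)
    return any(wildcard_matches(p, host) for p in san_patterns)


def recommend_endpoint(bucket: str, region: str) -> tuple:
    """Return ("virtual-hosted", host) when the wildcard covers the bucket,
    otherwise ("path-style", region endpoint) as the note's workaround."""
    if bucket_tls_safe(bucket):
        return ("virtual-hosted", virtual_hosted_host(bucket))
    return ("path-style", region_endpoint(region))


if __name__ == "__main__":
    for name in ("splunk-config", "splunk.config"):
        print(name, "->", recommend_endpoint(name, "us-west-2"))
```

`splunk-config` resolves to the virtual-hosted host and passes; `splunk.config` produces `splunk.config.s3.amazonaws.com`, which the wildcard cannot cover, so the function returns the region endpoint, which is the value that goes into the S3 Host Name field mentioned above. Renaming the bucket without periods remains the simpler fix where you control the bucket.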

Refer to the AWS S3 documentation for more information about how to configure S3 buckets and objects: http://docs.aws.amazon.com/gettingstarted/latest/swh/getting-started-create-bucket.html.

Configure billing reports

The Splunk App for AWS can collect monthly cost allocation reports from an S3 bucket that you specify. Be sure to verify your S3 bucket in the billing and cost management console and select the monthly cost allocation report as the report type that you want to collect.

Note: Do not use periods in your S3 bucket name. Using periods in bucket names causes an AWS certificate validation issue. For more information, see http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html.

There is no additional configuration required for the Splunk App for AWS. However, you do need to grant the AWS account that the app uses to connect to your AWS environment permission to access the S3 bucket. See "Configure your AWS permissions" for details.

For more details on managing your AWS billing reports, see the AWS documentation: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/detailed-billing-reports.html.

Last modified on 06 September, 2019

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.0.0