Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Configure your AWS permissions for the Splunk App for AWS

In order for the Splunk App for AWS to access the data in your Amazon Web Services account, you must assign one or more AWS accounts to an IAM role with the permissions required by those services. This step requires administrator rights in the AWS Management Console. If you do not have administrator access, work with your AWS admin to set up the account(s) with the permissions required.

Note: The Splunk App for AWS does not support the AssumeRole API action. Configure IAM accounts and permissions from the account that owns the resources that you want the add-on to access.

There are many ways to manage IAM policies.

  • You can use the AWS Policy Generator tool to collect all permissions into one centrally managed policy that you can apply to the IAM group used by the account(s) that the Splunk App for AWS uses to connect to your AWS environment.
  • You can create multiple different users, groups, and roles with the specific permissions required just for the services from which you plan to collect data.
  • You can copy and paste the sample policies provided on this page and apply them to an IAM Group as custom inline policies. To further specify the resources to which the policy should grant access, replace the wildcards with the exact ARNs of the resources in your environment.

For more information about working with inline policies, access the AWS documentation: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_inline-using.html

Configure one policy containing permissions for all seven inputs

The following sample policy provides the necessary permissions for all seven inputs included in the Splunk App for AWS. See the remaining sections for separate policies that break out the permissions for each service.

Sample inline policy: 

 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sqs:GetQueueAttributes",
                "sqs:ListQueues",
                "sqs:ReceiveMessage",
                "sqs:GetQueueUrl",
                "sqs:SendMessage",
                "sqs:DeleteMessage",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "config:DeliverConfigSnapshot",
                "iam:GetUser",
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "sns:Get*",
                "sns:List*",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "ec2:DescribeInstances",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeSnapshots",
                "ec2:DescribeRegions",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "rds:DescribeDBInstances",
                "cloudfront:ListDistributions",
                "elasticloadbalancing:DescribeLoadBalancers"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Configure AWS Config permissions

Required permission for the S3 bucket that collects your Config logs: GetObject, GetBucketLocation, ListBucket, ListAllMyBuckets

Required permission for the SQS subscribed to the SNS Topic that collects Config notifications: GetQueueAttributes, ListQueues, ReceiveMessage, GetQueueUrl, SendMessage, DeleteMessage

Required permission for the Config snapshots: DeliverConfigSnapshot

Required permission for the IAM user to get the Config snapshots: GetUser

Sample inline policy: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow", 
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow", 
            "Action": [
                "sqs:ListQueues",
                "sqs:ReceiveMessage",
                "sqs:GetQueueAttributes",
                "sqs:SendMessage",
                "sqs:GetQueueUrl",
                "sqs:DeleteMessage"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "config:DeliverConfigSnapshot" 
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

For more information and sample policies, see:

Configure CloudTrail permissions

Required permission for the S3 bucket that collects your CloudTrail logs: Get*, List*, Delete*

Required permission for the SQS subscribed to the S3 bucket that collects CloudTrail logs: GetQueueAttributes, ListQueues, ReceiveMessage, GetQueueUrl, DeleteMessage

In the Resource section of the policy, specify the ARNs of the S3 buckets and SQS queues from which you want to collect data.

Sample inline policy: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sqs:GetQueueAttributes",
                "sqs:ListQueues",
                "sqs:ReceiveMessage",
                "sqs:GetQueueUrl",
                "sqs:DeleteMessage",
                "s3:Get*",
                "s3:List*",
                "s3:Delete*"
            ],
            "Resource": [
               "*"
            ]
        }
    ]
}

For more information and sample policies, see:

Configure CloudWatch permissions

Required permissions for CloudWatch: Describe*, Get*, List*

Required permissions for autoscaling: Describe*

Required permissions for SNS queue: Get*, List*

Required permission to pass the app's account validation: ec2:DescribeRegions

Sample inline policy: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "sns:Get*",
                "sns:List*",
                "ec2:DescribeRegions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

For more information and sample policies, see: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html

Configure VPC Flow Log permissions

Required permissions for logs: DescribeLogGroups, DescribeLogStreams, GetLogEvents

Required permission to pass the app's account validation: s3:ListAllMyBuckets

Sample inline policy: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

You must also ensure that your role has a trust relationship that allows the flow logs service to assume the role. While viewing the IAM role, choose Edit Trust Relationship and replace the policy with this one:

Sample inline policy: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Configure Metadata permissions

Required permissions for EC2 resources: DescribeInstances, DescribeReservedInstances, DescribeSnapshots, DescribeRegions, DescribeKeyPairs, DescribeNetworkAcls, DescribeSecurityGroups, DescribeSubnets, DescribeVolumes, DescribeVpcs

Required permissions for RDS: DescribeDBInstances

Required permissions for CloudFront, if you are in a region that supports CloudFront: ListDistributions

Required permissions for ELB: DescribeLoadBalancers

Sample inline policy: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeSnapshots",
                "ec2:DescribeRegions",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "rds:DescribeDBInstances",
                "cloudfront:ListDistributions",
                "elasticloadbalancing:DescribeLoadBalancers"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Configure S3 permissions

Required permissions for S3 buckets and objects: ListBucket, GetObject, ListAllMyBuckets

In the Resource section of the policy, specify the ARNs of the S3 buckets from which you want to collect S3 access logs, CloudFront access logs, ELB access logs, or generic S3 log data.

Sample inline policy: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}

For more information and sample policies, see http://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html.

Configure Billing permissions

Required permissions for for the S3 bucket that collects your billing reports: Get*, List*

In the Resource section of the policy, specify the ARNs of the S3 buckets that contain billing reports for your accounts.

Sample inline policy: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

For more information and sample policies, see http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html.

Last modified on 25 February, 2016
Configure your AWS services for the Splunk App for AWS   Installing the Splunk App for AWS

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.1.0, 4.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters