Set up access control in the Splunk App for AWS
The Splunk App for AWS not only provides access to a wide range of data about the AWS environment but also lets the AWS App administrator easily configure AWS accounts and data inputs in a centralized location. It is important to set up access control in the app so that only authorized users with appropriate permissions can access sensitive data and settings such as AWS accounts, data sources, and security and billing anomaly detection rules.
Use the following predefined roles in Splunk Enterprise to set up user access to different types of data in the Splunk App for AWS. For more information about role-based user access, see About configuring role-based user access in the Securing Splunk Enterprise manual.
- admin: The Splunk administrator role can access all the data and perform all permissible actions in the Splunk App for AWS.
- aws_admin: This role is intended for administrators who will only view (but not configure) resources in the Splunk App for AWS. The role inherits from the power role, and has the following specific fine-grained capabilities: aws_admin_capability, edit_input_defaults, list_storage_passwords (only available in Splunk 6.5.0 and later). Use this role when you want to grant non-admin users permissions to view AWS accounts and inputs in the Splunk App for AWS, but not add or modify them.
Note: This role is not available in Splunk Cloud or Splunk Light. In Splunk Cloud, the admin or sc_admin roles access the Configure menu in the Splunk App for AWS.
- user: This role can view all dashboards in the Splunk App for AWS, but cannot configure AWS resources, edit anomaly detection rules, or receive recommendations in Topology.
The following table lists the permissions for each role in the Splunk App for AWS.
Data in Splunk App for AWS | user | aws_admin (6.5.0+) | aws_admin (pre-6.5.0) | admin |
---|---|---|---|---|
Configure > AWS accounts | X | read | X | read, write |
Configure > Data Sources (inputs) | X | read | X | read, write |
Configure > Other settings > Warning message settings | read, write | read, write | read, write | read, write |
Insights > Security Anomaly Insights > Anomaly Detection Rules | read | read, write | read, write | read, write |
Insights > Billing Anomaly Insights > Anomaly Detection Rules | read | read, write | read, write | read, write |
Topology > Insights | X | read | read | read |
All the dashboards | read | read | read, write | read, write |
For finer-grained control of access to AWS data, you can restrict the search terms for a specific role. For example, to restrict user access to data under a specific AWS account, edit the user role and specify the following in the Restrict search terms field:
((NOT aws_account_id=*) OR aws_account_id="my_aws_account") AND ((NOT account_id=*) OR account_id="my_aws_account")
These search terms restrict the scope of every search run by this role: search results for this role show only events that also match this search string. Both clauses are needed because AWS data in the app carries the account in either the aws_account_id or the account_id field, and the (NOT field=*) part lets events that have no account field at all (for example, description data) remain visible.
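The following is an added example, not part of the Splunk documentation: a small Python evaluator that applies the two-clause restriction above to constructed sample events, and contrasts it with a naive single-field restriction to show why the NOT field=* clauses and the second account field matter. The event dictionaries and the account IDs are constructed for illustration.

```python
# Added example (not from the Splunk docs): simulates how a role's
# "Restrict search terms" string narrows which events a role can see.
# Splunk ANDs the role's restriction onto every search the role runs; here
# a tiny evaluator applies the page's two-clause filter to constructed events.

ACCOUNT_FIELDS = ("aws_account_id", "account_id")

def restricted_filter(allowed_account):
    """Predicate equivalent to the page's restriction:
    ((NOT aws_account_id=*) OR aws_account_id="<allowed>") AND
    ((NOT account_id=*) OR account_id="<allowed>")
    Per field: an event that lacks the field passes (NOT field=*);
    an event that has the field must carry the allowed value."""
    def allows(event):
        for field in ACCOUNT_FIELDS:
            if field in event and event[field] != allowed_account:
                return False
        return True
    return allows

def naive_filter(allowed_account):
    """Common mistake: aws_account_id="<allowed>" alone. Events without that
    field (e.g. billing events that only carry account_id) are hidden, while
    an event carrying the allowed aws_account_id but a foreign account_id
    is still shown."""
    return lambda event: event.get("aws_account_id") == allowed_account

def visible_events(events, predicate):
    """Apply a role's restriction the way Splunk does: whatever the user
    searched for, only events matching the restriction are returned."""
    return [e["id"] for e in events if predicate(e)]

# Constructed sample events (not real AWS data); account IDs are placeholders.
SAMPLE_EVENTS = [
    {"id": "ct-1", "sourcetype": "aws:cloudtrail", "aws_account_id": "111111111111"},
    {"id": "ct-2", "sourcetype": "aws:cloudtrail", "aws_account_id": "222222222222"},
    {"id": "bill-1", "sourcetype": "aws:billing", "account_id": "111111111111"},
    {"id": "bill-2", "sourcetype": "aws:billing", "account_id": "222222222222"},
    {"id": "desc-1", "sourcetype": "aws:description"},  # no account field at all
    {"id": "mixed-1", "aws_account_id": "111111111111", "account_id": "222222222222"},
]

if __name__ == "__main__":
    mine = "111111111111"
    print("page filter :", visible_events(SAMPLE_EVENTS, restricted_filter(mine)))
    print("naive filter:", visible_events(SAMPLE_EVENTS, naive_filter(mine)))
```

Running it shows the page's filter keeps ct-1, bill-1 and desc-1 and hides mixed-1, whereas the naive filter drops all billing data and leaks mixed-1.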
This documentation applies to the following versions of Splunk® App for AWS (Legacy): 5.0.0, 5.0.1, 5.0.2