Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Set up access control in the Splunk App for AWS

The Splunk App for AWS not only provides access to a wide range of data about the AWS environment but also lets the AWS App administrator configure AWS accounts and data inputs in a centralized location. It is important to set up access control in the app so that only authorized users with appropriate permissions can access sensitive data and information such as AWS accounts, data sources, and security and billing anomaly detection rules.

Use the following predefined roles in Splunk Enterprise to set up user access to different types of data in the Splunk App for AWS. For more information about role-based user access, see About configuring role-based user access in the Securing Splunk Enterprise manual.

  • admin: The Splunk administrator role can access all the data and perform all permissible actions in the Splunk App for AWS.
  • aws_admin: This role is intended for administrators who will only view (but not configure) resources in the Splunk App for AWS. The role inherits from the power role, and has the following specific fine-grained capabilities: aws_admin_capability, edit_input_defaults, list_storage_passwords (only available in Splunk 6.5.0 and later). Use this role when you want to grant non-admin users permissions to view AWS accounts and inputs in the Splunk App for AWS, but not add or modify them.
    Note: This role is not available in Splunk Cloud or Splunk Light. In Splunk Cloud, the admin or sc_admin role accesses the Configure menu in the Splunk App for AWS.
  • user: This role can view all dashboards in the Splunk App for AWS, but cannot configure AWS resources, edit anomaly detection rules, or receive recommendations in Topology.

The following table lists the permissions for each role in the Splunk App for AWS.

| Data in Splunk App for AWS | user | aws_admin (6.5.0+) | aws_admin (pre-6.5.0) | admin |
|---|---|---|---|---|
| Configure > AWS accounts | X | read | X | read, write |
| Configure > Data Sources (inputs) | X | read | X | read, write |
| Configure > Other settings > Warning message settings | read, write | read, write | read, write | read, write |
| Insights > Security Anomaly Insights > Anomaly Detection Rules | read | read, write | read, write | read, write |
| Insights > Billing Anomaly Insights > Anomaly Detection Rules | read | read, write | read, write | read, write |
| Topology > Insights | X | read | read | read |
| All the dashboards | read | read | read, write | read, write |

For finer-grained control of access to AWS data, you can define search restrictions for a specific role. For example, to restrict user access to data under a specific AWS account, edit the user role and specify the following in the Restrict search terms field:

((NOT aws_account_id=*) OR aws_account_id="my_aws_account") AND ((NOT account_id=*) OR account_id="my_aws_account")

The search terms restrict the scope of searches run by this role, so search results for this role only show events that also match this search string.
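
The filter above, generalized to one or more account IDs, as an added example that is not part of the Splunk documentation. The helper names build_restrict_terms and event_visible are hypothetical, the sample events are constructed, and the model assumes single-valued fields and 12-digit AWS account IDs.

```python
import re

# The two fields the page's filter constrains.
ACCOUNT_FIELDS = ("aws_account_id", "account_id")
# Assumption: account IDs are 12-digit AWS account numbers.
AWS_ACCOUNT_ID = re.compile(r"\d{12}")


def build_restrict_terms(account_ids):
    """Return a 'Restrict search terms' string limiting a role to account_ids."""
    ids = list(account_ids)
    if not ids:
        raise ValueError("at least one account ID is required")
    for acct in ids:
        # Accept only 12-digit IDs so quotes, wildcards or search operators
        # cannot end up inside the role's filter.
        if not AWS_ACCOUNT_ID.fullmatch(acct):
            raise ValueError(f"not a 12-digit AWS account ID: {acct!r}")
    clauses = []
    for field in ACCOUNT_FIELDS:
        allowed = " OR ".join(f'{field}="{acct}"' for acct in ids)
        clauses.append(f"((NOT {field}=*) OR {allowed})")
    return " AND ".join(clauses)


def event_visible(event, account_ids):
    """Model of the filter: True if a role limited to account_ids sees event."""
    allowed = set(account_ids)
    # Each clause passes when the field is absent or holds an allowed ID.
    return all(f not in event or event[f] in allowed for f in ACCOUNT_FIELDS)


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"note": "allowed account", "aws_account_id": "111111111111"},
    {"note": "other account", "aws_account_id": "222222222222"},
    {"note": "other account, second field", "account_id": "222222222222"},
    {"note": "no account field at all"},
]

if __name__ == "__main__":
    ids = ["111111111111"]
    print(build_restrict_terms(ids))
    for ev in SAMPLE_EVENTS:
        print(event_visible(ev, ids), ev["note"])
```

The last sample event stays visible: the filter scopes events that carry an account field and does not hide events that have neither field.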

Last modified on 10 February, 2017

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 5.0.0, 5.0.1, 5.0.2

