
Configure Config Rules inputs for the Splunk Add-on for AWS
Complete the steps to configure Config Rules inputs for the Splunk Add-on for Amazon Web Services (AWS):
- You must manage accounts for the add-on as a prerequisite. See Manage accounts for the Splunk Add-on for AWS.
- Configure AWS services for the Config Rules input.
- Configure AWS permissions for the Config Rules input. If you prefer, you can skip this step and configure the permissions for all inputs at once. See Configure AWS permissions for all Splunk Add-on for AWS inputs at once.
- Configure Config Rules inputs either through Splunk Web or configuration files.
Configure AWS services for the Config Rules input
- Enable AWS Config for all regions for which you want to collect data in the add-on. Follow the steps in the AWS documentation. See http://docs.aws.amazon.com/config/latest/developerguide/setting-up.html.
- Set up AWS Config Rules by following the instructions in the AWS Config documentation. See http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_set-up.html.
- Grant the necessary permissions to the AWS account used for this input. See Configure AWS permissions for details.
Configure AWS permissions for the Config Rules input
The Config Rules input requires the following AWS Config permissions:
- DescribeConfigRules
- DescribeConfigRuleEvaluationStatus
- GetComplianceDetailsByConfigRule
- GetComplianceSummaryByConfigRule
See the following sample inline policy to configure Config Rules input permissions:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "config:DescribeConfigRules",
            "config:DescribeConfigRuleEvaluationStatus",
            "config:GetComplianceDetailsByConfigRule",
            "config:GetComplianceSummaryByConfigRule"
          ],
          "Resource": "*"
        }
      ]
    }
For more information and sample policies, see http://docs.aws.amazon.com/config/latest/developerguide/example-policies.html
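To confirm that the policy attached to the add-on's account grants the four actions above and nothing broader, a check like the following can be run against the policy JSON. This is an added example, not part of the Splunk or AWS documentation; the function and sample names are hypothetical, and it inspects only Allow statements with an Action element (Deny, NotAction, and Condition are out of scope).

```python
import fnmatch
import json

# The four actions this page lists as required for the Config Rules input.
REQUIRED = {
    "config:DescribeConfigRules",
    "config:DescribeConfigRuleEvaluationStatus",
    "config:GetComplianceDetailsByConfigRule",
    "config:GetComplianceSummaryByConfigRule",
}

def _as_list(value):
    """IAM accepts a single string where a list is expected."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy_json):
    """Return (missing, excess): required actions that are not granted, and
    Allow patterns that are not one of the four required actions."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear without a list
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            patterns += _as_list(stmt.get("Action"))
    # IAM action names are case-insensitive; '*' and '?' act as wildcards.
    required_lower = {a.lower(): a for a in REQUIRED}
    granted = {orig for low, orig in required_lower.items()
               if any(fnmatch.fnmatchcase(low, p.lower()) for p in patterns)}
    excess = sorted(p for p in patterns if p.lower() not in required_lower)
    return sorted(REQUIRED - granted), excess

# Equivalent to the sample inline policy shown on this page.
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED), "Resource": "*"}]})
# Constructed samples: one over-broad policy, one incomplete policy.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": "config:*", "Resource": "*"}})
PARTIAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["config:describeconfigrules", "config:Get*"],
     "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("broad", BROAD_POLICY),
                      ("partial", PARTIAL_POLICY)):
        missing, excess = audit_policy(doc)
        print(f"{name}: missing={missing} excess={excess}")
```

An empty `missing` list with a non-empty `excess` list means the input works but the account holds more AWS Config access than this input needs.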
Configure a Config Rules input using Splunk Web
To configure inputs using Splunk Web:
- Click Splunk Add-on for AWS in the left navigation bar on Splunk Web home.
- Click Create New Input > Config Rules.
- Fill out the fields as described in the table:
Argument in configuration file | Field in Splunk Web | Description |
---|---|---|
aws_account | AWS Account | The AWS account or EC2 IAM role the Splunk platform uses to access your Config Rules data. In Splunk Web, select an account from the drop-down list. |
region | Region | The AWS region that contains the Config Rules. See the AWS documentation for more information. |
rule_names | Config Rules | Config Rules names in a comma-separated list. Leave blank to collect all rules. |
sourcetype | Source Type | A source type for the events. Enter a value only if you want to override the default of aws:config:rule. Event extraction relies on the default value of source type. If you change the default value, you must update props.conf as well. |
index | Index | The index name where the Splunk platform puts the Config Rules data. The default is main. |
polling_interval | Polling Interval | The data collection interval, in seconds. The default is 300 seconds. |
Configure a Config Rules input using configuration files
To configure the input using configuration files, create $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_config_rule_tasks.conf using the following template:

    [<name>]
    account = <value>
    region = <value>
    rule_names = <value>
    sourcetype = <value>
    polling_interval = <value>
    index = <value>

Here is an example stanza that collects Config Rules data for just two rules:

    [splunkapp2:us-east-1]
    account = splunkapp2
    region = us-east-1
    rule_names=required-tags,restricted-common-ports
    sourcetype = aws:config:rule
    polling_interval = 300
    index = aws

This documentation applies to the following versions of Splunk® Supported Add-ons: released