
Configure Config Rules inputs for the Splunk Add-on for AWS
Complete the steps to configure Config Rules inputs for the Splunk Add-on for Amazon Web Services (AWS):
- You must manage accounts for the add-on as a prerequisite. See Manage accounts for the Splunk Add-on for AWS.
- Configure AWS services for the Config Rules input.
- Configure AWS permissions for the Config Rules input.
- Configure Config Rules inputs either through Splunk Web or configuration files.
Configure AWS services for the Config Rules input
- Enable AWS Config for all regions for which you want to collect data in the add-on. Follow the steps in the AWS documentation. See http://docs.aws.amazon.com/config/latest/developerguide/setting-up.html.
- Set up AWS Config Rules by following the instructions in the AWS Config documentation. See http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_set-up.html.
- Grant the necessary permissions to the AWS account used for this input.
Configure AWS permissions for the Config Rules input
The Config Rules input requires the following AWS Config API permissions:
- DescribeConfigRules
- DescribeConfigRuleEvaluationStatus
- GetComplianceDetailsByConfigRule
- GetComplianceSummaryByConfigRule
See the following sample inline policy to configure Config Rules input permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "config:DescribeConfigRules",
        "config:DescribeConfigRuleEvaluationStatus",
        "config:GetComplianceDetailsByConfigRule",
        "config:GetComplianceSummaryByConfigRule"
      ],
      "Resource": "*"
    }
  ]
}
```
For more information and sample policies, see http://docs.aws.amazon.com/config/latest/developerguide/example-policies.html.
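As an added check that is not part of the Splunk documentation or the add-on's own code, the following Python script reads an IAM policy document and reports which of the four required Config actions it fails to grant, and which Allow patterns use wildcards that grant more than the input needs. The three policies it tests are constructed samples (the inline policy above, an over-broad `config:*` policy, and one with a required action missing); the action matching is a simplified version of IAM's case-insensitive wildcard matching and ignores Deny and NotAction statements.

```python
import fnmatch
import json

# The four AWS Config API actions the Config Rules input needs (from the page).
REQUIRED_ACTIONS = {
    "config:DescribeConfigRules",
    "config:DescribeConfigRuleEvaluationStatus",
    "config:GetComplianceDetailsByConfigRule",
    "config:GetComplianceSummaryByConfigRule",
}

# Constructed sample: the page's inline policy, as a JSON string.
MINIMAL_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "config:DescribeConfigRules",
      "config:DescribeConfigRuleEvaluationStatus",
      "config:GetComplianceDetailsByConfigRule",
      "config:GetComplianceSummaryByConfigRule"
    ],
    "Resource": "*"
  }]
}"""

# Constructed sample: works, but grants every Config action instead of four.
BROAD_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "config:*", "Resource": "*"}]}"""

# Constructed sample: one required action missing, so the compliance
# summary call made by the input would be denied.
INCOMPLETE_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": [
    "config:DescribeConfigRules",
    "config:DescribeConfigRuleEvaluationStatus",
    "config:GetComplianceDetailsByConfigRule"], "Resource": "*"}]}"""


def allowed_action_patterns(policy):
    """Collect the Action patterns from every Allow statement.

    IAM accepts a single string or a list; both are normalised to a list.
    Deny statements and NotAction are ignored, which is a simplification.
    """
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        patterns.extend(actions)
    return patterns


def action_matches(action, pattern):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_policy(policy_json):
    """Return (missing_actions, wildcard_grants) for a policy document.

    missing_actions: required actions that no Allow statement covers.
    wildcard_grants: Allow patterns containing wildcards, i.e. grants that
    exceed the four actions the input actually needs.
    """
    policy = json.loads(policy_json)
    patterns = allowed_action_patterns(policy)
    missing = sorted(
        a for a in REQUIRED_ACTIONS
        if not any(action_matches(a, p) for p in patterns)
    )
    wildcards = sorted(p for p in patterns if "*" in p or "?" in p)
    return missing, wildcards


if __name__ == "__main__":
    samples = [("minimal", MINIMAL_POLICY), ("broad", BROAD_POLICY),
               ("incomplete", INCOMPLETE_POLICY)]
    for label, doc in samples:
        missing, wildcards = check_policy(doc)
        print(f"{label}: missing={missing} wildcards={wildcards}")
```

Run it against the policy attached to the account or role the input uses; an empty `missing` list with an empty `wildcards` list is the least-privilege outcome the inline policy above produces.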
Configure a Config Rules input using Splunk Web
To configure inputs using Splunk Web:
- Click Splunk Add-on for AWS in the left navigation bar on Splunk Web home.
- Click Create New Input > Config Rules.
- Fill out the fields as described in the table:
Argument in configuration file | Field in Splunk Web | Description |
---|---|---|
aws_account | AWS Account | The AWS account or EC2 IAM role the Splunk platform uses to access your Config Rules data. In Splunk Web, select an account from the drop-down list. |
region | Region | The AWS region that contains the Config Rules. See the AWS documentation for more information. |
rule_names | Config Rules | Config Rules names in a comma-separated list. Leave blank to collect all rules. |
sourcetype | Source Type | A source type for the events. Enter a value only if you want to override the default of aws:config:rule. Field extraction relies on the default source type; if you change it, you must also update props.conf. |
index | Index | The index name where the Splunk platform puts the Config Rules data. The default is main. |
polling_interval | Polling Interval | The data collection interval, in seconds. The default is 300 seconds. |
Configure a Config Rules input using configuration files
To configure the input using configuration files, create $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_config_rule_tasks.conf using the following template:
```
[<name>]
account = <value>
region = <value>
rule_names = <value>
sourcetype = <value>
polling_interval = <value>
index = <value>
```
Here is an example stanza that collects Config Rules data for just two rules:
```
[splunkapp2:us-east-1]
account = splunkapp2
region = us-east-1
rule_names = required-tags,restricted-common-ports
sourcetype = aws:config:rule
polling_interval = 300
index = aws
```
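As an added example, not the add-on's own code, the following Python parser reads aws_config_rule_tasks.conf stanzas with the standard configparser module, applies the defaults the field table states (source type aws:config:rule, index main, polling interval 300 seconds), and flags the mistakes that silently stop collection or field extraction. The conf text is a constructed sample: the example stanza above followed by a second stanza with a non-numeric polling interval and an overridden source type. Because the page spells the account key both `aws_account` (in the table) and `account` (in the template), the parser accepts either.

```python
import configparser

# Defaults stated in the field table on this page.
DEFAULT_SOURCETYPE = "aws:config:rule"
DEFAULT_INDEX = "main"
DEFAULT_POLLING_INTERVAL = 300

# Constructed sample conf text: the page's example stanza followed by a
# second stanza that makes two mistakes (non-numeric interval, custom
# source type without a matching props.conf change).
SAMPLE_CONF = """\
[splunkapp2:us-east-1]
account = splunkapp2
region = us-east-1
rule_names=required-tags,restricted-common-ports
sourcetype = aws:config:rule
polling_interval = 300
index = aws

[splunkapp2:eu-west-1]
account = splunkapp2
region = eu-west-1
polling_interval = five minutes
sourcetype = custom:rules
"""


def parse_tasks(conf_text):
    """Parse aws_config_rule_tasks.conf text into normalised task dicts.

    Returns {stanza_name: {"account", "region", "rule_names", "sourcetype",
    "index", "polling_interval", "problems"}}. rule_names is a list; an
    empty list means "collect all rules", as the table says for a blank field.
    """
    # interpolation=None so a '%' in a value is taken literally.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    tasks = {}
    for name in cp.sections():
        s = cp[name]
        problems = []
        # The page uses both 'aws_account' and 'account'; accept either.
        account = (s.get("account") or s.get("aws_account") or "").strip()
        region = s.get("region", "").strip()
        if not account:
            problems.append("account is required")
        if not region:
            problems.append("region is required")

        raw_interval = s.get("polling_interval", str(DEFAULT_POLLING_INTERVAL)).strip()
        try:
            interval = int(raw_interval)
            if interval <= 0:
                raise ValueError(raw_interval)
        except ValueError:
            problems.append(f"polling_interval must be a positive integer, got {raw_interval!r}")
            interval = None

        sourcetype = s.get("sourcetype", "").strip() or DEFAULT_SOURCETYPE
        if sourcetype != DEFAULT_SOURCETYPE:
            problems.append(
                f"sourcetype {sourcetype!r} overrides {DEFAULT_SOURCETYPE}; "
                "props.conf must be updated or field extraction stops working"
            )

        rule_names = [r.strip() for r in s.get("rule_names", "").split(",") if r.strip()]
        tasks[name] = {
            "account": account,
            "region": region,
            "rule_names": rule_names,
            "sourcetype": sourcetype,
            "index": s.get("index", "").strip() or DEFAULT_INDEX,
            "polling_interval": interval,
            "problems": problems,
        }
    return tasks


if __name__ == "__main__":
    for name, task in parse_tasks(SAMPLE_CONF).items():
        status = "ok" if not task["problems"] else "; ".join(task["problems"])
        print(f"[{name}] rules={task['rule_names'] or 'ALL'} -> {status}")
```

Point it at the local conf file before restarting the add-on: a stanza with a non-empty `problems` list is one the input will either reject or index with unparsed events.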