Splunk® Supported Add-ons

Splunk Add-on for AWS

Manage accounts for the Splunk Add-on for AWS

Manage your accounts, proxy connections, and log levels for the Splunk Add-on for AWS on your data collection node.

The Splunk Add-on for AWS supports two ways to interact with AWS to collect data:

  • Using EC2 (Elastic Compute Cloud) IAM (Identity and Access Management) roles.
  • Using AWS user accounts.

Discover an EC2 IAM role

To run a data collection node on your Splunk platform in your own managed AWS environment using commercial regions, set up an IAM role for the EC2 instance, then use that role to configure data collection jobs. The Splunk Add-on for AWS automatically discovers this role once it is set up.

Collecting data using an auto-discovered EC2 IAM role is not supported in AWS China or AWS GovCloud regions.

  1. Follow the AWS documentation to set up an IAM role for your EC2 instance: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html.
  2. Ensure that this role has adequate permissions. If you do not give this role all of the permissions required for all inputs, configure AWS accounts specific to inputs not covered by the permissions for this role.
  3. On the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
  4. Click Configuration in the app navigation bar. By default, the add-on displays the Account tab.
  5. Look for the EC2 IAM role in the Autodiscovered IAM Role column. If you are in your own managed AWS environment and have an EC2 IAM role configured, it appears in this account list automatically.

You can also configure AWS accounts if you want to use both EC2 IAM roles and user accounts to ingest your AWS data.

You cannot edit or delete EC2 IAM roles from the add-on.

Add and manage AWS accounts

Perform the following steps to add an AWS account:

  1. On the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
  2. Click Configuration in the app navigation bar. The add-on displays the Account tab.
  3. Click Add.
  4. Name the AWS account. You cannot change this name once you have configured the account.
  5. Enter the credentials Key ID and Secret Key for the AWS account that the Splunk platform uses to access your AWS data. The accounts that you configure must have the necessary permissions to access the AWS data that you want to collect.
  6. Select the Region Category for the account. The most common category is "Global".
  7. Click Add.

Edit existing accounts by clicking Edit in the Actions column.

Delete an existing account by clicking Delete in the Actions column. You cannot delete accounts that are associated with any inputs, even if those inputs are disabled. To remove an account in this case, delete the inputs or edit them to use a different account and then delete the account.

To use custom commands and alert actions, you must set up at least one AWS account on your Splunk platform deployment search head or search head cluster.

Add and manage IAM roles

Use the Configuration menu in the Splunk Add-on for AWS to manage AWS IAM roles that can be assumed by IAM accounts. This lets the Splunk Add-on for AWS access the following AWS resources:

  • Generic S3
  • Incremental S3
  • SQS-Based S3
  • Billing
  • Description
  • CloudWatch
  • Kinesis

Add an IAM role

Use the following steps to add an IAM Role:

  1. On the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
  2. Click Configuration in the app navigation bar, and then click the IAM Role tab.
  3. Click Add.
  4. In the Name field, name the role to be assumed by authorized AWS accounts managed on the Splunk platform. You cannot change the name once you have configured the role.
  5. In the ARN field, enter the role's Amazon Resource Name in the valid format: arn:aws:iam::<aws_resource_id>:role/<role_name>.
  6. Click Add.

Click Edit in the Actions column to edit existing IAM roles.

Click Delete in the Actions column to delete an existing role. You cannot delete roles associated with any inputs, even if those inputs are disabled. To remove a role in this case, delete the inputs or edit them to use a different assumed role and then delete the role.
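
A pre-flight check for the ARN entered in step 5, as an added example that is not part of the Splunk documentation or the add-on's code: it validates the ARN format and checks, in a simplified way, that the IAM policy attached to the configured AWS account allows sts:AssumeRole on that role. The account IDs, the role name SplunkCollector and the sample policy are constructed, and Condition, NotAction and NotResource elements are not evaluated.

```python
import re

# Format from step 5: arn:aws:iam::<aws_resource_id>:role/<role_name>.
# Assumptions: 12-digit account ID; role name (optional path) in IAM's name charset.
_NAME = r"[A-Za-z0-9_+=,.@-]"
ROLE_ARN = re.compile(rf"arn:aws:iam::(\d{{12}}):role/((?:{_NAME}+/)*{_NAME}{{1,64}})")


def parse_role_arn(arn):
    """Return (account_id, role_name) for a well-formed role ARN, else raise ValueError."""
    m = ROLE_ARN.fullmatch(arn.strip())
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return m.group(1), m.group(2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, flags=0):
    # IAM policy wildcards: * matches any run of characters, ? exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None


def allows_assume_role(policy, role_arn):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow passes."""
    parse_role_arn(role_arn)  # reject malformed ARNs before evaluating
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        hit = (any(_glob(a, "sts:AssumeRole", re.IGNORECASE) for a in actions)
               and any(_glob(r, role_arn) for r in resources))
        if hit and stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or (hit and stmt.get("Effect") == "Allow")
    return allowed


# Constructed sample: policy attached to the AWS account configured in the add-on.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ["arn:aws:iam::111111111111:role/SplunkCollector"],
    }],
}
```

A False result for a role you intend to use means the account's policy does not name that role, which is worth fixing before you create inputs that depend on it.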

Configure a proxy connection

  1. On the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
  2. Click Configuration in the app navigation bar.
  3. Click the Proxy tab.
  4. Select the Enable box to enable the proxy connection and fill in the fields required for your proxy.
  5. Click Save.

To disable your proxy but save your configuration, uncheck the Enable box. The add-on stores your proxy configuration so that you can enable it later.

To delete your proxy configuration, delete the values in the fields.


This documentation applies to the following versions of Splunk® Supported Add-ons: released


Comments

Can you manage AWS accounts via an API?
We would like to automate the process when we spin up a new AWS account rather than adding each one manually.
If so, could you please give an example.
Many thanks,
Tom

Tommsmoonpig123
June 7, 2019

Hello Bilby91,
Your situation does sound like your AWS add-on is behaving improperly, and a reinstallation is recommended. I will reach out to you directly in an effort to learn more.

Mglauser splunk, Splunker
March 18, 2019

I'm not sure if there is a problem with my installation but I can't find these options:

"Click Configuration in the app navigation bar. By default, the add-on displays the Account tab."

"Click Configuration in the app navigation bar, and then click the IAM Role tab."

We are running a single enterprise instance to test AWS + EKS integrations. We plan on moving to Splunk Cloud later on.

Bilby91
March 14, 2019

Hi Nagulapalli. Please contact Splunk customer support or post the details of your situation on answers.splunk.com so the community can assist.

Andrewb splunk, Splunker
March 20, 2018

Hi,
We have multiple AWS accounts. I have set up an IAM role in each account that covers the policy "Configure one policy containing permissions for all inputs".
E.g.:
arn:aws:iam::xxxxxxxx1:role/TestLogging
arn:aws:iam::xxxxxxxx2:role/TestLogging

I have another IAM role (e.g. CTLRole) in our AWS Central Account, provisioned to use the following policy so it can use an assumed role to gain access to other AWS accounts, which eliminates the need for me to create an IAM user in every AWS account for the aws:description data type. Unfortunately it's not working. Can anyone advise how Splunk uses "Assumed Role" and initiates the requests for other AWS accounts?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::xxxxxxxx1:role/TestLogging",
        "arn:aws:iam::xxxxxxxx1:role/TestLogging"
      ],
      "Action": "sts:AssumeRole"
    }
  ]
}

Nagulapalli
March 19, 2018

Yes, ingestion of cross-account logs is supported. You can configure your AWS services to write logs under account A to an S3 bucket owned by account B. Then you configure an SQS-based S3 input under account B to ingest the logs from both accounts from the S3 bucket.
Just make sure you configure appropriate S3 bucket permissions for different types of data:
* AWS Config data: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
* CloudTrail data: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html?icmpid=docs_cloudtrail_console
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html
* Billing data: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_from-consolidatedbilling.html
Note that AccessLogs does not support cross-account logging.

Hunters splunk, Splunker
October 9, 2017

Is it possible to use Cross-Account access instead of having to use User Accounts for my separate AWS accounts?

Jwilson216
October 3, 2017

Hi Brad. There isn’t a known limit to the number of AWS accounts you can create in the AWS Add-on, but of course, creating more accounts leads to more API calls, which have a performance cost. Thanks!

Hunters splunk, Splunker
May 21, 2017

Is there a limit to the number of AWS accounts that can be registered (other than licensing quotas)?

Bradrer
May 17, 2017

Is there a way to perform these actions through an API or other method that we can automate? We would like to automate the on-boarding of AWS accounts into the app. Also, when using the EC2 instance profile, how does Splunk handle collecting data for multiple AWS accounts from the AWS account running the EC2 instance? The instance profile has been given rights to assume roles in all the other accounts.

Cabarria
September 27, 2016

Hi Jiambor, the instructions referencing a setup link were for the previous version, sorry. You should be able to perform the configuration on this page by opening the add-on's custom view. Just click on the add-on name. If you have already configured VPC flow log inputs, that means you have done this already, so that is not the problem. I'll send you an email so we can troubleshoot.

Rpille splunk, Splunker
October 23, 2015

I have no setup option either. I configured the flow logs and there is data going to the index (not main) and I can't find how to run setup so the app finds the data.

jiambor
22Oct2015

Jiambor
October 22, 2015

Thanks for your question, Asbetsplunk. You need to either be an admin or have the admin_all_objects capability in the role you are assigned. Hope that helps!

Rpille splunk, Splunker
September 2, 2015

"1. Go to Apps > Manage Apps, then click Set up under Actions in the row for Splunk Add-on for AWS."

There is NO "Set up" option under Actions. Tried rebooting the instance and nothing.

Asbetsplunk
September 2, 2015
