Splunk® Supported Add-ons

Splunk Add-on for AWS

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Manage accounts for the Splunk Add-on for AWS

The Splunk Add-on for Amazon Web Services (AWS) can only access the data in your AWS account if your account has an IAM AWS Identity Account Management (IAM) role. Read the following sections to do the following:

  1. Create an IAM role and assign it to your AWS account.
  2. Find an IAM role within your Splunk platform instance.

Before you can configure Splunk Cloud or Splunk Enterprise to work with your AWS data, you must set up accounts in Amazon Web Services.

Create an IAM role and assign it to your AWS account

To configure AWS accounts and permissions, you must have administrator rights in the AWS Management Console. If you do not have administrator access, work with your AWS admin to set up the accounts with the required permissions.

  • To let the Splunk Add-on for Amazon Web Services access the data in your AWS account, you assign an IAM role to one or more AWS accounts. You then grant those roles the permissions that are required by the AWS account.
  • If you run this add-on on a Splunk platform instance in your own managed Amazon Elastic Compute Cloud (EC2), then assign that EC2 to a role and give that role the IAM permissions listed here.

Manage IAM policies

There are three ways to manage policies for your IAM roles:

  • Use the AWS Policy Generator tool to collect all permissions into one centrally managed policy. You can apply the policy to the IAM group that is used by the user accounts or the EC2s that the Splunk Add-on for AWS uses to connect to your AWS environment.
  • Create multiple different users, groups, and roles with permissions specific to the services from which you plan to collect data.
  • Copy and paste the sample policies provided on this page and apply them to an IAM Group as custom inline policies. To further specify the resources to which the policy grants access, replace the wildcards with the exact Amazon Resource Names (ARNs) of the resources in your environment.

For more information about working with inline policies, see Managing IAM Policies in the AWS documentation.

Create and configure roles to delegate permissions to IAM users

The Splunk Add-on for AWS supports the AWS Security Token Service (AWS STS) AssumeRole API action that lets you use IAM roles to delegate permissions to IAM users to access AWS resources.

The AssumeRole API returns a set of temporary security credentials consisting of an access key ID, a secret access key, and a security token that an AWS account can use to access AWS resources that it might not normally have access to.

To assume a role, your AWS account must be trusted by that role. The trust relationship is defined in the role's trust policy when that role is created. That trust policy states which user accounts are allowed to delegate access to this account's role.

The user who wants to access the role must also have permissions delegated from the role's administrator. If the user is in a different account than the role, then the user's administrator must attach a policy that allows the user to call AssumeRole on the ARN of the role in the other account. If the user is in the same account as the role, then you can either attach a policy to the user identical to the previous different account user, or you can add the user as a principal directly in the role's trust policy.

To create an IAM role, see Creating a Role to Delegate Permissions to an IAM User in the AWS documentation.

After creating the role, use the AWS Management Console to modify the trust relationship to allow the IAM user to assume the newly created role. The following example shows a trust relationship that allows a role to be assumed by an IAM user named johndoe:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/johndoe"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Next, grant your IAM user permission to assume the role. The following example shows an AWS IAM policy that allows an IAM user to assume the s3admin role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::123456789012:role/s3admin"
    }
  ]
}

Find an IAM role within your Splunk platform instance

Collecting data using an auto-discovered EC2 IAM role is not supported in the AWS China region.

  1. Follow IAM roles for Amazon EC2 in the AWS documentation to set up an IAM role for your EC2.
  2. Ensure that this role has adequate permissions. If you do not give this role all of the permissions required for all inputs, configure AWS accounts specific to inputs not covered by the permissions for this role.
  3. On the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
  4. Click Configuration in the app navigation bar. By default, the add-on displays the Account tab.
  5. Look for the EC2 IAM role in the Autodiscovered IAM Role column. If you are in your own managed AWS environment and have an EC2 IAM role configured, it appears in this account list automatically.

You can also configure AWS accounts if you want to use both EC2 IAM roles and user accounts to ingest your AWS data.

You cannot edit or delete EC2 IAM roles from the add-on.

Add and manage AWS accounts

Perform the following steps to add an AWS account:

  1. In the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
  2. Click Configuration in the app navigation bar. The add-on displays the Account tab.
  3. Click Add.
  4. Name the AWS account. You cannot change this name once you configure the account.
  5. Enter the Key ID and Secret Key credentials for the AWS account that the Splunk platform uses to access your AWS data. The accounts that you configure must have the necessary permissions to access the AWS data that you want to collect.
  6. Select the Region Category for the account. The most common category is Global.
  7. Click Add.

Edit existing accounts by clicking Edit in the Actions column.

Delete an existing account by clicking Delete in the Actions column. You cannot delete accounts that are associated with any inputs, even if those inputs are disabled. To delete an account, delete the inputs or edit them to use a different account and then delete the account.

To use custom commands and alert actions, you must set up at least one AWS account on your Splunk platform deployment search head or search head cluster.

Add and manage private AWS accounts

Private account configurations are for users who want to use regional/private endpoints for account validation.

Perform the following steps to add a private AWS account:

  1. In the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
  2. Click Configuration in the app navigation bar. The add-on displays the Account tab.
  3. Click the Private Account tab.
  4. Click Add.
  5. Name the AWS private account. You cannot change this name once you configure the account.
  6. Enter the Key ID and Secret Key credentials for the AWS account that the Splunk platform uses to access your AWS data. The accounts that you configure must have the necessary permissions to access the AWS data that you want to collect.
  7. Select the Region Category for the private account. The most common category is Global.
  8. Select the Region which will be used for regional endpoints to authenticate account credentials.
  9. (Optional) To use private endpoints for account validation, click the Use Private Endpoints checkbox and enter the private endpoint URL of your AWS Security Token Service (STS). This step is only required if you have specific requirements for your private endpoints.
  10. Click Add.

Edit existing private accounts by clicking Edit in the Actions column of the Private Account tab.

Delete an existing private account by clicking Delete in the Actions column. You cannot delete private accounts that are associated with any inputs, even if those inputs are disabled. To delete a private account, delete the inputs or edit them to use a different account or private account and then delete the private account.


Add and manage IAM roles

Use the Configuration menu in the Splunk Add-on for AWS to manage AWS IAM roles that can be assumed by IAM users. Adding IAM roles lets the Splunk Add-on for AWS access the following AWS resources:

  • Generic S3
  • Incremental S3
  • SQS-based S3
  • Billing
  • Metadata
  • CloudWatch
  • Kinesis

Add an IAM role

Use the following steps to add an IAM role:

  1. On the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
  2. Click Configuration in the app navigation bar, and then click the IAM Role tab.
  3. Click Add.
  4. In the Name field, name the role to be assumed by authorized AWS accounts managed on the Splunk platform. You cannot change the name once you configure the role.
  5. In the ARN field, enter the role's Amazon Resource Name in the valid format: arn:aws:iam::<aws_resource_id>:role/<role_name>.
  6. Click Add.

Click Edit in the Actions column to edit existing IAM roles.

Click Delete in the Actions column to delete an existing role. You cannot delete roles associated with any inputs, even if those inputs are disabled. To delete an account, delete the inputs or edit them to use a different assumed role and then delete the role.

Configure a proxy connection

  1. On the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
  2. Click Configuration in the app navigation bar.
  3. Click the Proxy tab.
  4. Select the Enable box to enable the proxy connection and fill in the fields required for your proxy.
  5. Click Save.

To disable your proxy but save your configuration, uncheck the Enable box. The add-on stores your proxy configuration so that you can enable it later.

To delete your proxy configuration, delete the values in the fields.

Last modified on 22 February, 2024
PREVIOUS
Upgrade the Splunk Add-on for AWS
  NEXT
Configure Billing inputs for the Splunk Add-on for AWS

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters