Configure AWS for onboarding from multiple accounts
You can use multiple account onboarding to ingest data from multiple AWS accounts.
Choose one AWS account as a control account. The control account is an AWS account ID that you designate as the management account. It allows you to create, update, and delete stack sets across multiple accounts and regions. It is a separate account from the data accounts that you plan to monitor.
Choose multiple AWS accounts as your data accounts. The data accounts are AWS account IDs that you designate as the target accounts from which to ingest data. Data accounts are managed by the control account. The same data account cannot be used in multiple data inputs, managed by different control accounts, in Data Manager.
Choose a control account
The AWS admin must choose a control account for this data input. The control account is an AWS account where you will drive StackSet operations. It allows you to create, update, and delete StackSets to manage resources across multiple data accounts and regions. The same control account can be used in multiple data inputs, managed by different control accounts, in Data Manager.
(Optional) Create an onboarding user
If you are the AWS admin and will be completing the AWS data onboarding, then you can use your admin privileges to complete the data onboarding steps. If you want a different user to continue with the onboarding, then create a user in the AWS account with the following permissions. The user can be created as an IAM user, IAM role, SAML user, or any of your company's AWS user creation policies. Make sure that this user has both AWS CLI and console access.
Configure through the console
As one example, consider the scenario of creating an IAM user to complete the data onboarding. To create an IAM user, complete the following steps in the AWS console.
- Log into your AWS account.
- Navigate to IAM > Users.
- Click Add user.
- In the User name field, type any name of your choice, such as OnboardingUser.
- For the Access type check box, select AWS Management Console access.
- For the Console password radio button, select the option of your choice.
- For the Required password reset check box, select User must create a new password at next sign-in.
- Click Next: Permissions.
- For Set permissions complete the following steps:
- Click Attach existing policies directly.
- Click Create policy.
- In the new browser window that opens, click the JSON tab.
- Overwrite the JSON text by copying and pasting the Permissions from the Data Manager UI.
- Replace the
<CONTROL_ACCOUNT_ID>
variables with your account ID. - Click Next: Tags > Next: Review.
- In the Name field, type any name of your choice, such as OnboardingUserPolicy.
- Click Create policy.
- Go back to the previous tab, so that you see the set permissions section.
- Click the refresh icon.
- In the Filter policies field, search for your policy name.
- Select the check box for your policy.
- Click Next: Tags > Next: Review.
- Click Create user.
Create the AWSCloudFormationStackSetAdministrationRole in the control account
If this role already exists in the control account, the AWS admin can skip this step. This role allows you to manage StackSet operations from the control account.
Configure through the console
Complete the following steps in the AWS console.
- Log into your control account.
- Navigate to IAM > Roles.
- Click Create role.
- From Choose a use case, click CloudFormation as the service.
- Click Next: Permissions > Next: Tags > Next: Review.
- In the Role Name field, type exactly the name of AWSCloudFormationStackSetAdministrationRole and click Create role.
- Click AWSCloudFormationStackSetAdministrationRole.
- Under the Permissions tab, click Add inline policy.
- Click the JSON tab.
- Copy and paste the Role Policy from the Data Manager UI, making sure to overwrite the text in the json text box.
- Click Review Policy.
- In the Name field, type any name of your choice, such as AWSCloudFormationStackSetAdministrationRolePolicy.
- Click Create policy.
Configure through the CLI
Prepare the terminal to use the AWS credentials that allow you to run the following CLI command against your control account. See AWS CLI Prerequisites.
- Create the AWSCloudFormationStackSetAdministrationRole:
aws iam create-role --role-name AWSCloudFormationStackSetAdministrationRole --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"cloudformation.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
- Create the inline policy for AWSCloudFormationStackSetAdministrationRolePolicy and attach it to the role:
aws iam put-role-policy --policy-name AWSCloudFormationStackSetAdministrationRolePolicy --policy-document '{"Version":"2012-10-17","Statement":[{"Action":["sts:AssumeRole"],"Resource":["arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole"],"Effect":"Allow"}]}' --role-name AWSCloudFormationStackSetAdministrationRole
Sample role policy and trust relationship
See the following sample role policy and trust relationship for the AWSCloudFormationStackSetAdministrationRole role in the Control Account
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" ], "Resource": [ "arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole" ], "Effect": "Allow" } ] }
Trust Relationship
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "cloudformation.amazonaws.com" }, "Action": [ "sts:AssumeRole" ] } ] }
Create the AWSCloudFormationStackSetExecutionRole in the data accounts
If this role already exists in each data account that you'll be using for this configuration, the AWS admin can skip this step. If the role doesn't exist, then the AWS admin creates the AWSCloudFormationStackSetExecutionRole in each data account. This role allows the control account to create stack instances in your data accounts. The stack instances create resources that include IAM roles, CloudWatch log subscription filters, CloudWatch event bridge rules, and Kinesis Data Firehose delivery streams.
Configure through the console
Complete the following steps in the AWS console.
- Log into your data account.
- Navigate to IAM > Roles.
- Click Create role.
- Click Another AWS account.
- In the Account ID field, type your control account ID.
- Click Next: Permissions > Next: Tags > Next: Review.
- In the Role Name field, type exactly the name of Create the AWSCloudFormationStackSetExecutionRole and click Create role.
- Click AWSCloudFormationStackSetExecutionRole. Click refresh if it is not available.
- Under the Permissions tab, click Add inline policy.
- Click the JSON tab.
- Copy and paste the Role Policy from the Data Manager UI, making sure to overwrite the text in the json text box.
The security warning is normal. No action is needed. - Click Review Policy.
- In the Name field, type any name of your choice, such as AWSCloudFormationStackSetExecutionRolePolicy.
The summary notice is normal. No action is needed. - Click Create policy.
- Repeat for each data account that you want added to this configuration.
Configure through the CLI
Prepare the terminal to use the AWS credentials that allow you to run the following CLI command against each data account. See AWS CLI Prerequisites.
- Create the AWSCloudFormationStackSetExecutionRole, replacing the
<CONTROL_ACCOUNT_ID>
variable with your control account ID:aws iam create-role --role-name AWSCloudFormationStackSetExecutionRole --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::<CONTROL_ACCOUNT_ID>:root"},"Action":"sts:AssumeRole","Condition":{}}]}'
- Create the inline policy for AWSCloudFormationStackSetExecutionRolePolicy and attach it to the role:
aws iam put-role-policy --policy-name AWSCloudFormationStackSetExecutionRolePolicy --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}' --role-name AWSCloudFormationStackSetExecutionRole
Sample role policy and trust relationship
See the following sample role policy and trust relationship for the AWSCloudFormationStackSetExecutionRole role in each AWS Account
Role Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchLogsPermissions", "Effect": "Allow", "Action": [ "Logs:CreateLogGroup", "Logs:DeleteLogGroup", "Logs:CreateLogStream", "Logs:DeleteLogStream" ], "Resource": [ "arn:aws:logs:*:<DATA_ACCOUNT_ID>:log-group:/aws/kinesisfirehose/SplunkDM*" ] }, { "Sid": "CloudFormationPermissions", "Effect": "Allow", "Action": [ "cloudformation:*" ], "Resource": [ "arn:aws:cloudformation:*:<DATA_ACCOUNT_ID>:stack/StackSet-SplunkDM*/*" ] }, { "Sid": "IamPermissionsPermissions", "Effect": "Allow", "Action": [ "iam:*" ], "Resource": [ "arn:aws:iam::<DATA_ACCOUNT_ID>:policy/SplunkDM*", "arn:aws:iam::<DATA_ACCOUNT_ID>:role/SplunkDM*" ] }, { "Sid": "LambdaPermissions", "Effect": "Allow", "Action": [ "lambda:*" ], "Resource": [ "arn:aws:lambda:*:<DATA_ACCOUNT_ID>:function:SplunkDM*" ] }, { "Sid": "FirehosePermissions", "Effect": "Allow", "Action": [ "firehose:*" ], "Resource": [ "arn:aws:firehose:*:<DATA_ACCOUNT_ID>:deliverystream/SplunkDM*" ] }, { "Sid": "EventBridgePermissions", "Effect": "Allow", "Action": [ "events:*" ], "Resource": [ "arn:aws:events:*:<DATA_ACCOUNT_ID>:rule/SplunkDM*" ] } ] }
Trust Relationship
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<CONTROL_ACCOUNT_ID>:root" }, "Action": "sts:AssumeRole" } ] }
Create the SplunkDMReadOnly role in the control account
If this role already exists in the control account, the AWS admin can skip this step. If the role doesn't exist, then the AWS admin creates the SplunkDMReadOnly role in the control account. This role is needed in the control account for reading IAM user and CloudFormation StackSet status. Make sure that the AWS administrator replaces the account identifiers in the policy.
Configure through the console
Complete the following steps in the AWS console.
- Log into your control account.
- Navigate to IAM > Roles.
- Click Create role.
- Click Another AWS account.
- In the Account ID field, copy and paste the Splunk Cloud account ID from the Trust Relationship in the Data Manager UI. <For example, copy
123456789012
from the principal object:"Principal" : {"arn:aws:iam::'''123456789012''':role/cfgh-d12345-12345"}
- Click the Options check box for Require external ID.
- In the External ID field, copy and paste the
sts:Externald
from the Trust Relationship in the Data Manager UI. For example, copyffcbd123-1a234-123b-12c3-1234567890b
from the conditions object:"Conditions": {"StringEquals": {"sts:ExternalID": "'''ffcbd123-1a234-123b-12c3-1234567890b'''"}}
- In the External ID field, copy and paste the
- Click Next: Permissions > Next: Tags > Next: Review.
- In the Role Name field, type the name SplunkDMReadOnly and click Create role.
- Click SplunkDMReadOnly.
- Under the Permissions tab, click Add inline policy.
- Click theJSON tab.
- Overwrite the JSON text by copying and pasting the Role Policy from the Data Manager UI.
- Replace the <CONTROL_ACCOUNT_ID> variables with your control account ID.
- Click Review Policy.
- In the Name field, type any name of your choice, such as SplunkDMReadOnlyPolicy.
- Click Create policy.
- Under the Trust relationships tab, click Edit trust relationship.
- Update the AWS principal, such as "arn:aws:iam::123456789012:role/cfgh-d12345-12345" from the Data Manager UI.
- Click Update Trust Policy.
Configure through the CLI
Prepare the terminal to use the AWS credentials that allow you to run the following CLI command against your control account. For more information, see the AWS CLI Prerequisites topic in this manual.
- Create the SplunkDMReadOnly role, replacing the <CONTROL_ACCOUNT_ID> variables with your control account ID and replacing the
<EXTERNAL_ID>
variable from the Trust Relationship in the Data Manager UI:aws iam create-role --role-name SplunkDMReadOnly --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam::<CONTROL_ACCOUNT_ID>:role/cfgh-d12345-12345"]},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"sts:ExternalId":"<EXTERNAL_ID>"}}}]}'
- Create the inline policy for SplunkDMReadOnlyPolicy and attach it to the role, replacing the
<CONTROL_ACCOUNT_ID>
variables with your control account ID:aws iam put-role-policy --policy-name SplunkDMReadOnlyPolicy --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iam:GetRole","iam:GetRolePolicy","iam:ListRolePolicies","iam:ListAttachedRolePolicies","iam:GetPolicy","iam:GetPolicyVersion","cloudformation:DescribeStackSet","cloudformation:DescribeStacks","cloudformation:ListStackInstances","cloudformation:ListStackSetOperations"],"Resource":["arn:aws:cloudformation:*:<CONTROL_ACCOUNT_ID>:stack/SplunkDM*/*","arn:aws:cloudformation:*:<CONTROL_ACCOUNT_ID>:stackset/SplunkDM*:*","arn:aws:iam::<CONTROL_ACCOUNT_ID>:role/AWSCloudFormationStackSetAdministrationRole","arn:aws:iam::<CONTROL_ACCOUNT_ID>:policy/*"]}]}' --role-name SplunkDMReadOnly
Sample role policy and trust relationship
See the following sample role policy and trust relationship for the SplunkDMReadOnly role in the Control Account
Role Policy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:GetRole", "iam:GetRolePolicy", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies", "iam:GetPolicy", "iam:GetPolicyVersion", "cloudformation:DescribeStackSet", "cloudformation:DescribeStacks", "cloudformation:ListStackInstances", "cloudformation:ListStackSetOperations" ], "Resource": [ "arn:aws:cloudformation:*:<CONTROL_ACCOUNT_ID>:stack/SplunkDM*/*", "arn:aws:cloudformation:*:<CONTROL_ACCOUNT_ID>:stackset/SplunkDM*:*", "arn:aws:iam::<CONTROL_ACCOUNT_ID>:role/AWSCloudFormationStackSetAdministrationRole", "arn:aws:iam::<CONTROL_ACCOUNT_ID>:policy/*" ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::sdm-dataingest-cft*" ] } ] }
Trust Relationship
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "AWS": "arn:aws:iam::390163525689:role/scdm-preview-51" }, "Condition": { "StringEquals": { "sts:ExternalId": "5bdef356-90fc-11ec-9f71-02ce6c1b0215" } } } ] }
Create the SplunkDMReadOnly role in the Data Accounts
Create a StackSet in your control account to push the SplunkDMReadOnly role to each of your data accounts. Download the CloudFormation Template that you will use in your control account to create a StackSet that will create this role in each data account. Select only one region for deployment, preferably US East (Virginia), but the region is your choice for the prerequisites. Do not deploy this template in more than one region. This role allows Splunk Cloud to read metadata from CloudTrail, Security Hub, GuardDuty, CloudFormation, Firehose, S3, lambda, events, and logs.
Configure through the console
Complete the following steps in the AWS console.
- Download the template from the Data Manager UI.
- Log into your control account.
- Navigate to CloudFormation > StackSets.
- Click Create StackSet from any region, preferably US East (Virginia).
- Click Template is ready.
- Click Upload a template file and choose the file you downloaded. File name cannot contain parenthesis.
- Click Next.
- Name the StackSet such as SplunkDMReadOnly, and click Next.
- Under Permissions, select the following:
- IAM role name: AWSCloudFormationStackSetAdministrationRole
- IAM execution role name: AWSCloudFormationStackSetExecutionRole
- Click Next.
- Under Account numbers, provide a comma-separated list of all your data account IDs.
- Under Specify regions, specify any region, preferably US East (Virginia).
- Under Deployment options, set the Maximum concurrent accounts to the number of data accounts that you're using.
- Click Next.
- Check the check box for I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- Click Submit.
Sample role policy and trust relationship
See the following sample role policy and trust relationship for the StackSet that will create the SplunkDMReadOnly Role in each AWS Account.
Role Policy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:GetRole", "iam:GetRolePolicy", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies", "iam:GetPolicy", "iam:GetPolicyVersion", "guardduty:GetMasterAccount", "securityhub:ListMembers", "securityhub:GetMasterAccount", "securityhub:GetEnabledStandards", "securityhub:ListInvitations", "cloudformation:DescribeStacks" ], "Resource": [ "arn:aws:iam::<DATA_ACCOUNT_ID>:role/AWSCloudFormationStackSetExecutionRole", "arn:aws:iam::<DATA_ACCOUNT_ID>:role/SplunkDM*", "arn:aws:iam::<DATA_ACCOUNT_ID>:policy/*", "arn:aws:guardduty:*:<DATA_ACCOUNT_ID>:detector/*", "arn:aws:securityhub:*:<DATA_ACCOUNT_ID>:hub/default", "arn:aws:cloudformation:*:<DATA_ACCOUNT_ID>:stack/StackSet-SplunkDM*/*" ] }, { "Effect": "Allow", "Action": [ "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudtrail:DescribeTrails", "access-analyzer:ListAnalyzers", "guardduty:ListDetectors", "guardduty:ListMembers", "guardduty:ListInvitations", "guardduty:GetFindingsStatistics" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "logs:DescribeLogGroups", "logs:DescribeSubscriptionFilters" ], "Resource": [ "arn:aws:logs:*:<DATA_ACCOUNT_ID>:log-group:*" ] }, { "Effect": "Allow", "Action": [ "firehose:DescribeDeliveryStream" ], "Resource": [ "arn:aws:firehose:*:<DATA_ACCOUNT_ID>:deliverystream/SplunkDM*" ] }, { "Effect": "Allow", "Action": [ "events:DescribeRule" ], "Resource": [ "arn:aws:events:*:<DATA_ACCOUNT_ID>:rule/SplunkDM*" ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::splunkdmfailed*" ] }, { "Effect": "Allow", "Action": [ "lambda:GetFunction" ], "Resource": [ "arn:aws:lambda:*:<DATA_ACCOUNT_ID>:function:SplunkDM*" ] } ] }
Trust Relationship
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "AWS": "arn:aws:iam::390163525689:role/scdm-preview-51" }, "Condition": { "StringEquals": { "sts:ExternalId": "5bdef356-90fc-11ec-9f71-02ce6c1b0215" } } } ] }
Configure AWS for onboarding from a single account | Configure Custom Logs in Data Manager |
This documentation applies to the following versions of Data Manager: 1.10.0
Feedback submitted, thanks!