Troubleshoot AWS IAM Access Analyzer data ingestion
Troubleshoot the AWS IAM Access Analyzer data ingestion process.
IAM Access Analyzer data cannot be found
AWS Access Analyzer data cannot be found
Cause
AWS IAM Access Analyzer is not enabled or is not configured correctly, or Splunk HEC is not configured correctly.
Solution
- Log in to the AWS account, and select the region.
- Navigate to IAM Console, and check if IAM Access Analyzer is enabled in the region of the AWS account you are trying to get data from. See the Enabling Access Analyzer section of the Getting started with AWS IAM Access Analyzer manual in the AWS documentation for more information.
- If IAM Access Analyzer is already created and you still don't see the events you are looking for, check the Splunk-side HEC configuration. See the HTTP Event Collector (HEC) configuration reference topic in this manual to troubleshoot Splunk software-side HEC configurations.
- If the HEC token is present and is enabled, navigate to IAM Access Analyzer on your AWS account and check if you have any findings.
- If there are findings and data is not flowing to your Splunk Cloud deployment, in AWS, navigate to EventBridge > Rules in the same region and check if SplunkDMIAMAccessAnalyzerDeliveryStream exists.
- In AWS, navigate to Kinesis > Delivery streams, and check for SplunkDMIAMAccessAnalyzerDeliveryStream.
- If the SplunkDMIAMAccessAnalyzerDeliveryStream stream exists, navigate to the Monitoring tab and see if events are being generated in AWS.
- To debug issues with the AWS Kinesis Firehose stream, refer to Troubleshoot AWS Kinesis Firehose data ingestion.
- If you are still facing issues, delete the data input in Data Manager and recreate it.
- If the configuration is correct and your data still cannot be found, contact Splunk Support.
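
The AWS-side checks in the steps above can be run in one pass with the AWS CLI, reporting the first stage that fails. This is an added example, not part of the Splunk documentation: the function names and stage labels are hypothetical, and it assumes a configured AWS CLI with read-only access and an EventBridge rule on the default event bus.

```shell
#!/usr/bin/env bash
# Added example, not Splunk's or AWS's code. STREAM is the name used on this page.
STREAM="SplunkDMIAMAccessAnalyzerDeliveryStream"

# Run a read-only AWS CLI query; print nothing on error or a null ("None") result.
q() {
  local out
  out=$(aws "$@" --output text 2>/dev/null) || out=""
  if [ "$out" = "None" ]; then out=""; fi
  printf '%s' "$out"
}

# Print the first check that fails for REGION, in the order of the steps above.
first_failing_stage() {
  local region="$1" arn now recs
  # Is an ACTIVE analyzer present in this region?
  arn=$(q accessanalyzer list-analyzers --region "$region" \
        --query "analyzers[?status=='ACTIVE'].arn | [0]")
  [ -n "$arn" ] || { echo "analyzer"; return 0; }
  # Does the analyzer have any findings to forward?
  [ -n "$(q accessanalyzer list-findings --analyzer-arn "$arn" --region "$region" \
        --no-paginate --query 'findings[0].id')" ] || { echo "findings"; return 0; }
  # Does the EventBridge rule exist (name as given on this page)?
  [ -n "$(q events list-rules --name-prefix "$STREAM" --region "$region" \
        --query 'Rules[0].Name')" ] || { echo "eventbridge_rule"; return 0; }
  # Does the Firehose delivery stream exist?
  [ -n "$(q firehose describe-delivery-stream --delivery-stream-name "$STREAM" \
        --region "$region" --query 'DeliveryStreamDescription.DeliveryStreamStatus')" ] \
        || { echo "firehose_stream"; return 0; }
  # Monitoring tab equivalent: records received by the stream in the last hour.
  now=$(date +%s)
  recs=$(q cloudwatch get-metric-statistics --namespace AWS/Firehose \
        --metric-name IncomingRecords --region "$region" \
        --dimensions "Name=DeliveryStreamName,Value=$STREAM" \
        --start-time "$((now - 3600))" --end-time "$now" --period 3600 \
        --statistics Sum --query 'sum(Datapoints[].Sum)')
  case "$recs" in ""|0|0.0) echo "firehose_no_events"; return 0 ;; esac
  echo "ok"
}

# Usage: ./check.sh us-east-1
if [ -n "${1:-}" ]; then first_failing_stage "$1"; fi
```

A result of `ok` means events are reaching the delivery stream, which points the investigation at the Firehose-to-HEC leg and the Splunk-side HEC configuration.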
This documentation applies to the following versions of Data Manager: 1.11.0