Data Manager

Troubleshooting Manual

Prerequisites for troubleshooting AWS data ingestion

You must have the correct AWS credentials and permissions to troubleshoot problems in the Data Manager data onboarding process.

Single AWS account

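Create an IAM role with the following IAM role policy in the single data account. Replace <DATA_ACCOUNT_ID> with the AWS account ID that has been onboarded as the single account. Every action in this policy is a read-only Get, List, or Describe call except iam:PassRole, which does not appear in the multiple-account policies below. Keep iam:PassRole scoped to the SplunkDM* role prefix as shown, and confirm that your troubleshooting workflow needs it before you grant it.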

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "iam:GetRolePolicy",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:GetPolicyVersion"
      ],
      "Resource": [
        "arn:aws:iam::<DATA_ACCOUNT_ID>:role/SplunkDM*",
        "arn:aws:iam::<DATA_ACCOUNT_ID>:policy/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "guardduty:GetMasterAccount",
      "Resource": "arn:aws:guardduty:*:<DATA_ACCOUNT_ID>:detector/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "securityhub:GetEnabledStandards",
        "securityhub:GetMasterAccount",
        "securityhub:ListMembers",
        "securityhub:ListInvitations"
      ],
      "Resource": "arn:aws:securityhub:*:<DATA_ACCOUNT_ID>:hub/default"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:GetTemplate"
      ],
      "Resource": "arn:aws:cloudformation:*:<DATA_ACCOUNT_ID>:stack/SplunkDM*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudtrail:DescribeTrails",
        "guardduty:ListDetectors",
        "guardduty:ListMembers",
        "guardduty:ListInvitations",
        "guardduty:GetFindingsStatistics",
        "access-analyzer:ListAnalyzers",
        "sqs:GetQueueUrl"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeSubscriptionFilters"
      ],
      "Resource": [
        "arn:aws:logs:*:<DATA_ACCOUNT_ID>:log-group:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "firehose:DescribeDeliveryStream"
      ],
      "Resource": [
        "arn:aws:firehose:*:<DATA_ACCOUNT_ID>:deliverystream/SplunkDM*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule"
      ],
      "Resource": [
        "arn:aws:events:*:<DATA_ACCOUNT_ID>:rule/SplunkDM*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::splunkdmfailed*",
        "arn:aws:s3:::sdm-dataingest-cft*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:<DATA_ACCOUNT_ID>:function:SplunkDM*"
      ]
    }
  ]
}

Multiple AWS Accounts

If you are using multiple AWS accounts, you must have IAM roles for both the control account and the data accounts.

Control Account

Create an IAM role with the following IAM role policy in the control account. Replace <CONTROL_ACCOUNT_ID> with the correct AWS account ID for the control account in the Data Manager AWS multiple account input.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "cloudformation:DescribeStackSet",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStackInstances",
                "cloudformation:ListStackSetOperations"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:<CONTROL_ACCOUNT_ID>:stack/SplunkDM*/*",
                "arn:aws:cloudformation:*:<CONTROL_ACCOUNT_ID>:stackset/SplunkDM*:*",
                "arn:aws:iam::<CONTROL_ACCOUNT_ID>:role/AWSCloudFormationStackSetAdministrationRole",
                "arn:aws:iam::<CONTROL_ACCOUNT_ID>:policy/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::sdm-dataingest-cft*"]
        }
    ]
}

Data Accounts

Create an IAM role with the following IAM role policy in all the data accounts. Replace <DATA_ACCOUNT_ID> with the correct AWS data account ID for the data account in the Data Manager AWS multiple account input. If this IAM role is created in many accounts, then you must use the CloudFormation StackSet to create the role in all the data accounts.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "guardduty:GetMasterAccount",
                "securityhub:ListMembers",
                "securityhub:GetMasterAccount",
                "securityhub:GetEnabledStandards",
                "securityhub:ListInvitations",
                "cloudformation:DescribeStacks"
            ],
            "Resource": [
                "arn:aws:iam::<DATA_ACCOUNT_ID>:role/AWSCloudFormationStackSetExecutionRole",
                "arn:aws:iam::<DATA_ACCOUNT_ID>:role/SplunkDM*",
                "arn:aws:iam::<DATA_ACCOUNT_ID>:policy/*",
                "arn:aws:guardduty:*:<DATA_ACCOUNT_ID>:detector/*",
                "arn:aws:securityhub:*:<DATA_ACCOUNT_ID>:hub/default",
                "arn:aws:cloudformation:*:<DATA_ACCOUNT_ID>:stack/StackSet-SplunkDM*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudtrail:DescribeTrails",
                "access-analyzer:ListAnalyzers",
                "guardduty:ListDetectors",
                "guardduty:ListMembers",
                "guardduty:ListInvitations",
                "guardduty:GetFindingsStatistics"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["logs:DescribeLogGroups", "logs:DescribeSubscriptionFilters"],
            "Resource": ["arn:aws:logs:*:<DATA_ACCOUNT_ID>:log-group:*"]
        },
        {
            "Effect": "Allow",
            "Action": ["firehose:DescribeDeliveryStream"],
            "Resource": ["arn:aws:firehose:*:<DATA_ACCOUNT_ID>:deliverystream/SplunkDM*"]
        },
        {
            "Effect": "Allow",
            "Action": ["events:DescribeRule"],
            "Resource": ["arn:aws:events:*:<DATA_ACCOUNT_ID>:rule/SplunkDM*"]
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::splunkdmfailed*"]
        },
        {
            "Effect": "Allow",
            "Action": ["lambda:GetFunction"],
            "Resource": ["arn:aws:lambda:*:<DATA_ACCOUNT_ID>:function:SplunkDM*"]
        }
    ]
}
Last modified on 05 September, 2024

This documentation applies to the following versions of Data Manager: 1.11.0

