Prerequisites for troubleshooting AWS data ingestion
You must have the correct AWS credentials and permissions to troubleshoot problems in the Data Manager data onboarding process.
Single AWS account
Create an IAM role with the following IAM role policy in the single data account. Replace <DATA_ACCOUNT_ID>
with the correct AWS account ID that has been onboarded as the single account.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:GetRole", "iam:PassRole", "iam:GetRolePolicy", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies", "iam:GetPolicy", "iam:GetPolicyVersion" ], "Resource": [ "arn:aws:iam::<DATA_ACCOUNT_ID>:role/SplunkDM*", "arn:aws:iam::<DATA_ACCOUNT_ID>:policy/*" ] }, { "Effect": "Allow", "Action": "guardduty:GetMasterAccount", "Resource": "arn:aws:guardduty:*:<DATA_ACCOUNT_ID>:detector/*" }, { "Effect": "Allow", "Action": [ "securityhub:GetEnabledStandards", "securityhub:GetMasterAccount", "securityhub:ListMembers", "securityhub:ListInvitations" ], "Resource": "arn:aws:securityhub:*:<DATA_ACCOUNT_ID>:hub/default" }, { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:GetTemplate" ], "Resource": "arn:aws:cloudformation:*:<DATA_ACCOUNT_ID>:stack/SplunkDM*/*" }, { "Effect": "Allow", "Action": [ "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudtrail:DescribeTrails", "guardduty:ListDetectors", "guardduty:ListMembers", "guardduty:ListInvitations", "guardduty:GetFindingsStatistics", "access-analyzer:ListAnalyzers", "sqs:GetQueueUrl" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "logs:DescribeLogGroups", "logs:DescribeSubscriptionFilters" ], "Resource": [ "arn:aws:logs:*:<DATA_ACCOUNT_ID>:log-group:*" ] }, { "Effect": "Allow", "Action": [ "firehose:DescribeDeliveryStream" ], "Resource": [ "arn:aws:firehose:*:<DATA_ACCOUNT_ID>:deliverystream/SplunkDM*" ] }, { "Effect": "Allow", "Action": [ "events:DescribeRule" ], "Resource": [ "arn:aws:events:*:<DATA_ACCOUNT_ID>:rule/SplunkDM*" ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::splunkdmfailed*", "arn:aws:s3:::sdm-dataingest-cft*" ] }, { "Effect": "Allow", "Action": [ "lambda:GetFunction" ], "Resource": [ "arn:aws:lambda:*:<DATA_ACCOUNT_ID>:function:SplunkDM*" ] } ] }
Multiple AWS Accounts
If you are using multiple AWS accounts, you must have IAM roles for Control and Data accounts
Control Account
Create an IAM role with the following IAM role policy in the control account. Replace <CONTROL_ACCOUNT_ID>
with the correct AWS account ID for the control account in the Data Manager AWS multiple account input.
{ "Version": "2012-10-17", Statement: [ { "Effect": "Allow", "Action": [ "iam:GetRole", "iam:GetRolePolicy", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies", "iam:GetPolicy", "iam:GetPolicyVersion", "cloudformation:DescribeStackSet", "cloudformation:DescribeStacks", "cloudformation:ListStackInstances", "cloudformation:ListStackSetOperations" ], "Resource": [ "arn:aws:cloudformation:*:<CONTROL_ACCOUNT_ID>:stack/SplunkDM*/*", "arn:aws:cloudformation:*:<CONTROL_ACCOUNT_ID>:stackset/SplunkDM*:*", "arn:aws:iam::<CONTROL_ACCOUNT_ID>:role/AWSCloudFormationStackSetAdministrationRole", "arn:aws:iam::<CONTROL_ACCOUNT_ID>:policy/*" ], }, { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::sdm-dataingest-cft*"] } ] }
Data Accounts
Create an IAM role with the following IAM role policy in all the data accounts. Replace <DATA_ACCOUNT_ID>
with the correct AWS data account ID for the data account in the Data Manager AWS multiple account input. If this IAM role is created in many accounts, then you must use the CloudFormation StackSet to create the role in all the data accounts.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:GetRole", "iam:GetRolePolicy", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies", "iam:GetPolicy", "iam:GetPolicyVersion", "guardduty:GetMasterAccount", "securityhub:ListMembers", "securityhub:GetMasterAccount", "securityhub:GetEnabledStandards", "securityhub:ListInvitations", "cloudformation:DescribeStacks" ], "Resource": [ "arn:aws:iam::<DATA_ACCOUNT_ID>:role/AWSCloudFormationStackSetExecutionRole", "arn:aws:iam::<DATA_ACCOUNT_ID>:role/SplunkDM*", "arn:aws:iam::<DATA_ACCOUNT_ID>:policy/*", "arn:aws:guardduty:*:<DATA_ACCOUNT_ID>:detector/*", "arn:aws:securityhub:*:<DATA_ACCOUNT_ID>:hub/default", "arn:aws:cloudformation:*:<DATA_ACCOUNT_ID>:stack/StackSet-SplunkDM*/*" ] }, { "Effect": "Allow", "Action": [ "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudtrail:DescribeTrails", "access-analyzer:ListAnalyzers", "guardduty:ListDetectors", "guardduty:ListMembers", "guardduty:ListInvitations", "guardduty:GetFindingsStatistics" ], "Resource": "*" }, { "Effect": "Allow", "Action": ["logs:DescribeLogGroups", "logs:DescribeSubscriptionFilters"], "Resource": ["arn:aws:logs:*:<DATA_ACCOUNT_ID>:log-group:*"] }, { "Effect": "Allow", "Action": ["firehose:DescribeDeliveryStream"], "Resource": ["arn:aws:firehose:*:<DATA_ACCOUNT_ID>:deliverystream/SplunkDM*"] }, { "Effect": "Allow", "Action": ["events:DescribeRule"], "Resource": ["arn:aws:events:*:<DATA_ACCOUNT_ID>:rule/SplunkDM*"] }, { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::splunkdmfailed*"] }, { "Effect": "Allow", "Action": ["lambda:GetFunction"], "Resource": ["arn:aws:lambda:*:<DATA_ACCOUNT_ID>:function:SplunkDM*"] } ] }
Troubleshoot the HEC Configuration | Troubleshoot the AWS account prerequisites |
This documentation applies to the following versions of Data Manager: 1.3.1
Feedback submitted, thanks!