Data Manager

User Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Data Manager. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Configure AWS for onboarding from a single account

You can use single account onboarding to ingest data from a single AWS account. Choose one account for use as both the management account and as the target account from which to ingest data. This one account allows you to create, update, and delete stack sets across multiple regions.

Create a SplunkDMReadOnly role

A SplunkDMReadOnly role allows Splunk Cloud to read metadata from your AWS events and logs.

Configure through the console

Complete the following steps in the AWS console.

  1. Log into your AWS account.
  2. Navigate to IAM > Roles.
  3. Click Create role.
  4. Click Another AWS account.
  5. In the Role Name field, type exactly the name of SplunkDMReadOnly and click Create role.
  6. Click SplunkDMReadOnly.
  7. Under the Permissions tab, click Add inline policy.
    1. Click the JSON tab.
    2. Overwrite the JSON text by copying and pasting the Role Policy from the Data Manager UI.
    3. Click Review Policy.
    4. In the Name field, type any name of your choice, such as SplunkDMReadOnlyPolicy.
    5. Click Create policy.
  8. Under the Trust relationships tab, click Edit trust relationship.
    1. Overwrite the JSON text by copying and pasting the Trust Relationship from the Data Manager UI.
    2. Replace the <DATA_ACCOUNT_ID> variables with your account ID.
    3. Click Update Trust Policy.

Configure through the CLI

Prepare the terminal to use the AWS credentials that allow you to run the following CLI command against your AWS account. See the AWS CLI Prerequisites topic in this manual.

  1. Create the SplunkDMReadOnly role, replacing the <EXTERNAL_ID> variable from the Trust Relationship in the Data Manager UI: 
    aws iam create-role --role-name SplunkDMReadOnly --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Principal":{"AWS":"*"},"Condition":{"StringEquals":{"sts:ExternalId":"<EXTERNAL_ID>"}}}]}'
  2. Create the inline policy for SplunkDMReadOnlyPolicy and attach it to the role, replacing the <DATA_ACCOUNT_ID> variables with your AWS account ID from the Role Policy in the Data Manager UI: 
    aws iam put-role-policy --policy-name SplunkDMReadOnlyPolicy --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iam:GetRole","iam:PassRole","iam:GetRolePolicy"],"Resource":"arn:aws:iam::<DATA_ACCOUNT_ID>:role/SplunkDM*"},{"Effect":"Allow","Action":"guardduty:GetMasterAccount","Resource":"arn:aws:guardduty:*:<DATA_ACCOUNT_ID>:detector/*"},{"Effect":"Allow","Action":["securityhub:GetEnabledStandards","securityhub:GetMasterAccount"],"Resource":"arn:aws:securityhub:*:<DATA_ACCOUNT_ID>:hub/default"},{"Effect":"Allow","Action":"cloudformation:GetTemplate","Resource":"arn:aws:cloudformation:*:<DATA_ACCOUNT_ID>:stack/SplunkDM*/*"},{"Effect":"Allow","Action":["cloudtrail:DescribeTrails","cloudformation:DescribeStacks","guardduty:ListDetectors","access-analyzer:ListAnalyzers"],"Resource":"*"}]}' --role-name SplunkDMReadOnly

(Optional) Create an onboarding user

If you are the AWS admin and will be completing the AWS data onboarding, then you can use your admin privileges to complete the data onboarding steps. If you want a different user to continue with the onboarding, then create a user in the AWS account with the following permissions. The user can be created as an IAM user, IAM role, SAML user, or any of your company's AWS user creation policies. Make sure that this user has both AWS CLI and console access.

Configure through the console

As one example, consider the scenario of creating an IAM user to complete the data onboarding. To create an IAM user, complete the following steps in the AWS console.

  1. Log into your AWS account.
  2. Navigate to IAM > Users.
  3. Click Add user.
    1. In the User name field, type any name of your choice, such as OnboardingUser.
    2. For the Access type check box, select AWS Management Console access.
    3. For the Console password radio button, select the option of your choice.
    4. For the Required password reset check box, select User must create a new password at next sign-in.
    5. Click Next: Permissions.
  4. For Set permissions complete the following steps:
    1. Click Attach existing policies directly.
    2. Click Create policy.
    3. In the new browser window that opens, click the JSON tab.
    4. Overwrite the JSON text by copying and pasting the Permissions from the Data Manager UI.
    5. Replace the <DATA_ACCOUNT_ID> variables with your account ID.
    6. Click Next: Tags > Next: Review.
    7. In the Name field, type any name of your choice, such as OnboardingUserPolicy.
    8. Click Create policy.
  5. Go back to the previous tab, so that you see the set permissions section.
  6. Click the refresh icon.
  7. In the Filter policies field, search for your policy name.
  8. Select the check box for your policy.
  9. Click Next: Tags > Next: Review.
  10. Click Create user.
Last modified on 14 July, 2022
PREVIOUS
Onboard AWS in Data Manager 		  NEXT
Configure AWS for onboarding from multiple accounts

This documentation applies to the following versions of Data Manager: 1.6.1

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters