Onboard AWS in Data Manager
Data Manager helps you quickly set up multiple AWS accounts for data ingestion into your Splunk Cloud deployment.
Stages of onboarding
Data Manager walks you through various stages depending if you're onboarding a single AWS account or multiple AWS accounts.
The onboarding steps are described in detail within Data Manager. The details are not duplicated here. Wait for each step to finish, before attempting to continue on to the next step.
Onboard a single account
Onboarding a single AWS account consists of the following stages:
- Configure the AWS prerequisites in the data account.
- Configure the data account, regions, and data sources.
- Create a data ingestion CloudFormation stack in each region.
Onboard multiple accounts
Onboarding multiple AWS accounts consists of the following stages:
- Configure the AWS prerequisites in the control account and data accounts.
- Configure the control account, data accounts, regions, and data sources.
- Create a control account CloudFormation StackSet to manage the data accounts.
- Create data account CloudFormation stack instances per region.
Use cases for the AWS data input in Data Manager
Use the AWS data input in Data Manager to collect data on Amazon Web Services. The AWS data input in Data Manager offers pretested add-on inputs for multiple use cases.
See the following table for use cases and corresponding collection methods:
Use case | Add-on inputs |
---|---|
Use the AWS data input in Data Manager to push CloudTrail log data to the Splunk platform. CloudTrail allows you to audit your AWS account. |
|
Use the AWS data input in Data Manager to push IT and performance data on your Amazon Web Service into the Splunk platform. |
|
Use the AWS data input in Data Manager to push security data on your Amazon Web Service into the Splunk platform. |
|
Summary of CloudFormation stack templates
A high-level summary of CloudFormation stack templates follows.
The onboarding steps are described in detail within Data Manager. The details are not duplicated here.
- Splunk provides CloudFormation templates to establish the stack set execution role and the Data Manager read role.
- The read role allows Splunk to read metadata from CloudTrail, SecurityHub, GuardDuty, CloudFormation, Firehose, S3, Lambda, events, and logs.
- The template also creates five other IAM roles to allow Firehose, CloudWatch, Lambda, S3, logs, and events to interact amongst themselves.
- You apply the templates.
Deploy CloudFormation templates
Data Manager uses us-east-1 to set up resources, such as IAM Roles, that do not need to be configured in all the regions that you select for data onboarding. When creating and deleting resources, the resources in us-east-1 are created first and they are deleted last. The CloudFormation templates automatically create a stack or stackset in the us-east-1 region for data ingestion.
Deploying templates takes approximately ten minutes.
- Splunk provides a nested stack set template, which takes a couple of minutes to prepare.
- You download the template when the download button is enabled.
- You apply the template in the control account to start setting up resources across all the list of data accounts, for data ingestion into Splunk through the Firehose.
- Data starts flowing within five minutes.
Wait for the stack to reach the CREATE_COMPLETE
status. This indicates a successful stack creation.
The template preparation period varies depending on the number of data sources you selected during onboarding. After you specify the data sources that need to be onboarded, the backend synchronously creates one HTTP Event Collector (HEC) token for every dataset as part of the final download ingest templates operation.
You see this as a disabled download button in the UI until all the tokens are created. If you hover over the download button, you see the message regarding template preparation. There is also an information banner with status and tips. The template download button is enabled when all tokens are created for data ingestion through the Firehose.
Click Finish to navigate to the Data Management home page and see your data input.
Summary of CloudFormation template resources
The following table displays the resources that are deployed on your AWS deployment by the CloudFormation template.
Resource name | Description |
---|---|
Amazon Kinesis | An AWS-specific big data streaming platform and event ingestion service. |
AWS Lambda | A serverless compute service that runs code on demand, without needing to host it on a server and managing infrastructure. |
Amazon S3 | A storage account contains AWS Storage data objects, including storage blobs. The storage account provides a unique namespace for your AWS Storage data. |
AWS IAM Role | The Data Manager CloudFormation template deploys a role to give the service principal created permissions that are used to read the metadata of the AWS account and AWS resources that are created during the deployment of the CloudFormation template. These resources are used by Data Manager to make recommendations during onboarding. |
AWS prerequisites for Data Manager | Configure AWS for onboarding from a single account |
This documentation applies to the following versions of Data Manager: 1.7.0
Feedback submitted, thanks!