SmartStore security strategies
SmartStore security strategies vary according to the type of remote storage service. This topic covers security when using S3 as the remote storage service.
Authenticate with the remote storage service
If the indexer or indexer cluster is running on EC2, use the credentials of the instance's IAM role. Leave remote.s3.access_key and remote.s3.secret_key unset; the indexer then obtains temporary credentials from the instance role, so no long-lived key is stored on disk.

If the indexer or indexer cluster is not running on EC2, hardcode the keys in indexes.conf. These are the relevant settings for hardcoding the S3 keys:

- remote.s3.access_key: Specifies the access key to use when authenticating with the remote storage system.
- remote.s3.secret_key: Specifies the secret key to use when authenticating with the remote storage system. Treat indexes.conf as a secret when it contains this value: restrict its file permissions and keep it out of source control and out of deployment bundles that other users can read.
- remote.s3.endpoint: Specifies the URL of the remote storage system. This setting tells the indexer where to go for S3 authentication. Use the endpoint for the S3 bucket's region, as an https:// URL. For example, https://s3-us-west-2.amazonaws.com.

For more information on these attributes, see the indexes.conf spec file.

The credentials you use, whether from the IAM role or from indexes.conf, need permission to perform S3 operations on the SmartStore bucket. They also need permission to perform KMS operations if you are encrypting data at rest on the remote store. Grant only those operations, scoped to the SmartStore bucket and key, rather than broad S3 or KMS access.
Manage SSL certificates for the remote store
The SSL certificate settings vary according to the remote storage service type. This section provides information for managing SSL for an S3 remote store, using the settings provided in indexes.conf. For more details on any of these settings, as well as for information on additional S3-related SSL settings, see the indexes.conf spec file.
The S3 SSL settings are overlaid on the sslConfig stanza in server.conf, except for sslVerifyServerCert, sslAltNameToCheck, and sslCommonNameToCheck. Therefore, if you run into issues, consult the server.conf SSL settings in addition to the remote-storage-specific settings.
Specify SSL settings on a per-remote-volume basis.
Note that sslVerifyServerCert validates the certificate chain presented by the endpoint; the certificate is matched against the endpoint hostname only if you also set sslAltNameToCheck or sslCommonNameToCheck. Set one of them so that a valid certificate for some other host cannot be substituted for the S3 endpoint's.
The following table includes common attributes and their recommended values.
SSL setting | Description | Recommended value |
---|---|---|
remote.s3.sslVerifyServerCert | Specifies whether to check the server certificate presented by the S3 endpoint. | true |
remote.s3.sslVersions | The SSL/TLS versions the indexer is allowed to negotiate with S3. | tls1.2 |
remote.s3.sslAltNameToCheck | List of subject alternative names in the certificate presented by the server to match against. For example, s3.<region>.amazonaws.com. | N/A (site-specific) |
remote.s3.sslRootCAPath | Absolute path to the PEM format file containing the list of root certificates. | N/A (site-specific) |
remote.s3.cipherSuite | Ciphers to use to connect with S3. | Check with your security experts. For the format of the value, see remote.s3.kms.cipherSuite in the sse-c example later in this topic. |
remote.s3.ecdhCurves | ECDH curves to send. | Check with your security experts. For the format of the value, see remote.s3.kms.ecdhCurves in the sse-c example later in this topic. |
Encrypt the data on the remote store
SmartStore supports server-side encryption of data at rest on S3. SmartStore supports three encryption schemes, selected through the remote.s3.encryption attribute in indexes.conf:

remote.s3.encryption = sse-s3 | sse-kms | sse-c | none

The default is "none", that is, no encryption on the remote store.
Configure this attribute on a per-volume basis.
The recommended method for encryption on the remote store is sse-c (server-side encryption with customer-provided keys) with a KMS-generated key. Because the indexer requests a data key from KMS only once per key refresh interval and supplies that key to S3 with each upload, rather than S3 calling KMS for every object as with sse-kms, this method avoids KMS request throttling.
Choosing the encryption method is a one-time decision. You cannot change the encryption method later.
See the indexes.conf spec file for detailed information on each of these settings. Also, read the Amazon documentation for configuring server-side encryption.
Encryption occurs at the time of data upload. When you configure encryption for the remote volume, you do not cause data already on the volume to be encrypted.
If you disable encryption, you do not cause existing encrypted data to be decrypted. Any encrypted data becomes unusable, because Splunk Enterprise cannot decrypt it.
Encryption with sse-c
Here is an example of setting server-side encryption with customer-provided keys generated through KMS:

```
[volume:example_volume]
remote.s3.encryption = sse-c
remote.s3.encryption.sse-c.key_type = kms
remote.s3.encryption.sse-c.key_refresh_interval = 86400
# 86400 equals 24 hours. This is the default and recommended value. The minimum value is 3600.
# Setting a very low value can degrade performance.
remote.s3.kms.auth_region = <aws_region>
remote.s3.kms.key_id = <kms_keyid>
# The kms_keyid must be a unique key ID, the Amazon Resource Name (ARN) of the CMK,
# or the name or ARN of an alias that points to the CMK.
# SSL settings for KMS communication
remote.s3.kms.sslVerifyServerCert = true
remote.s3.kms.sslVersions = tls1.2
remote.s3.kms.sslAltNameToCheck = kms.<aws_region>.amazonaws.com
remote.s3.kms.sslRootCAPath = $SPLUNK_HOME/etc/auth/kms_rootcert.pem
remote.s3.kms.cipherSuite = ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256
remote.s3.kms.ecdhCurves = prime256v1, secp384r1, secp521r1
```

Comments in Splunk .conf files begin with #. The cipher list above illustrates the format only; it includes suites without forward secrecy (for example AES128-SHA), so trim it to your organization's policy rather than copying it as is.
Encryption with sse-s3
Here is an example of setting server-side encryption with AES256 keys managed by S3:

```
[volume:example_volume]
remote.s3.encryption = sse-s3
```

Encryption with sse-kms
Here is an example of setting server-side encryption with KMS-managed keys:

```
[volume:example_volume]
remote.s3.encryption = sse-kms
remote.s3.kms.key_id = <kms_keyid>
```
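As an added example that is not part of this Splunk topic or of Splunk Enterprise, the following Python script audits the remote volume stanzas of an indexes.conf against the recommendations in this topic: no hardcoded S3 keys, an https:// endpoint, server certificate verification bound to the endpoint hostname, TLS 1.2 only, and server-side encryption enabled with a key refresh interval at or above the documented minimum. The embedded indexes.conf is constructed for the example and contains one deliberately weak volume beside a hardened one; the bucket names, KMS alias and certificate paths are placeholders.

```python
"""Offline audit of SmartStore S3 volume stanzas in indexes.conf (added example, not Splunk code)."""
import configparser
import json

PINNED_TLS = {"tls1.2", "tls1.3"}   # versions we accept in remote.s3.sslVersions
MIN_KEY_REFRESH = 3600              # documented minimum for sse-c key_refresh_interval

# Constructed sample indexes.conf: a weak volume and a hardened one (placeholder names/paths).
SAMPLE_INDEXES_CONF = """\
[volume:weak_volume]
storageType = remote
path = s3://example-bucket-weak
remote.s3.endpoint = http://s3-us-west-2.amazonaws.com
remote.s3.access_key = AKIAEXAMPLEEXAMPLE
remote.s3.secret_key = examplesecretexamplesecretexamplesecret
remote.s3.sslVerifyServerCert = false
remote.s3.sslVersions = tls1.0, tls1.1, tls1.2
remote.s3.encryption = none

[volume:hardened_volume]
storageType = remote
path = s3://example-bucket-hardened
remote.s3.endpoint = https://s3-us-west-2.amazonaws.com
# No access/secret key: credentials come from the EC2 instance IAM role.
remote.s3.sslVerifyServerCert = true
remote.s3.sslVersions = tls1.2
remote.s3.sslAltNameToCheck = s3.us-west-2.amazonaws.com
remote.s3.sslRootCAPath = $SPLUNK_HOME/etc/auth/s3_rootcert.pem
remote.s3.encryption = sse-c
remote.s3.encryption.sse-c.key_type = kms
remote.s3.encryption.sse-c.key_refresh_interval = 86400
remote.s3.kms.auth_region = us-west-2
remote.s3.kms.key_id = alias/splunk-smartstore
remote.s3.kms.sslVerifyServerCert = true
remote.s3.kms.sslVersions = tls1.2
remote.s3.kms.sslAltNameToCheck = kms.us-west-2.amazonaws.com
remote.s3.kms.sslRootCAPath = $SPLUNK_HOME/etc/auth/kms_rootcert.pem
"""


def parse_indexes_conf(text):
    """Parse indexes.conf text into {stanza: {key: value}}, keeping key case and '$' literals."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # remote.s3.sslVerifyServerCert must stay case-sensitive
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def uses_kms(settings):
    """True when the volume talks to KMS: sse-kms, or sse-c with a KMS-generated key."""
    enc = settings.get("remote.s3.encryption", "").strip().lower()
    key_type = settings.get("remote.s3.encryption.sse-c.key_type", "").strip().lower()
    return enc == "sse-kms" or (enc == "sse-c" and key_type == "kms")


def audit_volume(settings):
    """Return a list of findings (strings) for one remote volume stanza; empty means clean."""
    def g(key):
        return settings.get(key, "").strip()

    findings = []
    if g("remote.s3.access_key") or g("remote.s3.secret_key"):
        findings.append("S3 keys hardcoded in indexes.conf; prefer the EC2 instance IAM role")
    if g("remote.s3.endpoint") and not g("remote.s3.endpoint").lower().startswith("https://"):
        findings.append("remote.s3.endpoint is not an https:// URL")

    # The same TLS checks apply to the S3 endpoint and, when KMS is in use, to the KMS endpoint.
    for prefix in ("remote.s3", "remote.s3.kms"):
        if prefix == "remote.s3.kms" and not uses_kms(settings):
            continue
        if g(f"{prefix}.sslVerifyServerCert").lower() != "true":
            findings.append(f"{prefix}.sslVerifyServerCert is not true")
        elif not (g(f"{prefix}.sslAltNameToCheck") or g(f"{prefix}.sslCommonNameToCheck")):
            findings.append(f"{prefix}: chain verified but no alt/common name check binds it to the endpoint")
        versions = {v.strip().lower() for v in g(f"{prefix}.sslVersions").split(",") if v.strip()}
        if not versions:
            findings.append(f"{prefix}.sslVersions not set; inherits sslConfig from server.conf")
        elif versions - PINNED_TLS:
            findings.append(f"{prefix}.sslVersions permits {sorted(versions - PINNED_TLS)}")

    enc = g("remote.s3.encryption").lower() or "none"
    if enc == "none":
        findings.append("remote.s3.encryption is none; data at rest on the remote store is unencrypted")
    if uses_kms(settings) and not g("remote.s3.kms.key_id"):
        findings.append("KMS in use but remote.s3.kms.key_id is not set")
    if enc == "sse-c":
        interval = g("remote.s3.encryption.sse-c.key_refresh_interval")
        if interval and int(interval) < MIN_KEY_REFRESH:
            findings.append(f"sse-c key_refresh_interval {interval} is below the minimum {MIN_KEY_REFRESH}")
    return findings


def audit_indexes_conf(text):
    """Audit every [volume:...] stanza with storageType = remote; return {volume name: [findings]}."""
    return {name.split(":", 1)[1]: audit_volume(cfg)
            for name, cfg in parse_indexes_conf(text).items()
            if name.startswith("volume:") and cfg.get("storageType", "").strip() == "remote"}


if __name__ == "__main__":
    print(json.dumps(audit_indexes_conf(SAMPLE_INDEXES_CONF), indent=2))
```

Point audit_indexes_conf at the contents of the merged configuration (for example the output of splunk btool indexes list) rather than a single file, since volume settings can be split across apps. The hardened volume produces no findings; the weak one reports the hardcoded keys, the plain-http endpoint, the disabled certificate check, the legacy TLS versions, and the missing encryption.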
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6