Configure the Splunk Add-on for AWS
Before configuring your Splunk platform deployment to work with your AWS data, make sure that your AWS deployment is properly configured to send data.
Prerequisites
- You must have administrator access to your AWS account. If you do not have necessary permissions, work with an AWS administrator to complete the tasks described in this manual.
If your account is in the AWS China region, the add-on only supports the services that AWS supports in that region. For an up-to-date list of what products and services are supported in this region, see AWS China Products or AWS product services.
If your account is in the AWS GovCloud region, the add-on only supports the services that AWS supports in that region. For an up-to-date list of what services and endpoints are supported in this region, see the AWS GovCloud User Guide
Configure AWS Config
The Splunk Add-on for AWS collects events from a Simple Queue Service (SQS) that subscribes to the Simple Notification Service (SNS) notification events from AWS Config. Configure AWS Config to produce SNS notifications, and then create the SQS that the add-on can access. For more information about AWS Config, see the AWS Config documentation.
- Enable AWS Config by following the AWS Config setup guide.
- Specify a new S3 bucket to save the data and an SNS Topic to which Splunk software will stream Config notifications. Do not use an existing bucket or SNS.
- Verify that you have successfully completed the setup process. If you used the AWS console, the Resource Lookup page displays.
- Create a new SQS.
- Subscribe the SQS exclusively to the SNS Topic that you created in Step 2.
- Grant IAM permissions to access the S3 bucket and SQS to the AWS account that the add-on uses to connect to your AWS environment.
Before you can configure Splunk Cloud or Splunk Enterprise to work with your AWS data, you must set up accounts in Amazon Web Services.
Create an IAM role and assign it to your AWS account
To configure AWS accounts and permissions, you must have administrator rights in the AWS Management Console. If you do not have administrator access, work with your AWS admin to set up the accounts with the required permissions.
- To let the Splunk Add-on for Amazon Web Services access the data in your AWS account, you assign an IAM role to one or more AWS accounts. You then grant those roles the permissions that are required by the AWS account.
- If you run this add-on on a Splunk platform instance in your own managed Amazon Elastic Compute Cloud (EC2), then assign that EC2 to a role and give that role the IAM permissions listed here.
Manage IAM policies
There are three ways to manage policies for your IAM roles:
- Use the AWS Policy Generator tool to collect all permissions into one centrally managed policy. You can apply the policy to the IAM group that is used by the user accounts or the EC2s that the Splunk Add-on for AWS uses to connect to your AWS environment.
- Create multiple different users, groups, and roles with permissions specific to the services from which you plan to collect data.
- Copy and paste the sample policies provided on this page and apply them to an IAM Group as custom inline policies. To further specify the resources to which the policy grants access, replace the wildcards with the exact Amazon Resource Names (ARNs) of the resources in your environment.
For more information about working with inline policies, see Managing IAM Policies in the AWS documentation.
Configure AWS permissions for the Config input
Set the following permissions in your AWS configuration:
- For the S3 bucket that collects your Config logs:
GetObject
GetBucketLocation
ListBucket
ListAllMyBuckets
- For the SQS subscribed to the SNS Topic that collects Config notifications:
GetQueueAttributes
ListQueues
ReceiveMessage
GetQueueUrl
SendMessage
DeleteMessage
- For the Config snapshots:
DeliverConfigSnapshot
- For the IAM user to get the Config snapshots:
GetUser
See the following sample inline policy to configure Config input permissions:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation", "s3:ListAllMyBuckets" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "sqs:ListQueues", "sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:SendMessage", "sqs:GetQueueUrl", "sqs:DeleteMessage" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "config:DeliverConfigSnapshot" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iam:GetUser" ], "Resource": [ "*" ] } ] }
For more information and sample policies, see the following AWS documentation:
- For SQS, see http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/UsingIAM.html.
- For S3, see http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html.
Manage your accounts, proxy connections, and log levels for the Splunk Add-on for AWS on your data collection node.
The Splunk Add-on for AWS supports two ways to interact with AWS to collect data:
- Using EC2 (Elastic Compute Cloud) IAM (Identity and Access Management) roles.
- Using AWS user accounts.
Add and manage AWS accounts
Perform the following steps to add an AWS account:
- In the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
- Click Configuration in the app navigation bar. The add-on displays the Account tab.
- Click Add.
- Name the AWS account. You cannot change this name once you configure the account.
- Enter the Key ID and Secret Key credentials for the AWS account that the Splunk platform uses to access your AWS data. The accounts that you configure must have the necessary permissions to access the AWS data that you want to collect.
- Select the Region Category for the account. The most common category is Global.
- Click Add.
Edit existing accounts by clicking Edit in the Actions column.
Delete an existing account by clicking Delete in the Actions column. You cannot delete accounts that are associated with any inputs, even if those inputs are disabled. To delete an account, delete the inputs or edit them to use a different account and then delete the account.
To use custom commands and alert actions, you must set up at least one AWS account on your Splunk platform deployment search head or search head cluster.
Add and manage IAM roles
Use the Configuration menu in the Splunk Add-on for AWS to manage AWS IAM roles that can be assumed by IAM users. Adding IAM roles lets the Splunk Add-on for AWS access the following AWS resources:
- Generic S3
- Incremental S3
- SQS-based S3
- Billing
- Description
- Metadata
- CloudWatch
- Kinesis
Add an IAM role
Use the following steps to add an IAM role:
- On the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
- Click Configuration in the app navigation bar, and then click the IAM Role tab.
- Click Add.
- In the Name field, name the role to be assumed by authorized AWS accounts managed on the Splunk platform. You cannot change the name once you configure the role.
- In the ARN field, enter the role's Amazon Resource Name in the valid format:
arn:aws:iam::<aws_resource_id>:role/<role_name>
. - Click Add.
Click Edit in the Actions column to edit existing IAM roles.
Click Delete in the Actions column to delete an existing role. You cannot delete roles associated with any inputs, even if those inputs are disabled. To delete an account, delete the inputs or edit them to use a different assumed role and then delete the role.
Configure a proxy connection
- On the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
- Click Configuration in the app navigation bar.
- Click the Proxy tab.
- Select the Enable box to enable the proxy connection and fill in the fields required for your proxy.
- Click Save.
To disable your proxy but save your configuration, uncheck the Enable box. The add-on stores your proxy configuration so that you can enable it later.
To delete your proxy configuration, delete the values in the fields.
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1
Feedback submitted, thanks!