Configure the Splunk Add-on for AWS

Before configuring your Splunk platform deployment to work with your AWS data, make sure that your AWS deployment is properly configured to send data.

Prerequisites

• You must have administrator access to your AWS account. If you do not have necessary permissions, work with an AWS administrator to complete the tasks described in this manual.

If your account is in the AWS China region, the add-on only supports the services that AWS supports in that region. For an up-to-date list of what products and services are supported in this region, see AWS China Products or AWS product services.

If your account is in the AWS GovCloud region, the add-on only supports the services that AWS supports in that region. For an up-to-date list of what services and endpoints are supported in this region, see the AWS GovCloud User Guide

Configure AWS Config

The Splunk Add-on for AWS collects events from a Simple Queue Service (SQS) that subscribes to the Simple Notification Service (SNS) notification events from AWS Config. Configure AWS Config to produce SNS notifications, and then create the SQS that the add-on can access. For more information about AWS Config, see the AWS Config documentation.

1. Enable AWS Config by following the AWS Config setup guide.
2. Specify a new S3 bucket to save the data and an SNS Topic to which Splunk software will stream Config notifications. Do not use an existing bucket or SNS.
3. Verify that you have successfully completed the setup process. If you used the AWS console, the Resource Lookup page displays.
4. Create a new SQS.
5. Subscribe the SQS exclusively to the SNS Topic that you created in Step 2.
6. Grant IAM permissions to access the S3 bucket and SQS to the AWS account that the add-on uses to connect to your AWS environment.

Before you can configure Splunk Cloud or Splunk Enterprise to work with your AWS data, you must set up accounts in Amazon Web Services.

Create an IAM role and assign it to your AWS account

To configure AWS accounts and permissions, you must have administrator rights in the AWS Management Console. If you do not have administrator access, work with your AWS admin to set up the accounts with the required permissions.

• To let the Splunk Add-on for Amazon Web Services access the data in your AWS account, you assign an IAM role to one or more AWS accounts. You then grant those roles the permissions that are required by the AWS account.
• If you run this add-on on a Splunk platform instance in your own managed Amazon Elastic Compute Cloud (EC2), then assign that EC2 to a role and give that role the IAM permissions listed here.

Manage IAM policies

There are three ways to manage policies for your IAM roles:

• Use the AWS Policy Generator tool to collect all permissions into one centrally managed policy. You can apply the policy to the IAM group that is used by the user accounts or the EC2s that the Splunk Add-on for AWS uses to connect to your AWS environment.
• Create multiple different users, groups, and roles with permissions specific to the services from which you plan to collect data.
• Copy and paste the sample policies provided on this page and apply them to an IAM Group as custom inline policies. To further specify the resources to which the policy grants access, replace the wildcards with the exact Amazon Resource Names (ARNs) of the resources in your environment.

For more information about working with inline policies, see Managing IAM Policies in the AWS documentation.

Configure AWS permissions for the Config input

Set the following permissions in your AWS configuration:

• For the S3 bucket that collects your Config logs:
  • GetObject
  • GetBucketLocation
  • ListBucket
  • ListAllMyBuckets

• For the SQS subscribed to the SNS Topic that collects Config notifications:
  • GetQueueAttributes
  • ListQueues
  • ReceiveMessage
  • GetQueueUrl
  • SendMessage
  • DeleteMessage

• For the Config snapshots: DeliverConfigSnapshot

• For the IAM user to get the Config snapshots: GetUser

See the following sample inline policy to configure Config input permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow", 
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow", 
            "Action": [
                "sqs:ListQueues",
                "sqs:ReceiveMessage",
                "sqs:GetQueueAttributes",
                "sqs:SendMessage",
                "sqs:GetQueueUrl",
                "sqs:DeleteMessage"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "config:DeliverConfigSnapshot" 
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

For more information and sample policies, see the following AWS documentation:

• For SQS, see http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/UsingIAM.html.
• For S3, see http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html.

Manage your accounts, proxy connections, and log levels for the Splunk Add-on for AWS on your data collection node.

The Splunk Add-on for AWS supports two ways to interact with AWS to collect data:

• Using EC2 (Elastic Compute Cloud) IAM (Identity and Access Management) roles.
• Using AWS user accounts.

Discover an EC2 IAM role

To run a data collection node on your Splunk platform in your own managed AWS environment using commercial regions, set up an IAM role for the EC2, then use that role to configure data collection jobs. The Splunk Add-on for AWS automatically discovers this role once it is set up.

Collecting data using an auto-discovered EC2 IAM role is not supported in the AWS China region.

1. Follow the AWS documentation to set up an IAM role for your EC2: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html.
2. Ensure that this role has adequate permissions. If you do not give this role all of the permissions required for all inputs, configure AWS accounts specific to inputs not covered by the permissions for this role.
3. On the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar..
4. Click Configuration in the app navigation bar. By default, the add-on displays the Account tab.
5. Look for the EC2 IAM role in the Autodiscovered IAM Role column. If you are in your own managed AWS environment and have an EC2 IAM role configured, it appears in this account list automatically.

You can also configure AWS accounts if you want to use both EC2 IAM roles and user accounts to ingest your AWS data.

You cannot edit or delete EC2 IAM roles from the add-on.

Add and manage AWS accounts

Perform the following steps to add an AWS account:

1. In the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
2. Click Configuration in the app navigation bar. The add-on displays the Account tab.
3. Click Add.
4. Name the AWS account. You cannot change this name once you configure the account.
5. Enter the Key ID and Secret Key credentials for the AWS account that the Splunk platform uses to access your AWS data. The accounts that you configure must have the necessary permissions to access the AWS data that you want to collect.
6. Select the Region Category for the account. The most common category is Global.
7. Click Add.

Edit existing accounts by clicking Edit in the Actions column.

Delete an existing account by clicking Delete in the Actions column. You cannot delete accounts that are associated with any inputs, even if those inputs are disabled. To delete an account, delete the inputs or edit them to use a different account and then delete the account.

To use custom commands and alert actions, you must set up at least one AWS account on your Splunk platform deployment search head or search head cluster.

Add and manage IAM roles

Use the Configuration menu in the Splunk Add-on for AWS to manage AWS IAM roles that can be assumed by IAM users. Adding IAM roles lets the Splunk Add-on for AWS access the following AWS resources:

• Generic S3
• Incremental S3
• SQS-based S3
• Billing
• Description
• Metadata
• CloudWatch
• Kinesis

Add an IAM role

Use the following steps to add an IAM role:

1. On the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
2. Click Configuration in the app navigation bar, and then click the IAM Role tab.
3. Click Add.
4. In the Name field, name the role to be assumed by authorized AWS accounts managed on the Splunk platform. You cannot change the name once you configure the role.
5. In the ARN field, enter the role's Amazon Resource Name in the valid format: arn:aws:iam::<aws_resource_id>:role/<role_name>.
6. Click Add.

Click Edit in the Actions column to edit existing IAM roles.

Click Delete in the Actions column to delete an existing role. You cannot delete roles associated with any inputs, even if those inputs are disabled. To delete an account, delete the inputs or edit them to use a different assumed role and then delete the role.

Configure a proxy connection

1. On the Splunk Web home page, click Splunk Add-on for AWS in the left navigation bar.
2. Click Configuration in the app navigation bar.
3. Click the Proxy tab.
4. Select the Enable box to enable the proxy connection and fill in the fields required for your proxy.
5. Click Save.

To disable your proxy but save your configuration, uncheck the Enable box. The add-on stores your proxy configuration so that you can enable it later.

To delete your proxy configuration, delete the values in the fields.