Create the Amazon Security Lake subscriber for federated search access

This topic covers the second part of the Create subscribers step of the workflow for creating an Amazon Security Lake federated provider. You cannot follow this step until you complete the steps that precede it in the federated provider setup workflow. See the checklist of tasks to set up Federated Analytics.

To give Federated Analytics the capacity to run federated searches over the remote datasets that are collected in your Amazon Security Lake account, you must define an Amazon Security Lake subscriber that provides federated search access.

Setting up an Amazon Security Lake subscriber to grant federated search access to your Federated Analytics federated provider requires that you do the following things:

  • First, create an Amazon Security Lake subscriber for federated search access. As you do so, link your Federated Analytics federated provider to that Amazon Security Lake subscriber.
    • In Amazon Security Lake, open a form for a new subscriber for Lake Formation query access.
    • In Federated Analytics, copy the values of the Splunk's AWS account and External ID fields from the Create subscribers page into corresponding fields on the Amazon Security Lake subscriber form.
    • Create the Amazon Security Lake subscriber for Lake Formation query access.
  • Second, link the Amazon Security Lake subscriber for federated search access to your federated provider.
    • In Amazon Security Lake, copy the values of the Resource Share name and Resource Share ARN fields in the detail page of the subscriber you just created.
    • In Federated Analytics, paste those values into the corresponding Resource Share name and Resource Share ARN fields on the Create subscribers page of your federated provider definition.

Prerequisites

  • You must have an AWS account with Amazon Security Lake activated. Your Amazon Security Lake must be in the same AWS Region as your Splunk Cloud Platform deployment.

To allow an Amazon Security Lake subscriber for federated search access to use source data from multiple regions, you can specify the Region where you create the subscriber as a rollup Region and have other AWS Regions contribute data to it. Your Splunk Cloud Platform deployment must belong to the rollup Region.

  • Create only one Amazon Security Lake subscriber for federated search access between your Amazon Security Lake AWS account and the AWS account to which your Splunk Cloud Platform deployment belongs.
For example, say your Amazon Security Lake information is on an AWS account named 123 and your Splunk Cloud Platform deployment is on an AWS account named 456. If you already have an Amazon Security Lake subscriber for federated search access that connects AWS account 123 and AWS account 456, you cannot create a second Amazon Security Lake subscriber for federated search access that also connects those two AWS accounts.
  • Do not reuse an existing Amazon Security Lake subscriber for federated search access.
If you have an Amazon Security Lake subscriber for federated search access in use for an Amazon Security Lake federated provider, and you try to reuse that subscriber for a new Amazon Security Lake federated provider, your attempt to create that new federated provider will fail.
  • Verify that your AWS role has the necessary IAM policies and permissions for subscriber creation, including Lake Formation administrator permissions. Contact your AWS administrator if you need assistance.

For more information about rollup Regions and contributing Regions, see Managing Regions in the Amazon Security Lake User Guide.

For more information about managing AWS roles and permissions, contact your AWS administrator, or see Managing data access for Security Lake subscribers in the Amazon Security Lake User Guide.

Steps

  1. On your Splunk Cloud Platform deployment, in Splunk Web, on the Create subscribers page of the Add a new federated provider workflow, note the value of the AWS region field. This is the AWS Region of your Splunk Cloud Platform deployment.
  2. In the Amazon Security Lake console, use the AWS Region drop-down in the upper-right corner of the page to select the AWS Region to which your Splunk Cloud Platform deployment belongs.

    If your Splunk Cloud Platform deployment's AWS Region contributes to a rollup Region, and you want to be able to search data from the Regions represented by that rollup Region, select the rollup Region.

  3. Follow the instructions at Creating a subscriber with query access in Security Lake in the Amazon Security Lake User Guide to create a subscriber with federated search access.

    While defining the subscriber with query access in the Security Lake console, take note of the following things:
    • Contrary to the note that appears when you select Lake Formation as your data access method, you do not need to visit the AWS Resource Access Manager console to accept the resource share, and you do not have to go to the Lake Formation console to set up cross-account table sharing. Splunk software takes care of these things for you.
    • You are restricted to 10 sources. If you select Specific log and event sources and identify more than 10 sources, you will receive an error message when you try to create the subscriber.

    In the Subscriber credentials section of the Create subscriber form, copy and paste in two values from the Create subscribers page of the Add a new federated provider workflow in Splunk Web. Select the copy icon (two overlapping squares) for each field to ensure an accurate copy and paste operation.
    • Copy the value for the federated provider's Splunk's AWS account field. Paste this value into the Account ID field for the Amazon Security Lake subscriber for federated search access.
    • Copy the value for the federated provider's External ID field. Paste this value into the External ID field for the Amazon Security Lake subscriber for federated search access.

    The External ID for the Amazon Security Lake subscriber for federated search access is different from the External ID for the Amazon Security Lake Subscriber for data ingest. Do not use the data ingest subscriber External ID for the federated search subscriber.

  4. After you create the Amazon Security Lake subscriber for federated search access, open its detail page by selecting its name in the My subscribers list.
  5. In the Create subscribers page of the Add a new federated provider workflow in Splunk Web, copy and paste in two values from the detail page for the Amazon Security Lake subscriber for federated search access. Select the copy icon (two overlapping squares) where it is available to ensure an accurate copy and paste operation.
    • Copy the value for the Resource share name field of the Amazon Security Lake subscriber for federated search access. Paste this value into your federated provider's Resource share name field. The Resource share name must end with the External ID that you supplied to the subscriber form.
    • Copy the value for the Resource share ARN field of the Amazon Security Lake subscriber for federated search access. Paste this value into the federated provider's Resource share ARN field.
  6. Select I confirm that my AWS Glue Data Catalog resources reside in the same AWS region.
  7. Select Continue to move on to the Define provider step, where you will obtain the AWS Glue data catalog database and tables for the federated provider. See Obtain the AWS Glue Data Catalog database and tables.

After you finish setting up the Amazon Security Lake subscriber for federated search access, you must move on to and complete the Define provider step before 12 hours elapse. If you fail to complete the Define provider step within this 12-hour window, the resource share you create in this step will expire and you will have to set up your Amazon Security Lake subscriber for federated search access all over again.
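The prerequisites and steps above amount to a handful of checks on the values you copy between the two consoles: the account ID and External ID going into the subscriber form, the source count, the Region match, the Resource share name ending with the External ID, the Resource share ARN, and the 12-hour expiry of the resource share. The following Python script, an added example that is not Splunk or AWS code, runs those checks on a planned subscriber before you submit the form. All sample values (account IDs, External IDs, source names, the resource share name and ARN, and the timestamps) are constructed; the resource-share ARN pattern is an assumption about the standard AWS RAM ARN format, and the resource share name format is not prescribed by this page beyond its External ID suffix.

```python
"""Pre-flight checks for a Security Lake federated-search subscriber plan.
Added example, not Splunk or AWS code. All sample values are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ACCOUNT_ID_RE = re.compile(r"\d{12}")
# Assumed AWS RAM ARN shape: arn:aws:ram:<region>:<account>:resource-share/<id>
RESOURCE_SHARE_ARN_RE = re.compile(
    r"arn:aws:ram:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):resource-share/[A-Za-z0-9-]+"
)
MAX_SOURCES = 10                        # limit stated in the page
RESOURCE_SHARE_TTL = timedelta(hours=12)  # resource share expires after 12 hours


@dataclass
class SubscriberPlan:
    deployment_region: str      # "AWS region" field on the Create subscribers page
    splunk_account_id: str      # "Splunk's AWS account" field
    external_id: str            # "External ID" field for federated search access
    security_lake_region: str   # Region selected in the Security Lake console
    sources: list[str]          # log and event sources chosen for the subscriber
    resource_share_name: str    # copied back from the subscriber detail page
    resource_share_arn: str     # copied back from the subscriber detail page
    created_at: datetime        # when the subscriber (and resource share) was created
    ingest_external_id: str | None = None  # External ID of the data ingest subscriber, if any


def check_plan(plan: SubscriberPlan, now: datetime) -> list[str]:
    """Return a list of problems; an empty list means the plan passes every check."""
    problems: list[str] = []
    if not ACCOUNT_ID_RE.fullmatch(plan.splunk_account_id):
        problems.append("Splunk's AWS account must be a 12-digit account ID")
    if not plan.external_id:
        problems.append("External ID is required")
    if plan.ingest_external_id and plan.external_id == plan.ingest_external_id:
        problems.append("federated search External ID must differ from the data ingest External ID")
    if plan.security_lake_region != plan.deployment_region:
        problems.append(
            f"subscriber is being created in {plan.security_lake_region} "
            f"but the deployment is in {plan.deployment_region}"
        )
    if len(plan.sources) > MAX_SOURCES:
        problems.append(f"{len(plan.sources)} sources selected; the limit is {MAX_SOURCES}")
    if not plan.resource_share_name.endswith(plan.external_id):
        problems.append("Resource share name must end with the External ID")
    match = RESOURCE_SHARE_ARN_RE.fullmatch(plan.resource_share_arn)
    if match is None:
        problems.append("Resource share ARN does not look like an AWS RAM resource-share ARN")
    elif match.group("region") != plan.deployment_region:
        problems.append(
            f"Resource share ARN is in {match.group('region')}, not {plan.deployment_region}"
        )
    if now - plan.created_at >= RESOURCE_SHARE_TTL:
        problems.append("resource share has expired (12-hour window); recreate the subscriber")
    return problems


def hours_remaining(plan: SubscriberPlan, now: datetime) -> float:
    """Hours left to finish the Define provider step before the resource share expires."""
    return max((RESOURCE_SHARE_TTL - (now - plan.created_at)).total_seconds() / 3600, 0.0)


# Constructed sample data: one plan that passes and one that trips every check.
NOW = datetime(2024, 10, 16, 10, 30, tzinfo=timezone.utc)
EXTERNAL_ID = "fa-example-external-id"
GOOD = SubscriberPlan(
    deployment_region="us-east-1",
    splunk_account_id="111122223333",
    external_id=EXTERNAL_ID,
    security_lake_region="us-east-1",
    sources=["source-a", "source-b", "source-c"],
    resource_share_name=f"share-{EXTERNAL_ID}",
    resource_share_arn="arn:aws:ram:us-east-1:444455556666:resource-share/0f3c2a1e-sample",
    created_at=datetime(2024, 10, 16, 9, 0, tzinfo=timezone.utc),
    ingest_external_id="fa-example-ingest-id",
)
BAD = SubscriberPlan(
    deployment_region="us-east-1",
    splunk_account_id="12345",
    external_id="fa-example-ingest-id",            # reused from the ingest subscriber
    security_lake_region="eu-west-1",
    sources=[f"source-{i}" for i in range(11)],   # one over the limit
    resource_share_name="share-something-else",
    resource_share_arn="arn:aws:ram:eu-west-1:444455556666:resource-share/abc",
    created_at=datetime(2024, 10, 15, 20, 0, tzinfo=timezone.utc),  # 14.5 h ago
    ingest_external_id="fa-example-ingest-id",
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        print(f"{label}: {hours_remaining(plan, NOW):.1f} h left, problems: {check_plan(plan, NOW)}")
```

Run it on the values you intend to paste, before selecting Continue; the expiry check is the one worth re-running if setup is interrupted, since an expired resource share means repeating the whole subscriber setup.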

Last modified on 16 October, 2024
This documentation applies to the following versions of Splunk Cloud Platform: 9.3.2408