Splunk® Light

Installation Manual

Get started with the Splunk App for AWS

The Splunk App for AWS provides end-to-end insights into the security, operational, and cost management aspects of your AWS environment. The app includes:

  • A knowledge base of dashboards, reports, and alerts that deliver real-time visibility into your environment
  • Data inputs for AWS Config, Config Rules, CloudWatch, CloudTrail, Billing, S3, VPC Flow Log, Inspector, and Metadata
  • A logical topology dashboard that displays your entire AWS infrastructure

Follow the steps in this topic to configure your AWS account and the Splunk App for AWS.

Plan and review prerequisites

Review the following prerequisites before you install and configure the Splunk App for AWS:

  • You need AWS Admin role permissions.
  • Determine the IAM policy you will use for data collection:
    • EC2 Role (more secure): Attach an EC2 role to the Splunk App for AWS.
    • IAM AssumeRole (more secure): Grant a primary AWS account access to collect data from multiple sub-accounts using the AssumeRole API.
    • IAM Access Key (less secure): Enter an AWS user Key ID and Secret Key as a new account in the Splunk App for AWS.
  • Ensure that you have enough disk space available for data collection and retention. For best performance, consider adding Amazon Elastic Block Store (Amazon EBS), which provides network-attached storage (NAS) for use with your EC2 instances. For more information about Amazon EBS Volumes, see Amazon EBS Volumes on the AWS website.

Configure services in the AWS Management Console

Before the Splunk App for AWS can collect data from your AWS account, you must enable or configure the services that produce the data (AWS Config, CloudTrail, etc.). Be sure to enable all AWS services. Otherwise, some of the dashboards in the Splunk App for AWS will not fully populate.

For information about configuring AWS services, see Configure AWS services for the Splunk Add-on for AWS.

Install the App and Add-on

Skip this step if you are configuring the Splunk Insights for AWS Cloud Monitoring AMI. The AMI includes the App and Add-on.

You must install the Add-on for the App to function. If you have a Splunk Light on-premises or cloud instance, perform the following steps:

  1. Install the Splunk Add-on for AWS.
    1. In Splunk Light, go to the sidebar menu and select Data > Apps and Add-ons.
    2. Find the Splunk Add-on for AWS and click Install.
    3. Enter your splunk.com username and password.
    4. Select that you have read the terms and conditions of the license agreement.
    5. Click Login and install.
    6. Restart Splunk Light. The add-on shows as enabled.
  2. Install the Splunk App for AWS.
    1. In Splunk Light, go to the sidebar menu and select Data > Apps and Add-ons.
    2. Find the Splunk App for AWS and click Install.
    3. Enter your splunk.com username and password.
    4. Select that you have read the terms and conditions of the license agreement.
    5. Click Login and install.
    6. Restart Splunk Light. The app shows as enabled.

Configure Identity and Access Management (IAM) policies for data collection

You have three options to configure the IAM policies required for data collection:

  • EC2 Role (more secure): Attach an EC2 role to the Splunk App for AWS.
  • IAM AssumeRole (more secure): Grant a primary AWS account access to collect data from multiple sub-accounts using the AssumeRole API.
  • IAM Access Key (less secure): Enter an AWS user Key ID and Secret Key as a new account in the Splunk App for AWS.

Configuring EC2 Roles is the preferred option for organizations that have tight security controls and do not give out access keys.

Configure an EC2 Role

  1. Create an IAM policy for your EC2 instance. See Creating Policies on the JSON Tab on the AWS website. Ensure this policy has all of the required permissions specified in Configure AWS permissions for the Splunk Add-on for AWS. If this policy does not include permissions required for all inputs, you need to configure an AWS account that includes permissions for inputs that are not included in this policy.
  2. Create an IAM Role for your IAM policy. See Creating an IAM Role on the AWS website.
  3. Attach the IAM Role to the EC2 instance running Splunk Light. See Attaching an IAM Role to an Instance on the AWS website.
  4. In Splunk Light, from the sidebar menu, select Data > Apps and Add-ons.
  5. In the Splunk Add-on for AWS window, click Open.
  6. Under the Data section on the right side of the window, click Add Data.
  7. From the top bar menu, click Configuration.
  8. Select the Account tab.
  9. Confirm that the IAM role appears as an Autodiscovered IAM Role.

Configure an IAM AssumeRole

  1. Create an IAM policy for your EC2 instance. See Creating Policies on the JSON Tab on the AWS website. Ensure this policy has all of the required permissions specified in Configure AWS permissions for the Splunk Add-on for AWS. If this policy does not include permissions required for all inputs, you need to configure an AWS account that includes permissions for inputs that are not included in this policy.
  2. Create an IAM AssumeRole for your IAM policy. See Creating an IAM Role (Console) on the AWS website.
  3. Attach the IAM AssumeRole to the EC2 instance running Splunk Light. See Attaching an IAM Role to an Instance on the AWS website.
  4. In Splunk Light, from the sidebar menu, select Data > Apps and Add-ons.
  5. In the Splunk Add-on for AWS window, click Open.
  6. Under the Data section on the right side of the window, click Add Data.
  7. From the top bar menu, click Configuration.
  8. Select the Account tab.
  9. Confirm that the IAM AssumeRole appears as an Autodiscovered IAM Role.
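
The AssumeRole option depends on each sub-account role carrying a trust policy that names only the primary account. The following is an added example, not part of the Splunk documentation, that audits such a trust policy document before you rely on it; the account IDs and the role name splunk-collector are constructed placeholders, and Condition blocks are not evaluated.

```python
import json

# Constructed sample: trust policy on a sub-account role. The account ID and
# the role name "splunk-collector" are placeholders, not values from the docs.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/splunk-collector"},
        "Action": "sts:AssumeRole",
    }],
})

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM accepts a single string or a list for Principal and Action values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, primary_account_id):
    """Return findings for Allow statements that grant sts:AssumeRole.

    An empty list means only principals in the primary account are trusted.
    """
    findings, trusts_primary = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            principal = {"AWS": principal}  # "Principal": "*" shorthand
        for kind, values in principal.items():
            for value in _as_list(values):
                if value == "*":
                    findings.append("wildcard principal can assume this role")
                elif kind == "AWS" and (value == primary_account_id or
                        value.startswith(f"arn:aws:iam::{primary_account_id}:")):
                    trusts_primary = True
                else:
                    findings.append(f"unexpected {kind} principal: {value}")
    if not trusts_primary:
        findings.append("primary account is not trusted by this role")
    return findings
```

Run the check against the trust policy of every sub-account role the primary account is expected to assume, and treat any non-empty result as a reason to review the role before configuring inputs against it.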

Configure an IAM Access Key

  1. In Splunk Light, from the sidebar menu, select Data > Apps and Add-ons.
  2. In the Splunk Add-on for AWS window, click Open.
  3. Under the Data section on the right side of the window, click Add Data.
  4. From the top bar menu, click Configuration.
  5. Select the Account tab.
  6. Click Add.
    1. Enter a Name for the AWS account. You cannot change the Name once you add the account.
    2. Enter the credentials (Key ID and Secret Key) for an account that the Splunk App for AWS uses to access your AWS data. The account you configure here must have adequate permissions to access the AWS data that you want to collect. See Configure AWS permissions for the Splunk Add-on for AWS for more information.
    3. Select the Region Category for the account. The most common is Global.
  7. Click Add.

Configure inputs

To take full advantage of the dashboards, reports, and alerts, configure all the data sources.

See Configure inputs for the Splunk Add-on for AWS for information about configuring data sources.

  1. In Splunk Light, from the sidebar menu, select Data > Apps and Add-ons.
  2. In the Splunk Add-on for AWS window, click Open.
  3. Under the Data section on the right side of the window, click Add Data.
  4. From the top bar menu, click Inputs.
  5. Click Create New Input.
  6. Select the Data Type and Input Type for the data source that you want to add. For information about a specific data source, click the Learn more link in the AWS Input Configuration window.

Next steps

See the following for information about the tools available in the Splunk App for AWS to analyze your AWS data.

This documentation applies to the following versions of Splunk® Light: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1

