Docs » Connect to your cloud service provider » Connect to AWS and send data to Splunk Observability Cloud » Connect to AWS using the guided setup in Splunk Observability Cloud

Connect to AWS using the guided setup in Splunk Observability Cloud 🔗

If you have administrator privileges for Splunk Observability Cloud and your Amazon Web Services (AWS) account, you can use guided setup to do the following:

  • Connect AWS to Observability Cloud.

  • Configure metrics and logs collection.

For other ways to connect Observability Cloud to AWS, see Connect to AWS and send data to Splunk Observability Cloud.

Access the guided setup for AWS integration 🔗

To access the guided setup for AWS integration, perform the following steps:

  1. Log in to Splunk Observability Cloud.

  2. Select Data Setup from the navigation menu.

  3. In the Connect Your Data page, select the tile for Amazon Web Services.

  4. Follow the steps provided in the guided setup.

  5. For the authentication step of establishing a connection between your AWS account and Splunk Observability Cloud, do one of the following:

    • In most AWS regions, use the Identity and Access Management (IAM) policy created through the guided setup.

    • For the GovCloud or China regions, select the option to authenticate using a secure token.


While choosing data sources, you might encounter an option to import all data from built-in CloudWatch namespaces. In such a case, select that option to ensure that out-of-the-box dashboards display automatically.

If you run into a problem, guided setup displays an error message in context at the step with the problem. The error message summarizes and suggests a fix for that problem. If more error detail is available, you can click on the error summary to expand and display additional details.

See also Getting data in for AWS CloudWatch on the Splunk YouTube channel for an instructional video that describes how to get AWS CloudWatch data into Splunk Observability Cloud.

Create an AWS IAM policy 🔗

The AWS IAM policy is a JSON object to which Observability Cloud refers for permission to collect data from every supported AWS service.

If this is the first time you have connected Observability Cloud to Amazon CloudWatch, or if you want to create a new AWS IAM policy, follow these steps. If you have already installed at least one AWS integration and want to reuse the same IAM policy, skip to the Create an AWS IAM role section.

  1. Log into your Amazon Web Services account.

  2. From the Services list, select IAM to open Identity and Access Management.

  3. Click Policies > Create Policy.

  4. Click the JSON tab.

  5. Delete the text shown under the JSON tab so that you can replace it with the code stanza shown below and also in the “Prepare AWS Account” step of the guided setup.

  6. Select Review policy.

  7. Give the policy a name and, optionally, a description.

  8. Select Create policy.

While preparing your AWS account, guided setup prompts you to copy the default IAM policy to connect your AWS account to Splunk Observability Cloud.


The default IAM policy supports metrics and logs collection. To add support for CloudWatch Metric Streams, add the permissions shown in the “Enable CloudWatch Metric Streams” section.

Create an AWS IAM role 🔗

Your AWS account includes IAM in its list of services. After creating an AWS IAM policy, you assign that policy to a particular role by performing the following steps at the Amazon Web Services console:

  1. Select Roles > Create Role.

  2. Select Another AWS account as the type of trusted entity.

  3. Copy and paste the Account ID displayed in guided setup into the Account ID field.

  4. Select Require external ID.

  5. Copy and paste the External ID displayed in guided setup into the External ID field.

  6. Click Next: Permissions.

  7. Under Policy name, select the policy you made in the previous step.

  8. Click through Next: Tags and Next: Review.

  9. Name your new AWS IAM role. You also have the option of adding a short description for it.

  10. Click Create role.

Creating the AWS IAM role generates the Role ARN used to establish connection with AWS, after you attach the permissions policy to the role.

Revise default AWS integration settings 🔗

After creating an AWS IAM policy and assigning it to a particular role through the guided setup, you can modify your configuration as follows:

  • Limit the scope of data collection in either of the following ways: - Use checkbox options in the guided setup to limit the scope of your data collection. - Use the AWS console to revise the contents of the Action and Resource fields.

  • Add permissions for CloudWatch Metric Streams to your IAM policy.

  • Select a CloudFormation template to collect logs for each AWS region that you want to operate in.

Enable CloudWatch Metric Streams 🔗

CloudWatch settings gather metrics at the polling interval you specify, with one minute as the minimum unit. The API metric polling rate is expressed in seconds. For example, a value of 300 polls metrics once every 5 minutes.

You can enable CloudWatch Metric Streams rather than metrics gathered through API polling if you connect to AWS through the Splunk Observability API. See Enable CloudWatch Metric Streams through the API for details.

Choose a CloudFormation template 🔗

You choose a CloudFormation template depending on your deployment method (for example, per AWS region or per AWS account) and integration type (for example, logs only, metric streams only, or both).

Even if you don’t intend to use both logs and metrics functions, you can safely deploy a CloudFormation template, because unused infrastructure does not generate costs.

From the CloudFormation templates table, select the QuickLink for a template with support for metric streams or logs. The QuickLink automatically opens the AWS Management Console in the last region that you used, but you can optionally select another region in the AWS Management Console.

If the prepopulated CloudFormation template does not meet your needs, create required resources using CloudFormation manually by following these steps:

  1. Select the Hosted template link to download and modify the template you choose.

  2. In the Quick Create stack dialog box for the selected template, enter the access token for your organization.

  3. Select Create stack.

  4. Use an API call to enable CloudWatch Metric Streams. See Enable CloudWatch Metric Streams through the API

You can optionally use AWS CloudFormation StackSets to work simultaneously across multiple AWS regions after configuring the StackSet prerequisites for self-managed permissions. See Amazon Web Services documentation for configuring StackSet prerequisites at

CloudFormation templates

Supports Log collection

Supports Metric Streams

Deployment type


Hosted template link



once per account (using StackSets)

deploy this



in each region

deploy this in every region



once per account (using StackSets)

deploy this



in each region

deploy this in every region



once per account (using StackSets)

deploy this



in each region

deploy this in every region

After you connect Splunk Observability Cloud with AWS, you can use Observability Cloud to track a series of metrics and analyze your AWS data in real time. See AWS metrics for a list of the available AWS resources.