Docs » Connect to your cloud service provider » Connect AWS to Splunk Observability Cloud » AWS authentication, permissions, and supported regions

AWS authentication, permissions, and supported regions 🔗

To connect your AWS services to Splunk Observability Cloud you need:

Authenticate in AWS using a security token 🔗

For the GovCloud or China regions, select the option to authenticate using a secure token, which combines an Access key ID and Secret access key you’ll create in your AWS Console.

When you’re creating the new permission for your user and are prompted for an access key practice, select Third-party service.

Required permissions 🔗


The list of permissions described in this section is updated frequently. If you connected your AWS services to Splunk Observability Cloud a while ago you might need to update them.

These are the required permissions to collect AWS data:

Required permissions in Splunk Observability Cloud 🔗

Regardless of the services you want to use, you need the following permissions:

  • organizations:DescribeOrganization. Only needed when Amazon cost and usage metrics are activated.

  • ec2:DescribeRegions

  • tag:GetResources

Permissions for the CloudWatch API 🔗

Besides the required permissions, include these permissions to allow Splunk Observability Cloud to collect AWS metrics using the CloudWatch API:

  • cloudwatch:GetMetricData

  • cloudwatch:ListMetrics

For example:

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": [
      "Resource": "*"

Permissions for Splunk-managed Metric Streams 🔗


If you’re using AWS-managed Metric Streams these permissions are not required. For more information, see Connect Splunk Observability Cloud with AWS-managed Metric Streams.

If you’re using Splunk-managed Metric Streams to collect AWS CloudWatch metrics, you need the permissions required for Splunk Observability Cloud as well as these permissions:

  • "cloudwatch:DeleteMetricStream"

  • "cloudwatch:GetMetricStream"

  • "cloudwatch:ListMetricStreams"

  • "cloudwatch:ListMetrics"

  • "cloudwatch:PutMetricStream"

  • "cloudwatch:StartMetricStreams"

  • "cloudwatch:StopMetricStreams"

  • "iam:PassRole"

These permissions include the MetricStream phrase and the iam:PassRole permissions. Note the iam:PassRole permission is restricted to resources matching the arn:aws:iam::*:role/splunk-metric-streams* pattern.

For example:

"Version": "2012-10-17",
"Statement": [
    "Effect": "Allow",
    "Action": [
    "Resource": "*"
    "Effect": "Allow",
    "Action": [
    "Resource": "arn:aws:iam::*:role/splunk-metric-streams*"

Permissions for tag and properties collection 🔗

On top of the required permissions, you also need to include the specific permissions for the services you use in your AWS IAM policy to allow Splunk Observability Cloud to collect specific AWS tags and properties. You’ll be able to use Infrastructure Monitoring to filter metrics based on those tags and properties.

These are these permissions to allow Splunk Observability Cloud to collect AWS tags and properties:

  • "airflow:ListEnvironments"

  • "airflow:GetEnvironment"

  • "apigateway:GET"

  • "autoscaling:DescribeAutoScalingGroups"

  • "cloudformation:ListResources"

  • "cloudformation:GetResource"

  • "cloudfront:GetDistributionConfig"

  • "cloudfront:ListDistributions"

  • "cloudfront:ListTagsForResource"

  • "directconnect:DescribeConnections"

  • "dynamodb:DescribeTable"

  • "dynamodb:ListTables"

  • "dynamodb:ListTagsOfResource"

  • "ec2:DescribeInstances"

  • "ec2:DescribeInstanceStatus"

  • "ec2:DescribeNatGateways"

  • "ec2:DescribeRegions"

  • "ec2:DescribeReservedInstances"

  • "ec2:DescribeReservedInstancesModifications"

  • "ec2:DescribeTags"

  • "ec2:DescribeVolumes"

  • "ecs:DescribeClusters"

  • "ecs:DescribeServices"

  • "ecs:DescribeTasks"

  • "ecs:ListClusters"

  • "ecs:ListServices"

  • "ecs:ListTagsForResource"

  • "ecs:ListTaskDefinitions"

  • "ecs:ListTasks"

  • "elasticache:DescribeCacheClusters"

  • "elasticloadbalancing:DescribeLoadBalancerAttributes"

  • "elasticloadbalancing:DescribeLoadBalancers"

  • "elasticloadbalancing:DescribeTags"

  • "elasticloadbalancing:DescribeTargetGroups"

  • "elasticmapreduce:DescribeCluster"

  • "elasticmapreduce:ListClusters"

  • "es:DescribeElasticsearchDomain"

  • "es:ListDomainNames"

  • "kafka:DescribeClusterV2"

  • "kafka:ListClustersV2"

  • "kinesis:DescribeStream"

  • "kinesis:ListShards"

  • "kinesis:ListStreams"

  • "kinesis:ListTagsForStream"

  • “kinesisanalytics:DescribeApplication”

  • “kinesisanalytics:ListApplications”

  • "kinesisanalytics:ListTagsForResource"

  • "lambda:GetAlias"

  • "lambda:ListFunctions"

  • "lambda:ListTags"

  • "rds:DescribeDBClusters"

  • "rds:DescribeDBInstances"

  • "rds:ListTagsForResource"

  • "redshift:DescribeClusters"

  • "redshift:DescribeLoggingStatus"

  • "s3:GetBucketLocation"

  • "s3:GetBucketTagging"

  • "s3:ListAllMyBuckets"

  • "s3:ListBucket"

  • "states:ListActivities"

  • "states:ListStateMachines"

  • "sqs:GetQueueAttributes"

  • "sqs:ListQueues"

  • "sqs:ListQueueTags"

  • "tag:GetResources"

  • "workspaces:DescribeWorkspaces"


Cassandra permissions are declared as a separate object. See the example below.

Add the "<service>:<permission>" pair relevant to each service in the Action array of the AWS IAM policy JSON. For example:

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": [
      "Resource": "*"
      "Effect": "Allow",
      "Action": [
      "Resource": [

Permissions for usage collection and reports 🔗

Include these permissions to allow Splunk Observability Cloud to collect AWS usage data and reports:

  • "ec2:DescribeRegions"

  • "organizations:DescribeOrganization"

Troubleshoot AWS permission issues 🔗

In case of any permission-related issue, review your AWS Organization Service Control Policy and the permission boundaries for your IAM entities. Both might impose some limits on the AWS policy Splunk Observability Cloud uses to connect to your AWS account.

Read more at the official AWS documentation:

Supported AWS regions 🔗

If you want to activate a specific optional region, you need to do it before adding it to the integration. Make sure you’ve activated the optional regions you’ll need in your AWS console first. Regular regions are activated in AWS by default.

  • If you’re using the UI guided setup to create the integration, you’ll be prompted to select which AWS regions you work with.

  • If you’re using the API and supply an empty list in an API call, Splunk Observability Cloud activates all regular regions. If you add the ec2:DescribeRegions permission to your AWS policy, optional regions you’ve activated on your AWS account are activated in Splunk Observability Cloud as well. Although empty regions list configuration is possible via the API, it is highly discouraged since it can lead to an unexpected cost increase whenever a new region is enabled on the AWS account.


When you edit an existing integration that was configured with an empty list of regions, the UI guided setup will automatically populate the regions list to include regions enabled on your AWS account if your policy contains ec2:DescribeRegions permission. Otherwise, it will populate the list with all regular AWS regions. If you previously created an integration using the UI guided setup and used the default all regions configuration, it also will get migrated accordingly. This migration will not impact what data we currently collect for any edited integrations.

Splunk Observability Cloud supports the following AWS regions:

Regular 🔗

  • ap-northeast-1: Asia Pacific (Tokyo)

  • ap-northeast-2: Asia Pacific (Seoul)

  • ap-northeast-3: Asia Pacific (Osaka)

  • ap-south-1: Asia Pacific (Mumbai)

  • ap-southeast-1: Asia Pacific (Singapore)

  • ap-southeast-2: Asia Pacific (Sydney)

  • ca-central-1: Canada (Central)

  • eu-central-1: Europe (Frankfurt)

  • eu-north-1: Europe (Stockholm)

  • eu-west-1: Europe (Ireland)

  • eu-west-2: Europe (London)

  • eu-west-3: Europe (Paris)

  • sa-east-1: South America (Sao Paulo)

  • us-east-1: US East (N. Virginia)

  • us-east-2: US East (Ohio)

  • us-west-1: US West (N. California)

  • us-west-2: US West (Oregon)

Optional 🔗

  • af-south-1: Africa (Cape Town)

  • ap-east-1: Asia Pacific (Hong Kong)

  • ap-south-2: Asia Pacific (Hyderabad)

  • ap-southeast-3: Asia Pacific (Jakarta)

  • ap-southeast-4: Asia Pacific (Melbourne)

  • eu-central-2: Europe (Zurich)

  • eu-south-1: Europe (Milan)

  • eu-south-2: Europe (Spain)

  • me-central-1: Middle East (UAE)

  • me-south-1: Middle East (Bahrain)

GovCloud 🔗

  • us-gov-east-1: AWS GovCloud (US-East)

  • us-gov-west-1: AWS GovCloud (US-West)

China 🔗

  • cn-north-1: China (Beijing)

  • cn-northwest-1: China (Ningxia)