Currently my Splunk index only has aws:config:rule and aws:config:notification events. There are no aws:config snapshot events, so the topology feature doesn't work. I have set up the old Config input that takes in an SQS per region. Every Config service in every other account has its delivery channel send to a central SNS in the same region, which then sends to the SQS that Splunk queries.
The dev manager of the AWS app said
The initial inventory get populated by
triggering a AWS Config Snapshot. When
you add a Config input, the snapshot
will be triggered automatically,
unless your IAM user don't have such
permission.
(see https://answers.splunk.com/answers/337327/splunk-app-for-aws-will-my-current-configuration-f.html answer).
My IAM user has the proper permission (config:DeliverConfigSnapshot). But no snapshot was triggered or imported. I even manually triggered a Config snapshot via the CLI as recommended in https://answers.splunk.com/answers/378001/aws-app-description-vs-config.html, but that did not do anything.
For context, I also have some Config Rule inputs set up beforehand that I did not touch during this whole process.
Thoughts on how I can get my Splunk app to populate with aws:config events??
