
AWS Config snapshots missing


Currently my Splunk index only has aws:config:rule and aws:config:notification events. There are no aws:config snapshot events, so the topology feature doesn't work. I have set up the old Config input that takes in an SQS per region. Every Config service in every other account has its delivery channel send to a central SNS in the same region, which then sends to the SQS that Splunk queries.

The dev manager of the AWS app said:

The initial inventory gets populated by triggering an AWS Config Snapshot. When you add a Config input, the snapshot will be triggered automatically, unless your IAM user doesn't have such

(see answer).

My IAM user has the proper permission (config:DeliverConfigSnapshot). But no snapshot was triggered or imported. I even manually triggered a Config snapshot via the CLI as recommended in, but that did not do anything.

For context, I also have some Config Rule inputs set up beforehand that I did not touch during this whole process.

Thoughts on how I can get my Splunk app to populate with aws:config events?

0 Karma


Update: gave up on this, manually imported Config snapshots with HEC.

0 Karma
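The manual HEC import mentioned in the update could look like the following. This is an added example, not code from the original post or from the Splunk AWS app. It assumes that each entry in the snapshot's `configurationItems` list should become its own `aws:config` event; the index name, source name, URL and token are placeholders, and the sample snapshot is constructed.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample in the shape of an AWS Config snapshot file (not real data).
SAMPLE_SNAPSHOT = {
    "fileVersion": "1.0",
    "configurationItems": [
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-EXAMPLE1",
         "awsAccountId": "111111111111", "awsRegion": "us-east-1",
         "configurationItemCaptureTime": "2017-05-01T12:00:00.000Z"},
        # Item without a capture time: HEC will stamp it with the receive time.
        {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-EXAMPLE2",
         "awsAccountId": "111111111111", "awsRegion": "us-east-1"},
    ],
}

def capture_epoch(item):
    """Return the item's capture time as epoch seconds, or None if absent or malformed."""
    raw = item.get("configurationItemCaptureTime")
    if not raw:
        return None
    try:
        parsed = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S.%fZ")
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc).timestamp()

def snapshot_to_hec(snapshot, index="aws", source="manual-config-snapshot"):
    """Build a newline-delimited HEC batch with one event per configuration item.

    index and source are hypothetical defaults; use the values your app searches.
    """
    lines = []
    for item in snapshot.get("configurationItems", []):
        envelope = {"sourcetype": "aws:config", "index": index,
                    "source": source, "event": item}
        ts = capture_epoch(item)
        if ts is not None:
            envelope["time"] = ts  # keep the time Config recorded, not ingest time
        lines.append(json.dumps(envelope, sort_keys=True))
    return "\n".join(lines)

def send(batch, url, token):
    """POST a batch to HEC; url is the collector's /services/collector/event endpoint."""
    req = urllib.request.Request(url, data=batch.encode("utf-8"),
                                 headers={"Authorization": "Splunk " + token})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

After sending, a search for `sourcetype=aws:config` over the snapshot's capture time range shows whether the events landed in the index the app reads.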