
AWS Config snapshots missing


Currently my Splunk index only has aws:config:rule and aws:config:notification events. There are no aws:config snapshot events, so the topology feature doesn't work. I have set up the old Config input that takes in an SQS per region. Every Config service in every other account has its delivery channel send to a central SNS in the same region, which then sends to the SQS that Splunk queries.

The dev manager of the AWS app said:

"The initial inventory gets populated by triggering an AWS Config Snapshot. When you add a Config input, the snapshot will be triggered automatically, unless your IAM user doesn't have such permission."

(see https://answers.splunk.com/answers/337327/splunk-app-for-aws-will-my-current-configuration-f.html answer).

My IAM user has the proper permission (config:DeliverConfigSnapshot). But no snapshot was triggered or imported. I even manually triggered a Config snapshot via the CLI as recommended in https://answers.splunk.com/answers/378001/aws-app-description-vs-config.html, but that did not do anything.

For context, I also have some Config Rule inputs set up beforehand that I did not touch during this whole process.

Thoughts on how I can get my Splunk app to populate with aws:config events?

0 Karma


Update: gave up on this, manually imported Config snapshots with HEC.

0 Karma
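
The HEC workaround mentioned in the update, sketched as an added example (not the poster's script and not Splunk's code): it turns a Config snapshot file into HTTP Event Collector request bodies with sourcetype aws:config. It assumes one event per configuration item; the index, source value and sample snapshot are constructed placeholders.

```python
import gzip
import json
from datetime import datetime

HEC_PATH = "/services/collector/event"   # POST bodies here with header "Authorization: Splunk <token>"

def load_snapshot(raw):
    """Decode a Config snapshot object; the S3 copies are gzip-compressed JSON."""
    if raw[:2] == b"\x1f\x8b":            # gzip magic bytes
        raw = gzip.decompress(raw)
    return json.loads(raw)

def to_epoch(ts):
    """ISO 8601 UTC capture time (e.g. 2016-01-01T00:00:00.000Z) -> epoch seconds."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()

def snapshot_to_hec_events(snapshot, index, source):
    """Yield one HEC envelope per configuration item, tagged sourcetype aws:config."""
    for item in snapshot.get("configurationItems", []):
        envelope = {"sourcetype": "aws:config", "index": index,
                    "source": source, "event": item}
        ts = item.get("configurationItemCaptureTime")
        if ts:                             # keep the item's own capture time as the event time
            envelope["time"] = to_epoch(ts)
        yield envelope

def batch_payloads(events, max_bytes=500_000):
    """Group envelopes into newline-joined request bodies of at most max_bytes."""
    batch, size = [], 0
    for ev in events:
        line = json.dumps(ev, separators=(",", ":"))
        if batch and size + len(line) + 1 > max_bytes:
            yield "\n".join(batch)
            batch, size = [], 0
        batch.append(line)
        size += len(line) + 1
    if batch:
        yield "\n".join(batch)

# Constructed sample snapshot (placeholder account and resource ids, not real data).
SAMPLE = gzip.compress(json.dumps({
    "fileVersion": "1.0",
    "configurationItems": [
        {"configurationItemCaptureTime": "2016-01-01T00:00:00.000Z",
         "awsAccountId": "111111111111", "awsRegion": "us-east-1",
         "resourceType": "AWS::EC2::Instance", "resourceId": "i-00000001"},
        {"configurationItemCaptureTime": "2016-01-01T00:00:05.000Z",
         "awsAccountId": "111111111111", "awsRegion": "us-east-1",
         "resourceType": "AWS::EC2::Volume", "resourceId": "vol-00000001"},
    ]}).encode())
```

Each string yielded by `batch_payloads` is one request body for the HEC endpoint; a search on `sourcetype=aws:config` afterwards confirms whether the items landed in the expected index.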