Having the exact same problem us-gov-west-1. It appears there is some separation when a govcloud account gets set up. Similar to when we request updates to our allowed instances it showed on the wrong side and took week+ to correct.

We are also trying to configure Splunk to gather cloudtrail logs from govcloud. It appears that it is not possible at this time. We have accounts in both the AWS general cloud and govcloud. Splunk gathers cloudtrail logs fine from the general cloud. But Splunk cannot gather cloudtrail logs from govcloud.

The issue appears to be that Splunk is attempting to log into into the general cloud for S3 and cannot find the S3 cloudtrail files for govcloud. All SQS data is correct and retrieved okay. But the aws_cloudtrail.py script fails to find the S3 file. You can see the error very easily by trying to configure a Splunk S3 input with the govcloud user:

Failed to fetch data: In handler 'splunk_ta_aws_s3buckets': Unexpected error "" from python handler: "S3ResponseError: 403 Forbidden InvalidAccessKeyIdThe AWS Access Key Id you provided does not exist in our records.AAAAAAAAAAAAAAAAAAAA8888888888888WWWWWWWWWWWWWW=". See splunkd.log for more details.

This same splunk AWS users works fine when configuring a cloudtrail input and can even find the correct SQS queue. It just fails when it trys to find the S3 file.

Does anyone know how to configure the Splunk AWS add-on to access S3 data in the govcloud region? It seems the Splunk AWS user should have a flag to set if this is a govcloud user.

did you get a chance to look at Splunk Apps for AWS. You can download it from https://apps.splunk.com/app/1274/