We have a very simple AWS GovCloud environment which is accessed by two members of our company. Last week we jumped at the announcement that GovCloud had finally implemented support for CloudTrail. We are now logging GovCloud API calls to our GovCloud S3.
We need help configuring Splunk to access and parse our GovCloud CloudTrail logs.
Thanks for any help you can provide.
Michael Schimpf Advanced Survey Design
Having the exact same problem in us-gov-west-1. It appears there is some separation when a GovCloud account gets set up. Similar to when we request updates to our allowed instances, it showed on the wrong side and took a week+ to correct.
We are also trying to configure Splunk to gather CloudTrail logs from GovCloud. It appears that it is not possible at this time. We have accounts in both the AWS general cloud and GovCloud. Splunk gathers CloudTrail logs fine from the general cloud. But Splunk cannot gather CloudTrail logs from GovCloud.
The issue appears to be that Splunk is attempting to log into the general cloud for S3 and cannot find the S3 CloudTrail files for GovCloud. All SQS data is correct and retrieved okay. But the aws_cloudtrail.py script fails to find the S3 file. You can see the error very easily by trying to configure a Splunk S3 input with the GovCloud user:
Failed to fetch data: In handler 'splunk_ta_aws_s3buckets': Unexpected error "" from python handler: "S3ResponseError: 403 Forbidden
InvalidAccessKeyIdThe AWS Access Key Id you provided does not exist in our records.AAAAAAAAAAAAAAAAAAAA8888888888888WWWWWWWWWWWWWW=". See splunkd.log for more details.
This same Splunk AWS user works fine when configuring a CloudTrail input and can even find the correct SQS queue. It just fails when it tries to find the S3 file.
Does anyone know how to configure the Splunk AWS add-on to access S3 data in the GovCloud region? It seems the Splunk AWS user should have a flag to set if this is a GovCloud user.
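
Added example, not part of any post above and not the Splunk add-on's code: a small diagnostic that reads a CloudTrail notification as delivered through SNS to SQS, and works out which AWS partition and S3 endpoint the log object has to be fetched from. The bucket name, account ID and object key are constructed sample values, and the sketch assumes the bucket sits in the same region that appears in the object key.

```python
import json
import re

# Region prefix -> (partition, DNS suffix). Access keys are only known inside
# their own partition, so a GovCloud key sent to a commercial endpoint is rejected.
PARTITIONS = [
    (re.compile(r"^us-gov-"), "aws-us-gov", "amazonaws.com"),
    (re.compile(r"^cn-"), "aws-cn", "amazonaws.com.cn"),
]
# CloudTrail log objects are written under AWSLogs/<account>/CloudTrail/<region>/...
KEY_RE = re.compile(r"AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/")

def partition_for(region):
    """Map a region name to its partition and endpoint DNS suffix."""
    for pattern, partition, suffix in PARTITIONS:
        if pattern.match(region):
            return partition, suffix
    return "aws", "amazonaws.com"

def s3_targets(sqs_body):
    """Return one dict per log file named in a CloudTrail SNS-over-SQS message."""
    envelope = json.loads(sqs_body)
    message = json.loads(envelope["Message"])  # SNS carries the CloudTrail JSON as a string
    targets = []
    for key in message.get("s3ObjectKey", []):
        m = KEY_RE.search(key)
        if not m:
            continue  # key does not follow the CloudTrail log layout
        region = m.group("region")
        partition, suffix = partition_for(region)
        targets.append({
            "bucket": message["s3Bucket"],
            "key": key,
            "region": region,
            "partition": partition,
            "endpoint": f"s3.{region}.{suffix}",  # assumes bucket is in this region
        })
    return targets

# Constructed sample notification (not taken from the thread).
SAMPLE_KEY = ("AWSLogs/111122223333/CloudTrail/us-gov-west-1/2014/12/20/"
              "111122223333_CloudTrail_us-gov-west-1_20141220T0000Z_EXAMPLE.json.gz")
SAMPLE_BODY = json.dumps({"Type": "Notification", "Message": json.dumps(
    {"s3Bucket": "example-govcloud-trail", "s3ObjectKey": [SAMPLE_KEY]})})

if __name__ == "__main__":
    for target in s3_targets(SAMPLE_BODY):
        print(target["partition"], target["endpoint"], target["key"])
```

If the endpoint printed here differs from the one the collector's S3 client is actually connecting to, the 403 InvalidAccessKeyId above is the expected outcome even though the SQS side works.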