All Apps and Add-ons

How to configure Splunk to use a KMS key to decrypt s3 logs via the Splunk Add-on for AWS?

Glasses
Builder

I was able to successfully read logs from an s3 bucket, with Splunk using AWS add-on configured with an account with a KeyID and Secret Key.

Recently the logs were encrypted via KMS. Now the logs are coming in garbled - because splunk cannot decrpyt.

I am unable to find clear documentation/steps to install the KMS key for splunk to decrypt the logs.

Any direction appreciated.

Thank you!

dbarrpsu
Explorer

The IAM user/group or role you're using for collection needs permissions to decrypt using the key, specifically the "kms:Decrypt" action. This can be scoped to just the KMS key used on the bucket you're collecting from. An example policy document:

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "kms:Decrypt",
        "Resource": "ARN-OF-KMS-KEY"
      }
    ]
}
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...