Anyone primarily using Splunk to monitor AWS from a security perspective? If so, how are you doing it? Splunk Enterprise Security? Splunk AWS app? Splunk Security Essentials App? Splunk Enterprise - Custom dashboards/reports? Other add-ons/Apps? Other outside tools? Is Splunk alone enough?
Please let me know what you’re using and if you could go into detail that would be awesome!
A little bit of all of the above!
The Splunk AWS app is great - it gives a very detailed view into your AWS environment, and provides some very detailed security focused dashboards to show you what security relevant actions are being taken on your account.
The AWS add-in is (as you would expect) fully CIM compliant which means all of your event data is immediately available to premium apps such as ES and ITSI should you have them. ES (and the ES updates) include a number of correlation searches which can leverage the AWS data to trigger notables along with any of your other security data sources, but there is huge value just in the AWS app!
Is Splunk alone enough? - Quite probably, it depends on your exact use case, but if you can think of a use case the app does not support out of the box, it's relatively simple to add your own alerts/dashboards to cover it.
Nick, thanks for your detailed reply. What are some of the things you are monitoring? Here is a short list of what I was able to find/monitor in Splunk, but I feel like I couldn't find some items in Splunk I needed to monitor (i.e. seeing if all S3 buckets were encrypted):
I've also referenced the following but some of the items are best practices VS monitoring: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
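An added example, not from this thread and not code from the Splunk AWS app: the check the poster above could not find (whether every S3 bucket has default encryption) approached the way Nick suggests for unsupported use cases, as a custom alert over CloudTrail data. It replays the S3 CreateBucket / PutBucketEncryption / DeleteBucketEncryption events in time order to reconstruct each bucket's last known encryption state, lists the buckets left unencrypted, and raises one alert per encryption removal. It is written in Python rather than SPL so it runs offline; the CloudTrail records, account id, bucket names and principals are constructed, and the nested requestParameters shape is assumed to mirror the S3 API's ServerSideEncryptionConfiguration element.

```python
"""Replay S3 default-encryption changes from CloudTrail to find unencrypted buckets.

Added example (not part of the original thread or of the Splunk AWS app): the
same logic a custom Splunk alert would apply to CloudTrail events, written in
Python so it runs offline against constructed sample records.
"""
from typing import Dict, Iterable, List

# Constructed CloudTrail records (a subset of the real record fields). Account id,
# bucket names and principals are placeholders made up for this example.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2019-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket",
     "requestParameters": {"bucketName": "app-logs"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2019-05-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketEncryption",
     "requestParameters": {"bucketName": "app-logs",
                           "ServerSideEncryptionConfiguration": {"Rule": {
                               "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}}},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2019-05-02T08:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket",
     "requestParameters": {"bucketName": "scratch-data"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2019-05-02T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketEncryption",
     "requestParameters": {"bucketName": "backups",
                           "ServerSideEncryptionConfiguration": {"Rule": {
                               "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}}},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2019-05-03T17:45:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucketEncryption",
     "requestParameters": {"bucketName": "backups"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]

S3_EVENTS = {"CreateBucket", "PutBucketEncryption", "DeleteBucketEncryption"}


def _sse_algorithm(params: dict) -> str:
    """Pull the default SSE algorithm out of a PutBucketEncryption request.
    The nested shape is assumed to mirror the S3 ServerSideEncryptionConfiguration
    element; an unexpected shape is reported as 'unknown' rather than dropped."""
    rules = params.get("ServerSideEncryptionConfiguration", {}).get("Rule", {})
    if isinstance(rules, dict):
        rules = [rules]
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return "unknown"


def replay_encryption_state(records: Iterable[dict]) -> Dict[str, dict]:
    """Per-bucket default-encryption state after replaying S3 events in time order."""
    state: Dict[str, dict] = {}
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventSource") != "s3.amazonaws.com" or rec["eventName"] not in S3_EVENTS:
            continue
        bucket = rec["requestParameters"]["bucketName"]
        entry = state.setdefault(bucket, {"encrypted": False, "algorithm": None,
                                          "last_change_by": None, "last_event": None})
        name = rec["eventName"]
        if name == "PutBucketEncryption":
            entry.update(encrypted=True, algorithm=_sse_algorithm(rec["requestParameters"]))
        elif name == "DeleteBucketEncryption":
            entry.update(encrypted=False, algorithm=None)
        # CreateBucket: a new bucket starts with no default-encryption configuration.
        entry.update(last_change_by=rec["userIdentity"]["arn"], last_event=name)
    return state


def unencrypted_buckets(state: Dict[str, dict]) -> List[str]:
    """Buckets whose last known state has no default encryption, sorted for stable output."""
    return sorted(b for b, s in state.items() if not s["encrypted"])


def encryption_removal_alerts(records: Iterable[dict]) -> List[dict]:
    """One alert per DeleteBucketEncryption event: who removed encryption from which bucket."""
    return [{"bucket": r["requestParameters"]["bucketName"],
             "actor": r["userIdentity"]["arn"], "time": r["eventTime"]}
            for r in records
            if r.get("eventSource") == "s3.amazonaws.com"
            and r.get("eventName") == "DeleteBucketEncryption"]


if __name__ == "__main__":
    state = replay_encryption_state(SAMPLE_CLOUDTRAIL)
    for bucket, s in sorted(state.items()):
        print(f"{bucket:14} encrypted={s['encrypted']!s:5} algo={s['algorithm']} "
              f"last={s['last_event']} by={s['last_change_by']}")
    print("unencrypted:", unencrypted_buckets(state))
    for alert in encryption_removal_alerts(SAMPLE_CLOUDTRAIL):
        print("ALERT encryption removed:", alert)
```

Two caveats a practitioner would want: CloudTrail only shows changes made after logging was enabled, so buckets created earlier need a one-off inventory (GetBucketEncryption via the CLI, or an AWS Config rule) to seed the state before the replay is trustworthy; and since January 2023 S3 applies SSE-S3 to new objects by default, so a CreateBucket with no later PutBucketEncryption now means "no customer-chosen configuration" rather than "stored in the clear", and the alert condition should be adjusted to the encryption standard the organisation actually requires (for example, KMS).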
As @nickhillscpl said, the Splunk Enterprise Security Content Updates App has some great use cases around cross-account activity, cryptomining, user activity, provisioning activity, NACL etc. Here is the link: https://splunkbase.splunk.com/app/3449/
We have monitoring in place for 1, 3, 5 and the last bullet in your list, and we based our searches around https://www.cisecurity.org/controls/ - Top 20 controls.
As @nickhillscpl says, it would depend on your case and hardening in your network/environment/SOC etc.