Splunk Add-On for AWS - AssumeRole issue when listing SQS queues

aknsun
Path Finder

Hi,

I have the following issue and would like the experts to advise, especially the AWS Add-On expert - @amiracle

Here is the current situation.

We have only used the specific permission as defined in the document under "Configure CloudTrail permissions" and not the All-in-one. We are also using the Account via the keys and not EC2Role.

I'm trying to work with 2 accounts to start with. Let's call them A (which I'm part of) & B.

I currently have CloudTrail data being written to an S3 bucket in Account A. I have configured an SQS-based S3 input and can ingest data into Splunk without any issues as all these services are in my Account A.

We now would like to access the CloudTrail data in Account B. The team that supports AWS in our company has defined the AssumeRole and it has permissions defined for the S3 bucket in Account B that has the CloudTrail data. However, when I try to configure the Account to use the AssumeRole in the Inputs for SQS-based S3, it gives an error that Access is Denied when calling the ListQueues operation. This is definitely due to SQS permission not being defined in the AssumeRole policy.

I would like to know the following, as the AWS Add-On tries to do a list of the SQS queues when you add an SQS-based S3 Input.

  1. Does the Add-On require ListQueues permission on every account that we configure the input and try to AssumeRole on?
  2. Do we need SQS queues in each account for the SQS-based S3 inputs we define?

Thanks,
AKN


jawaharas
Motivator
  1. Does the Add-On require ListQueues permission on every account that we configure the input and try to AssumeRole on?
    Answer: Yes.

  2. Do we need SQS queues in each account for the SQS-based S3 inputs we define?
    Answer: I believe log events from various AWS accounts' S3 buckets can be fed into a single SQS queue with the right configuration. Then point your Splunk input to that SQS queue (which has log events from all the accounts). Otherwise, create a separate SQS queue for each account and create individual Splunk inputs.

jawaharas
Motivator

@aknsun

Can you accept the answer if it's helped you? Thanks.


aknsun
Path Finder

Adding to this. If I get Account B to give ListQueues permission, I just basically get the list of SQS queues in that account. The Input doesn't allow me to input the ARN for my SQS queue (Account A).

Does this mean that for every SQS-based S3 input that we create for another account, we need to be using an SQS queue in their account?

Thanks,
AKN
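
The diagnosis in this thread (the assumed role's policy covers the S3 bucket in Account B but not SQS) can be checked against the role's policy document before the input is configured. The following is an added example, not code from the posts or from the add-on: only `sqs:ListQueues` is confirmed by the thread, while the other required actions, the policy documents and the bucket name are constructed assumptions, and the check looks at actions only.

```python
import re

# Assumption: only sqs:ListQueues is confirmed by the thread; the other
# actions are an assumed minimum for reading S3 notifications from a queue.
REQUIRED_ACTIONS = ["sqs:ListQueues", "sqs:ReceiveMessage",
                    "sqs:DeleteMessage", "s3:GetObject"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action patterns are case-insensitive; * and ? are wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return required actions the policy does not allow (or explicitly denies).
    Action-level check only: Resource, Condition and NotAction are ignored."""
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:
            continue
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.extend(_as_list(stmt["Action"]))
    return [a for a in required
            if any(_matches(p, a) for p in denied)
            or not any(_matches(p, a) for p in allowed)]

# Constructed policy for the role in Account B as the thread describes it:
# S3 access to the CloudTrail bucket, nothing for SQS.
ROLE_B_S3_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-cloudtrail-bucket-b/*"}]}

# Same role with a constructed SQS statement added.
ROLE_B_WITH_SQS = {"Version": "2012-10-17", "Statement":
    ROLE_B_S3_ONLY["Statement"] + [
    {"Effect": "Allow", "Action": ["sqs:List*", "sqs:ReceiveMessage",
                                   "sqs:DeleteMessage"],
     "Resource": "*"}]}

if __name__ == "__main__":
    print("S3-only role is missing:", missing_actions(ROLE_B_S3_ONLY))
    print("After adding SQS:", missing_actions(ROLE_B_WITH_SQS))
```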
