We have our dedicated Splunk Environment setup on AWS with Indexer and Search Head Clustering.
- Splunk App for AWS is installed on Splunk Search Head Cluster
- Splunk Add-on for Amazon Web Services is installed on a dedicated single instance server (Heavy Forwarder)
All our Splunk servers on AWS Cloud do NOT have connectivity to Internet.
They have only Private IPs - dedicated VPC/Subnet.
We are unable to configure AWS Add-On CloudTrail Input.
The SQS Queue are not getting populated on the drop-down.
What I doubt is, since we do not have connectivity to internet, the Heavy Forwarder is unable to connect to AWS API and get the required queue details, etc.
We do not want to open our AWS servers to the Internet.
For now, we have configured the AWS add-on on our on-prem Heavy Forwarder and pushing data to Indexers on AWS.
We are worrying about unnecessary data transfer between AWS API->On-Prem HF->AWS Indexers.