Splunk App for AWS: using one index per client (multi-tenancy)

steffenmazanek

Dear Splunk community members,

I want to configure the Splunk App for AWS for multi-tenancy. For a new customer AWS account, I
- created a dedicated index for this customer
- configured CloudTrail and Config inputs (SQS-based S3) as well as Description and CloudWatch inputs to write their data into the new index
- created a new user and role in Splunk that can only access the new index

Since this Splunk cluster is only used for the AWS App, I removed the index filters from several search macros mentioned here:
https://docs.splunk.com/Documentation/AWS/5.1.1/Installation/Useacustomindex
Then I could execute the Addon Metadata searches of the add-on. After that, I could use most functionality with the new user, and what I see is indeed restricted to that specific account.
However, I failed to get the topology view. From what I analyzed, there are several specific indices for the topology handling (aws_topology_history, aws_topology_daily_snapshot, aws_topology_monthly_snapshot, aws_topology_playback). I do not want to give the user access to these indices because then he could also see data/topologies about other clients.

Do you have any ideas or advice on how I can have multi-tenancy and still provide the users access to their topology?

Any help with that is greatly appreciated!

Brgds and thanks
Steffen
