Splunk App for AWS: using one index per client (multi-tenancy)

steffenmazanek

Dear Splunk community members,

I want to configure the Splunk App for AWS for multi-tenancy. For a new customer AWS account, I
- created a dedicated index for this customer
- configured CloudTrail and Config inputs (SQS-based S3) as well as Description and CloudWatch inputs to write their data into the new index
- created a new user and role in Splunk that can only access the new index

Since this Splunk cluster is only used for the AWS App, I removed the index filters from several search macros mentioned here:
https://docs.splunk.com/Documentation/AWS/5.1.1/Installation/Useacustomindex
Then I could execute the Addon Metadata searches of the addon. After that, I could use most functionality with the new user and what I see is indeed restricted to that specific account.
However, I failed to get the topology view. From what I analyzed there are several specific indices for the topology handling (aws_topology_history, aws_topology_daily_snapshot, aws_topology_monthly_snapshot, aws_topology_playback). I do not want to give the user access to these indices because then he could also see data/topologies about other clients.

Do you have any ideas or advice on how I can have multi-tenancy and still provide the users access to their topology?

Any help with that is greatly appreciated!

Brgds and thanks
Steffen
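
A way to verify the isolation described in the post above, as an added example that is not part of the original post or of the Splunk App for AWS: it reads an `authorize.conf` and reports which of the shared topology indices a tenant role can search, including access inherited through `importRoles`. The role names, tenant index names and sample config are constructed; only the `*` wildcard is handled, and only `srchIndexesAllowed` and `importRoles` are considered.

```python
import configparser
import re

# Shared topology indices named in the post above.
SHARED_INDEXES = ["aws_topology_history", "aws_topology_daily_snapshot",
                  "aws_topology_monthly_snapshot", "aws_topology_playback"]

# Constructed sample authorize.conf; role and tenant index names are hypothetical.
SAMPLE_CONF = """
[role_aws_base]
srchIndexesAllowed = aws_topology_*

[role_tenant_a]
srchIndexesAllowed = aws_tenant_a

[role_tenant_b]
importRoles = aws_base
srchIndexesAllowed = aws_tenant_b
"""

def _split(value):
    # Splunk separates list values in authorize.conf with semicolons.
    return [v.strip() for v in value.split(";") if v.strip()]

def effective_indexes(conf, role, seen=None):
    """Collect srchIndexesAllowed patterns for a role, following importRoles."""
    seen = set() if seen is None else seen
    section = "role_" + role
    if role in seen or not conf.has_section(section):
        return set()  # already visited (import cycle) or undefined role
    seen.add(role)
    patterns = set(_split(conf.get(section, "srchIndexesAllowed", fallback="")))
    for parent in _split(conf.get(section, "importRoles", fallback="")):
        patterns |= effective_indexes(conf, parent, seen)
    return patterns

def shared_index_exposure(conf_text, role):
    """Return the shared topology indices the role can search, sorted."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.optionxform = str  # keep setting names case-sensitive
    conf.read_string(conf_text)
    regexes = [re.compile(re.escape(p).replace(r"\*", ".*") + r"\Z")
               for p in effective_indexes(conf, role)]
    return sorted(i for i in SHARED_INDEXES if any(r.match(i) for r in regexes))

if __name__ == "__main__":
    for r in ("tenant_a", "tenant_b"):
        print(r, shared_index_exposure(SAMPLE_CONF, r) or "isolated")
```

In the sample, `tenant_b` looks restricted to its own index but reaches all four topology indices through the imported `aws_base` role.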
