Hi,
I am working on a Splunk-Addon for AWS setup, with the objective of centralizing data from all AWS accounts, and I have a problem centralizing data for sourcetype=aws:description.
Issue description:
Unable to fetch aws:description data from all AWS accounts using "Assumed Role". The current details of the setup are shown below.
Details of the setup:
Each AWS workload account:
Set up an IAM role in each AWS account that covers the policy "Configure one policy containing permissions for all inputs"
arn:aws:iam::xxxxxxxx1:role/TestLogging
arn:aws:iam::xxxxxxxx2:role/TestLogging
Central Logging AWS account:
Created an IAM role (e.g. CTLRole) and provisioned it to use the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::xxxxxxxx1:role/TestLogging",
                "arn:aws:iam::xxxxxxxx1:role/TestLogging "
            ],
            "Action": "sts:AssumeRole"
        }
    ]
}
Splunk Add-on:
Added ARN of CTLrole in "IAM Role" section, e.g. arn:aws:iam::xxxxxxcentralaccount:role/CTLrole
Added an AWS account, an IAM user account created in the Central Logging AWS account, and configured access and security keys.
Configured aws:description input to use this account and Assume CTLrole.
Testing shows the Splunk Add-on is not able to pull this data. It is, however, working if I add aws:description for an individual account, but the objective here is to avoid creating an individual IAM user for each account and configuring aws:description for each account.
Looking for some guidance on this.
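
The following is an added example, not part of the original post and not code from Splunk or AWS: a small offline lint that compares the Resource list of an sts:AssumeRole policy with the role ARNs that are meant to be assumable, and reports stray whitespace, duplicates and roles the policy does not cover. The function name `lint_assume_role_policy` is hypothetical; the policy and role ARNs are the redacted values from the post, and the check only reads the policy text, it does not call AWS or the add-on.

```python
import fnmatch
import json

# Policy values as posted (account IDs are the post's redacted placeholders).
POSTED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Resource": [
      "arn:aws:iam::xxxxxxxx1:role/TestLogging",
      "arn:aws:iam::xxxxxxxx1:role/TestLogging "],
    "Action": "sts:AssumeRole"
  }]
}"""

# Workload-account roles listed in the post.
EXPECTED_ROLES = [
    "arn:aws:iam::xxxxxxxx1:role/TestLogging",
    "arn:aws:iam::xxxxxxxx2:role/TestLogging",
]
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def lint_assume_role_policy(policy_json, expected_roles):
    """Hypothetical helper: list (kind, arn) findings for sts:AssumeRole grants."""
    allowed, findings = [], []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS:
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res != res.strip():
                findings.append(("whitespace", res))  # stray leading/trailing space
            if res.strip() in allowed:
                findings.append(("duplicate", res.strip()))
            allowed.append(res.strip())
    for role in expected_roles:
        # Resource entries may contain * and ? wildcards.
        if not any(fnmatch.fnmatchcase(role, pat) for pat in allowed):
            findings.append(("missing", role))
    return findings


if __name__ == "__main__":
    for kind, arn in lint_assume_role_policy(POSTED_POLICY, EXPECTED_ROLES):
        print(f"{kind}: {arn!r}")
```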