I am working to integrate Splunk with AWS to ingest CloudTrail logs. Looking at the documentation for the Splunk Add-on for AWS, under steps 3, 4, and 8 it says to create an IAM user, an access key, and then to input the key ID and secret ID into the Splunk Add-on:
https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Admin/AWSGDI#Step_3:_Create_a_Splunk_Acce...
Can we instead leverage a cross-account IAM role with an external ID for this purpose? We try to limit IAM user creation in our environment and this also creates additional management overhead, such as needing to regularly rotate the IAM user access key credentials. Leveraging a cross-account IAM role that can be assumed by Splunk Cloud is a much simpler (and more secure) implementation.
Thanks!
Hello @abow, can you check this article: https://splunk.my.site.com/customer/s/article/How-to-make-Splunk-Add-on-for-AWS-to-fetch-data-via-cr... ? Hopefully it will resolve your queries.
Hi @Meett! Thanks for sharing the article; this looks closer to what I'm looking to achieve.
Looking closer at this article, it still seems to reference an IAM user/access key ID for “Account A” in the example. This is what I would like to avoid if possible.
Is there any way for me to configure the trust policy on my AWS IAM role in my AWS account so that a Splunk-managed AWS IAM role in Splunk's account can be granted cross-account access to assume our role? Using sts:AssumeRole? Thanks!
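To make concrete what the question is asking for, here is an added example (not from the thread, the Splunk documentation, or the linked article) of the cross-account trust policy with an external ID that the poster describes, together with a small review function that flags the two weaknesses a defender cares about in such a policy: a wildcard principal and a missing `sts:ExternalId` condition (the confused-deputy mitigation). The account ID and external ID are constructed placeholders, and whether Splunk Cloud can actually assume such a role is a separate question that this thread does not settle; the example only shows the IAM side of the pattern.

```python
"""Build and review an IAM trust policy for a cross-account role with an external ID.

Added example; the account ID and external ID below are constructed placeholders.
"""
import json
import re

# Constructed placeholders, not real identifiers.
TRUSTED_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id-from-the-consuming-service"


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Return a trust policy that lets only trusted_account_id call sts:AssumeRole,
    and only when the caller presents the agreed external ID."""
    if not re.fullmatch(r"\d{12}", trusted_account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                # Scope the principal to the single external account, never "*".
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                # The external ID must match or STS refuses the AssumeRole call;
                # this is AWS's standard confused-deputy mitigation for third parties.
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict) -> list[str]:
    """Review every Allow statement that grants sts:AssumeRole and return a list of
    findings. An empty list means the policy passed both checks."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (
            _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        )
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS account could assume this role")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append(
                "no sts:ExternalId condition: a third party assuming this role is "
                "exposed to the confused-deputy problem"
            )
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy) or "none")
```

The review function is deliberately narrow: it only inspects the trust (assume-role) policy, not the permissions policy attached to the role, which for CloudTrail ingestion would still need to be scoped to the specific S3 bucket and SQS queue involved.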
Hey @abow, I don't think that can work.