All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use Cross-Account IAM role with Splunk Add-on for AWS

abow
Explorer
‎10-07-2024 12:19 PM

I am working to integrate Splunk with AWS to ingest CloudTrail logs. Looking at the documentation for the Splunk Add-on for AWS, under steps 3, 4, and 8 it says to create an IAM user, an access key, and then to input the key ID and secret ID into the Splunk Add-on:

https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Admin/AWSGDI#Step_3:_Create_a_Splunk_Acce...

Can we instead leverage a cross-account IAM role with an external ID for this purpose? We try to limit IAM user creation in our environment and this also creates additional management overhead, such as needing to regularly rotate the IAM user access key credentials. Leveraging a cross-account IAM role that can be assumed by Splunk Cloud is a much simpler (and more secure) implementation.

Thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

abow
Explorer
‎03-03-2025 11:29 AM

Hi @Meett, just wanted to update on this old thread, we ended up using the Splunk Data Manager app to ingest AWS CloudTrail logs from an AWS S3 bucket using a cross-account IAM role that can be assumed by Splunk Cloud.

Splunk Data Manager documentation:

https://docs.splunk.com/Documentation/DM/1.12.0/User/About

Configure AWS for onboarding from a single account:

https://docs.splunk.com/Documentation/DM/1.12.0/User/AWSSingleAccount

You can use the above implementation to either ingest CloudTrail logs from a single AWS account or from your centralized logging account in an AWS Organization or Control Tower environment.

View solution in original post

Reply
Solved! Jump to solution

robj
Engager
‎02-28-2025 11:19 AM

I found that deploying a Splunk Heavy Forwarder and defining trust and permissions through an Instance Role to be effective for this.

Reply
Solved! Jump to solution

abow
Explorer
‎03-03-2025 11:59 AM

Hi @robj, thanks for the suggestion! That sounds like a solid option. Do you also have your heavy forwarder deployed in AWS?

We ended up using the Splunk Data Manager app to ingest AWS CloudTrail logs from an AWS S3 bucket using a cross-account IAM role that can be assumed by Splunk Cloud.

Splunk Data Manager documentation:

https://docs.splunk.com/Documentation/DM/1.12.0/User/About

Configure AWS for onboarding from a single account:

https://docs.splunk.com/Documentation/DM/1.12.0/User/AWSSingleAccount

You can use the above implementation to either ingest CloudTrail logs from a single AWS account or from your centralized logging account in an AWS Organization or Control Tower environment.

0 Karma
Reply
Solved! Jump to solution

Meett
Splunk Employee
Splunk Employee
‎10-07-2024 07:20 PM

Hello @abow Can you check this article : https://splunk.my.site.com/customer/s/article/How-to-make-Splunk-Add-on-for-AWS-to-fetch-data-via-cr... ? hope fully it will resolve you queries.

0 Karma
Reply
Solved! Jump to solution

abow
Explorer
‎10-08-2024 08:43 AM

Hi @Meett! Thanks sharing the article, this looks closer to what I'm looking to achieve.

Looking closer at this article, it still seems to reference an IAM user/access key ID for “Account A” in the example. This is what I would like to avoid if possible.

Is there any way for me to configure the trust policy on my AWS IAM role in my AWS account so that a Splunk-managed AWS IAM role in Splunk's account can be granted cross-account access to assume our role? Using sts:AssumeRole? Thanks!

0 Karma
Reply
Solved! Jump to solution

Meett
Splunk Employee
Splunk Employee
‎10-08-2024 08:21 PM

Hey @abow i don’t think that can work.

0 Karma
Reply
Solved! Jump to solution
Solution

abow
Explorer
‎03-03-2025 11:29 AM

Hi @Meett, just wanted to update on this old thread, we ended up using the Splunk Data Manager app to ingest AWS CloudTrail logs from an AWS S3 bucket using a cross-account IAM role that can be assumed by Splunk Cloud.

Splunk Data Manager documentation:

https://docs.splunk.com/Documentation/DM/1.12.0/User/About

Configure AWS for onboarding from a single account:

https://docs.splunk.com/Documentation/DM/1.12.0/User/AWSSingleAccount

You can use the above implementation to either ingest CloudTrail logs from a single AWS account or from your centralized logging account in an AWS Organization or Control Tower environment.

Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top