
What is the proper configuration for AWS SQS/SNS in a consolidated account environment?

larry_youngquis
New Member

We have multiple sub-accounts that aggregate their cloudtrail data into a single S3 bucket stored at the master account level.

What, if any, SQS and SNS configurations need to be done at the sub-account level? Or, is it only defined for the master account?

0 Karma

scpack
New Member

Hey Larry,

I'm doing this same thing, aggregating CloudTrail for ingest via S3. Rather than using the CloudTrail input type with the SQS queue name, I'm using the S3 input on the bucket. It simplifies deployment a lot, but you have to keep in mind that the events will only be as up to date as your S3 polling interval.

0 Karma

jcoates_splunk
Splunk Employee

You'll need a modular input instance per queue. I don't think the bucket aggregation will matter, though it might make permissions more entertaining.

0 Karma

jcoates_splunk
Splunk Employee

This answer was assuming that you would manually aggregate several CloudTrail accounts so that you get a separate XML file from each account's events. However, if you've linked the accounts to each other you'll actually get a single XML file per period with multiple accounts and multiple events in it. Add-on for AWS version 1.1.1 was just posted Thursday and supports this scenario.

0 Karma
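To check what actually lands in a consolidated bucket before wiring up inputs, here is an added example (not from anyone in this thread, and not part of the Add-on for AWS) that parses the object key layout CloudTrail uses when delivering to a central bucket and counts events per `recipientAccountId`, flagging files that carry events for accounts other than the one named in the key. The bucket keys and log records below are constructed samples; the key pattern is the documented `AWSLogs/[org-id/]account-id/CloudTrail/region/YYYY/MM/DD/` layout.

```python
import gzip
import json
import re
from collections import Counter

# Key layout CloudTrail writes into a consolidated bucket: an optional
# organization-id segment, then the delivering account, region and date.
KEY_RE = re.compile(
    r"^AWSLogs/(?:(?P<org>o-[a-z0-9]+)/)?(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z0-9-]+)/(?P<date>\d{4}/\d{2}/\d{2})/[^/]+\.json\.gz$"
)

def parse_key(key):
    """Return the account/region/date encoded in a CloudTrail object key, or None."""
    m = KEY_RE.match(key)
    return m.groupdict() if m else None

def load_records(gz_bytes):
    """Decode one gzipped CloudTrail delivery object into its list of records."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]

def account_summary(key, gz_bytes):
    """Count events per recipientAccountId and list any accounts that differ
    from the account named in the key (the multi-account-per-file case)."""
    meta = parse_key(key)
    if meta is None:
        raise ValueError(f"unexpected key layout: {key}")
    counts = Counter(r.get("recipientAccountId", "unknown") for r in load_records(gz_bytes))
    others = sorted(a for a in counts if a != meta["account"])
    return {"key_account": meta["account"], "region": meta["region"],
            "counts": counts, "other_accounts": others}

def _pack(records):
    # Build a constructed delivery object in the shape CloudTrail writes.
    return gzip.compress(json.dumps({"Records": records}).encode())

# Constructed sample: two sub-accounts delivering into the master account's bucket.
SAMPLE = {
    "AWSLogs/111111111111/CloudTrail/us-east-1/2024/05/01/111111111111_CloudTrail_us-east-1_20240501T0005Z_abc.json.gz":
        _pack([{"eventName": "ConsoleLogin", "recipientAccountId": "111111111111"}]),
    "AWSLogs/o-abc123/222222222222/CloudTrail/us-east-1/2024/05/01/222222222222_CloudTrail_us-east-1_20240501T0005Z_def.json.gz":
        _pack([{"eventName": "AssumeRole", "recipientAccountId": "222222222222"},
               {"eventName": "PutObject", "recipientAccountId": "333333333333"}]),
}

if __name__ == "__main__":
    for key, body in SAMPLE.items():
        print(account_summary(key, body))
```

Run against real keys and objects listed from the bucket, the `other_accounts` field tells you whether a single file per period really does mix accounts, which decides whether one input over the bucket is enough or whether you need to split by account.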