All Apps and Add-ons

Would any of our AWS experts be able to assist with out to set up a role for cross account data ingestion?

paimonsoror
Builder

Hi Folks; Hoping that some of our AWS experts can help with this. Basically I have set up Splunk running in EC2 within our splunk aws account for our company. Now that we have proven out that the data is good, and folks are motivated, the next step here is to start pulling that same data from all other accounts in our space.

Right now i have a single role called SplunkEC2Role that has 2 policies (one for the addon, one for SAI). That role is bound to Splunk EC2 instance within my account. That role was auto-discovered in the add-on, and i created inputs using that role.

My expertise ends here. But I assume that I will need to create a Role with an STS policy with a wildcarded account resource?

0 Karma

joeydenbroeder
Explorer

What we've done is two things:

  1. Create an IAM Role with the appropriate permissions in each AWS Account, specifically for Splunk.
  2. Attach an IAM Policy to the EC2 IAM Role (in your case SplunkEC2Role) which allows sts:AssumeRole for those IAM Roles.

The documentation is pretty good on this subject: https://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...