All Apps and Add-ons

Would any of our AWS experts be able to assist with out to set up a role for cross account data ingestion?

paimonsoror
Builder

Hi Folks; Hoping that some of our AWS experts can help with this. Basically I have set up Splunk running in EC2 within our splunk aws account for our company. Now that we have proven out that the data is good, and folks are motivated, the next step here is to start pulling that same data from all other accounts in our space.

Right now i have a single role called SplunkEC2Role that has 2 policies (one for the addon, one for SAI). That role is bound to Splunk EC2 instance within my account. That role was auto-discovered in the add-on, and i created inputs using that role.

My expertise ends here. But I assume that I will need to create a Role with an STS policy with a wildcarded account resource?

0 Karma

joeydenbroeder
Explorer

What we've done is two things:

  1. Create an IAM Role with the appropriate permissions in each AWS Account, specifically for Splunk.
  2. Attach an IAM Policy to the EC2 IAM Role (in your case SplunkEC2Role) which allows sts:AssumeRole for those IAM Roles.

The documentation is pretty good on this subject: https://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions

0 Karma