Would any of our AWS experts be able to assist wit...

paimonsoror · ‎10-23-2018

Hi Folks; Hoping that some of our AWS experts can help with this. Basically I have set up Splunk running in EC2 within our splunk aws account for our company. Now that we have proven out that the data is good, and folks are motivated, the next step here is to start pulling that same data from all other accounts in our space.

Right now i have a single role called SplunkEC2Role that has 2 policies (one for the addon, one for SAI). That role is bound to Splunk EC2 instance within my account. That role was auto-discovered in the add-on, and i created inputs using that role.

My expertise ends here. But I assume that I will need to create a Role with an STS policy with a wildcarded account resource?

joeydenbroeder · ‎12-27-2018

What we've done is two things:

Create an IAM Role with the appropriate permissions in each AWS Account, specifically for Splunk.
Attach an IAM Policy to the EC2 IAM Role (in your case SplunkEC2Role) which allows sts:AssumeRole for those IAM Roles.

The documentation is pretty good on this subject: https://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions

Would any of our AWS experts be able to assist with out to set up a role for cross account data ingestion?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7