All Apps and Add-ons

Would any of our AWS experts be able to assist with out to set up a role for cross account data ingestion?


Hi Folks; Hoping that some of our AWS experts can help with this. Basically I have set up Splunk running in EC2 within our splunk aws account for our company. Now that we have proven out that the data is good, and folks are motivated, the next step here is to start pulling that same data from all other accounts in our space.

Right now i have a single role called SplunkEC2Role that has 2 policies (one for the addon, one for SAI). That role is bound to Splunk EC2 instance within my account. That role was auto-discovered in the add-on, and i created inputs using that role.

My expertise ends here. But I assume that I will need to create a Role with an STS policy with a wildcarded account resource?

0 Karma


What we've done is two things:

  1. Create an IAM Role with the appropriate permissions in each AWS Account, specifically for Splunk.
  2. Attach an IAM Policy to the EC2 IAM Role (in your case SplunkEC2Role) which allows sts:AssumeRole for those IAM Roles.

The documentation is pretty good on this subject:

0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...