Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk App for AWS: Getting Cloudtrail logs from another account

acclaypool1
Explorer
‎07-08-2015 02:25 PM

I am trying to setup a design for our CloudTrail logging that drops all of our Account A CloudTrail logs in an Account B S3 bucket. The idea being that in the event of an unauthorized intrusion in Account A the logs are preserved in Account B.

AWS has the built-in functionality to do this but the ACLs on the actual JSON files aren't made to automatically match the bucket. So the bucket policies that I created to get Account A access to the bucket in Account B don't work due to ACLs on the JSON files.

Just curious if anyone has edited the Splunk App for AWS python code to perform additional actions. My idea would be to either edit the ACLs of the file prior to acquiring the JSON file or assume a role prior to accessing.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dolivasoh
Contributor
‎07-09-2015 09:12 PM

"Account A the logs are preserved in Account B." < If you simply added keys from both accounts to your config and configured CloudTrail inputs from both, this would preserve data from both accounts in Splunk. No real need to move anything between accounts here and if so, it's something you'd likely want to ask in an aws forum or chat.

View solution in original post

Reply
Solved! Jump to solution
Solution

dolivasoh
Contributor
‎07-09-2015 09:12 PM

"Account A the logs are preserved in Account B." < If you simply added keys from both accounts to your config and configured CloudTrail inputs from both, this would preserve data from both accounts in Splunk. No real need to move anything between accounts here and if so, it's something you'd likely want to ask in an aws forum or chat.

Reply
Solved! Jump to solution

acclaypool1
Explorer
‎07-10-2015 10:19 AM

Yeah, I was thinking about this wrong (skinning cats and what not). I ended up subscribing an SQS queue in Account B to the SNS topics in Account A. Then adding the keys from Account B to Splunk App from AWS. Thanks for the mental nudge!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...