×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
abow
Explorer
Member since: ‎10-07-2024
‎03-11-2025
Community Statistics
Posts 4
Solutions 1
Karma Given 1
Karma Received 1
Member Since ‎10-07-2024
View All

Re: Use Cross-Account IAM role with Splunk Add-on ...

by in All Apps and Add-ons
‎03-03-2025 11:59 AM
‎03-03-2025 11:59 AM
Hi @robj, thanks for the suggestion! That sounds like a solid option. Do you also have your heavy forwarder deployed in AWS? We ended up using the Splunk Data Manager app to ingest AWS CloudTrail logs from an AWS S3 bucket using a cross-account IAM role that can be assumed by Splunk Cloud. Splunk Data Manager documentation: https://docs.splunk.com/Documentation/DM/1.12.0/User/About Configure AWS for onboarding from a single account: https://docs.splunk.com/Documentation/DM/1.12.0/User/AWSSingleAccount You can use the above implementation to either ingest CloudTrail logs from a single AWS account or from your centralized logging account in an AWS Organization or Control Tower environment. ... View more

Re: Use Cross-Account IAM role with Splunk Add-on ...

by in All Apps and Add-ons
‎03-03-2025 11:29 AM
1 Karma
‎03-03-2025 11:29 AM
1 Karma
Hi @Meett, just wanted to update on this old thread, we ended up using the Splunk Data Manager app to ingest AWS CloudTrail logs from an AWS S3 bucket using a cross-account IAM role that can be assumed by Splunk Cloud. Splunk Data Manager documentation: https://docs.splunk.com/Documentation/DM/1.12.0/User/About Configure AWS for onboarding from a single account: https://docs.splunk.com/Documentation/DM/1.12.0/User/AWSSingleAccount You can use the above implementation to either ingest CloudTrail logs from a single AWS account or from your centralized logging account in an AWS Organization or Control Tower environment. ... View more

Re: Use Cross-Account IAM role with Splunk Add-on ...

by in All Apps and Add-ons
‎10-08-2024 08:43 AM
‎10-08-2024 08:43 AM
Hi @Meett! Thanks sharing the article, this looks closer to what I'm looking to achieve. Looking closer at this article, it still seems to reference an IAM user/access key ID for “Account A” in the example. This is what I would like to avoid if possible. Is there any way for me to configure the trust policy on my AWS IAM role in my AWS account so that a Splunk-managed AWS IAM role in Splunk's account can be granted cross-account access to assume our role? Using sts:AssumeRole? Thanks! ... View more

Use Cross-Account IAM role with Splunk Add-on for ...

by in All Apps and Add-ons
‎10-07-2024 12:19 PM
‎10-07-2024 12:19 PM
I am working to integrate Splunk with AWS to ingest CloudTrail logs. Looking at the documentation for the Splunk Add-on for AWS, under steps 3, 4, and 8 it says to create an IAM user, an access key, and then to input the key ID and secret ID into the Splunk Add-on: https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Admin/AWSGDI#Step_3:_Create_a_Splunk_Access_user Can we instead leverage a cross-account IAM role with an external ID for this purpose? We try to limit IAM user creation in our environment and this also creates additional management overhead, such as needing to regularly rotate the IAM user access key credentials. Leveraging a cross-account IAM role that can be assumed by Splunk Cloud is a much simpler (and more secure) implementation. Thanks! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-11-2025 05:58 PM
Karma from
View All
Karma given to
View All