Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk App for AWS: Getting Cloudtrail logs from another account

acclaypool1
Explorer
‎07-08-2015 02:25 PM

I am trying to setup a design for our CloudTrail logging that drops all of our Account A CloudTrail logs in an Account B S3 bucket. The idea being that in the event of an unauthorized intrusion in Account A the logs are preserved in Account B.

AWS has the built-in functionality to do this but the ACLs on the actual JSON files aren't made to automatically match the bucket. So the bucket policies that I created to get Account A access to the bucket in Account B don't work due to ACLs on the JSON files.

Just curious if anyone has edited the Splunk App for AWS python code to perform additional actions. My idea would be to either edit the ACLs of the file prior to acquiring the JSON file or assume a role prior to accessing.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dolivasoh
Contributor
‎07-09-2015 09:12 PM

"Account A the logs are preserved in Account B." < If you simply added keys from both accounts to your config and configured CloudTrail inputs from both, this would preserve data from both accounts in Splunk. No real need to move anything between accounts here and if so, it's something you'd likely want to ask in an aws forum or chat.

View solution in original post

Reply
Solved! Jump to solution
Solution

dolivasoh
Contributor
‎07-09-2015 09:12 PM

"Account A the logs are preserved in Account B." < If you simply added keys from both accounts to your config and configured CloudTrail inputs from both, this would preserve data from both accounts in Splunk. No real need to move anything between accounts here and if so, it's something you'd likely want to ask in an aws forum or chat.

Reply
Solved! Jump to solution

acclaypool1
Explorer
‎07-10-2015 10:19 AM

Yeah, I was thinking about this wrong (skinning cats and what not). I ended up subscribing an SQS queue in Account B to the SNS topics in Account A. Then adding the keys from Account B to Splunk App from AWS. Thanks for the mental nudge!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...