
Use Cross-Account IAM role with Splunk Add-on for AWS

abow
Explorer

I am working to integrate Splunk with AWS to ingest CloudTrail logs. Looking at the documentation for the Splunk Add-on for AWS, under steps 3, 4, and 8 it says to create an IAM user, an access key, and then to input the key ID and secret ID into the Splunk Add-on:

https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Admin/AWSGDI#Step_3:_Create_a_Splunk_Acce...

Can we instead leverage a cross-account IAM role with an external ID for this purpose? We try to limit IAM user creation in our environment and this also creates additional management overhead, such as needing to regularly rotate the IAM user access key credentials. Leveraging a cross-account IAM role that can be assumed by Splunk Cloud is a much simpler (and more secure) implementation.

Thanks!


robj
Engager

I found that deploying a Splunk Heavy Forwarder and defining trust and permissions through an Instance Role is effective for this.

abow
Explorer

Hi @robj, thanks for the suggestion! That sounds like a solid option. Do you also have your heavy forwarder deployed in AWS?

We ended up using the Splunk Data Manager app to ingest AWS CloudTrail logs from an AWS S3 bucket using a cross-account IAM role that can be assumed by Splunk Cloud.

Splunk Data Manager documentation:

https://docs.splunk.com/Documentation/DM/1.12.0/User/About

Configure AWS for onboarding from a single account:

https://docs.splunk.com/Documentation/DM/1.12.0/User/AWSSingleAccount

You can use the above implementation to either ingest CloudTrail logs from a single AWS account or from your centralized logging account in an AWS Organization or Control Tower environment.


Meett
Splunk Employee

abow
Explorer

Hi @Meett! Thanks for sharing the article, this looks closer to what I'm looking to achieve.

Looking closer at this article, it still seems to reference an IAM user/access key ID for “Account A” in the example. This is what I would like to avoid if possible.

Is there any way for me to configure the trust policy on my AWS IAM role in my AWS account so that a Splunk-managed AWS IAM role in Splunk's account can be granted cross-account access to assume our role? Using sts:AssumeRole? Thanks!

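A check a defender can run over the kind of trust policy discussed above, added here as an example that is not part of the thread or of Splunk's tooling: it flags any sts:AssumeRole grant that lacks the sts:ExternalId condition or that trusts every principal. The account ID, role name and external ID are constructed placeholders.

```python
import json

# Constructed sample (placeholder IDs, not Splunk's): a role in another account
# may assume this role only when it presents the agreed external ID.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/placeholder-ingest-role"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "placeholder-external-id"}},
    }],
})

# Constructed sample: the ExternalId condition was forgotten and the principal is
# "*", so any AWS principal that can call sts:AssumeRole could assume the role.
BAD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
})

def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def lint_trust_policy(policy_json: str) -> list:
    """Return findings for every Allow statement that grants sts:AssumeRole."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append(f"statement {i}: Principal is '*', so any AWS account may attempt AssumeRole")
        # The external ID must be enforced as a String* condition on this statement;
        # without it a third party that holds only the role ARN can be tricked into
        # assuming it on someone else's behalf (confused deputy).
        conditions = stmt.get("Condition", {})
        has_external_id = any(
            isinstance(vals, dict) and "sts:ExternalId" in vals
            for op, vals in conditions.items() if op.startswith("String")
        )
        if not has_external_id:
            findings.append(f"statement {i}: no sts:ExternalId condition on the AssumeRole grant")
    return findings
```

Feed it the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) to review existing roles before granting an external party access to them.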

Meett
Splunk Employee

Hey @abow, I don't think that can work.


abow
Explorer

Hi @Meett, just wanted to update on this old thread, we ended up using the Splunk Data Manager app to ingest AWS CloudTrail logs from an AWS S3 bucket using a cross-account IAM role that can be assumed by Splunk Cloud.

Splunk Data Manager documentation:

https://docs.splunk.com/Documentation/DM/1.12.0/User/About

Configure AWS for onboarding from a single account:

https://docs.splunk.com/Documentation/DM/1.12.0/User/AWSSingleAccount

You can use the above implementation to either ingest CloudTrail logs from a single AWS account or from your centralized logging account in an AWS Organization or Control Tower environment.
