Northwestern IT maintains a Splunk instance for capturing, indexing, searching, and aggregating event data. Splunk natively supports ingesting logs and event data from various sources in Amazon Web Services, including CloudTrail, S3 and CloudFront access logs, AWS Config Rules, even generic log files stored in S3.
For more information about Splunk, refer to these resources:
The process of sending logs from AWS to Splunk consists of these steps:
- Creating an IAM Read Only Access Policy
- Creating an IAM Role for Splunk Access
- Sending the role and event source details to the Northwestern Splunk support team
- Logging in to Splunk and confirming the events are indexed properly
1. Creating an IAM Read Only Access Policy for Splunk
The first step entails the creation of an IAM policy that provides read only access to a Splunk role. This step assumes that you have not already created an IAM Read Only Access Policy for this Splunk access role. If you have created an IAM Policy for this Splunk role, please jump to the “Create an IAM Role for Splunk Access” section of this page.
Log in to your AWS account with a role that allows you to create and modify IAM roles and policies.
Navigate to the IAM page. Proceed to the “Policies” page using the navigation pane to the left and click the “Create policy” button in the upper right-hand corner of the page.
We are going to specify the permission for this policy using JSON. On the “Specify permissions” page, click the “JSON” tab, clear the contents present in the “Policy creator” box, and paste in the following JSON policy document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:GetQueueUrl",
        "sqs:SendMessage",
        "sqs:DeleteMessage",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:GetBucketTagging",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketLogging",
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketCORS",
        "config:DeliverConfigSnapshot",
        "config:DescribeConfigRules",
        "config:DescribeConfigRuleEvaluationStatus",
        "config:GetComplianceDetailsByConfigRule",
        "config:GetComplianceSummaryByConfigRule",
        "iam:GetUser",
        "iam:ListUsers",
        "iam:GetAccountPasswordPolicy",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "sns:Get*",
        "sns:List*",
        "sns:Publish",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "ec2:DescribeInstances",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeRegions",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:DescribeImages",
        "ec2:DescribeAddresses",
        "lambda:ListFunctions",
        "rds:DescribeDBInstances",
        "cloudfront:ListDistributions",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DescribeListeners",
        "inspector:Describe*",
        "inspector:List*",
        "kinesis:Get*",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kms:Decrypt",
        "sts:AssumeRole"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Your page should look like the one found below.

The policy we used will grant Splunk read-only access to all services in AWS it is able to index. To grant access to only specific services or resources, refer to https://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions for examples.
Clicking the “Next” button on the bottom right of the page allows us to review and create the policy. Give the policy a unique name (such as “SplunkReadOnly”) and click the “Create Policy” button on the bottom right.
You will know that the policy has been successfully created when you see the confirmation message at the top of the page.
2. Create an IAM Role for Splunk Access
While still logged into your AWS account with a role that allows you to create and modify IAM roles and policies, navigate to Roles in the navigation pane to the left, then click the “Create Role” button found on the top right corner of the page.
On the next screen, choose “Another AWS account” and enter “878935811476” as the Account ID (this is the Account ID of the AWS account used by Northwestern IT for Splunk access). Click “Next” in the bottom right-hand corner.
Search for your new policy by name in the search box, click the checkbox to the left of your policy, and click “Next”.
Give your new role any tags you wish (for example: Application = Splunk) then click on “Create role”.
Give the role a name (example: “SplunkAccessRole”) and then click the “Create Role” button.
On the IAM role screen, search for your newly created role by name, then click on it. Click the “Trust Relationship” tab, then click the “Edit trust relationship” button:
Paste in the following JSON document (this step further limits access to your role to only the IAM user used by Splunk):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::878935811476:user/SplunkAccessUser"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Then click “Update Trust Policy”.
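Before pasting the two documents above into the console, it is worth sanity-checking them. The following Python is an added example, not from this article: it lists the actions in the step 1 policy whose verb is not Describe/Get/List (the page's policy includes sqs:SendMessage, sqs:DeleteMessage, sns:Publish and kms:Decrypt, which are broader than read-only), and confirms that the step 2 trust policy names only the single Splunk IAM user rather than a wildcard or the whole account. The embedded policy copies are abridged, constructed inputs; point the functions at your real documents.

```python
import json

# Constructed test inputs: abridged copies of the step 1 policy and the step 2 trust policy.
SPLUNK_ACCOUNT_ID = "878935811476"
SPLUNK_USER_ARN = f"arn:aws:iam::{SPLUNK_ACCOUNT_ID}:user/SplunkAccessUser"

PERMISSIONS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Action": ["sqs:ReceiveMessage", "sqs:SendMessage", "sqs:DeleteMessage",
               "s3:GetObject", "s3:ListBucket", "autoscaling:Describe*",
               "sns:Publish", "kms:Decrypt", "sts:AssumeRole"],
    "Resource": ["*"]}]}""")

TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::878935811476:user/SplunkAccessUser"},
    "Action": "sts:AssumeRole", "Condition": {}}]}""")

READ_VERBS = ("Describe", "Get", "List")


def _as_list(value):
    # IAM accepts a string or a list in most fields; normalise to a list.
    return value if isinstance(value, list) else [value]


def non_read_actions(policy: dict) -> list:
    """Allowed actions whose verb is not Describe*/Get*/List*. Anything listed
    here deserves a second look in a policy that is labelled read-only."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            _service, _, verb = action.partition(":")
            if not verb.startswith(READ_VERBS):
                flagged.append(action)
    return flagged


def trust_policy_is_locked_down(trust: dict, expected_principal: str) -> bool:
    """True only if every statement grants sts:AssumeRole to exactly the
    expected IAM user: no '*', no account root, no extra actions."""
    for stmt in trust["Statement"]:
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if stmt.get("Effect") != "Allow" or _as_list(aws) != [expected_principal]:
            return False
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            return False
    return True
```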
3. Send IAM Role ARN and Event Source Details to the Splunk team
On the Summary page for your role in the AWS IAM console, copy the Role ARN.
Create a ticket in TeamDynamix, either manually or via email to consultant@northwestern.edu, and include the following information:
- A statement that you are requesting new events to be indexed in Splunk (so the ticket is assigned to the correct team)
- The Role ARN you copied from the AWS IAM console
- Details of the events/logs you want indexed in Splunk. Depending on the event source type, you will need to include certain extra information (for example for S3 access logs, include the S3 bucket name). Documentation for the available Splunk AWS source types is available here: https://docs.splunk.com/Documentation/AddOns/released/AWS/DataTypes
4. Confirm Events are Being Indexed Properly
Once the TeamDynamix ticket is completed, you can log into Splunk at https://splunk.northwestern.edu/ and search for events. Refer to https://docs.splunk.com/Documentation/AddOns/released/AWS/DataTypes for the sourcetype value to use in Splunk to search for each data source.
Your feedback on this article is welcome, and we review comments regularly. However, if you have an issue or question requiring immediate attention or want to discuss your feedback on this article, please get in touch with the Northwestern IT Service Desk at 847-491-4357 (1-HELP) or consultant@northwestern.edu.