Config Rules
Configure Config Rules inputs for the Splunk Add-on for AWS
Complete the steps to configure Config Rules inputs for the Splunk Add-on for Amazon Web Services (AWS):
- You must manage accounts for the add-on as a prerequisite. See Manage accounts for the Splunk Add-on for AWS.
- Configure AWS services for the Config Rules input.
- Configure AWS permissions for the Config Rules input.
- Configure Config Rules inputs either through Splunk Web or configuration files.
Configure AWS services for the Config Rules input
- Enable AWS Config for all regions for which you want to collect data in the add-on. Follow the steps in the AWS documentation. See http://docs.aws.amazon.com/config/latest/developerguide/setting-up.html.
- Set up AWS Config Rules by following the instructions in the AWS Config documentation. See http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_set-up.html.
- Grant the necessary permissions to the AWS account used for this input.
Configure AWS permissions for the Config Rules input
The Config Rules input requires the following AWS Config permissions:
- DescribeConfigRules
- DescribeConfigRuleEvaluationStatus
- GetComplianceDetailsByConfigRule
- GetComplianceSummaryByConfigRule
See the following sample inline policy to configure Config Rules input permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "config:DescribeConfigRules",
        "config:DescribeConfigRuleEvaluationStatus",
        "config:GetComplianceDetailsByConfigRule",
        "config:GetComplianceSummaryByConfigRule"
      ],
      "Resource": "*"
    }
  ]
}
```
For more information and sample policies, see http://docs.aws.amazon.com/config/latest/developerguide/example-policies.html.
When you configure a Config Rules input, do not select more than 25 config rules per region. Selecting more than 25 config rules during input configuration results in no data collection.
Configure a Config Rules input using Splunk Web
To configure inputs using Splunk Web:
- Click Splunk Add-on for AWS in the left navigation bar on Splunk Web home.
- Click Create New Input > Config Rules.
- Fill out the fields as described in the table:
Argument in configuration file | Field in Splunk Web | Description
---|---|---
aws_account | AWS Account | The AWS account or EC2 IAM role the Splunk platform uses to access your Config Rules data. In Splunk Web, select an account from the drop-down list.
region | Region | The AWS region that contains the Config Rules. See the AWS documentation for more information.
rule_names | Config Rules | Config Rules names in a comma-separated list. Leave blank to collect all rules.
sourcetype | Source Type | A source type for the events. Enter a value only if you want to override the default of aws:config:rule. Event extraction relies on the default value of source type. If you change the default value, you must update props.conf as well.
index | Index | The index name where the Splunk platform puts the Config Rules data. The default is main.
polling_interval | Polling Interval | The data collection interval, in seconds. The default is 300 seconds.
Configure a Config Rules input using configuration files
To configure the input using configuration files, create `$SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_config_rule_tasks.conf` using the following template:
```ini
[<name>]
account = <value>
region = <value>
rule_names = <value>
sourcetype = <value>
polling_interval = <value>
index = <value>
```
Here is an example stanza that collects Config Rules data for just two rules:
```ini
[splunkapp2:us-east-1]
account = splunkapp2
region = us-east-1
rule_names = required-tags,restricted-common-ports
sourcetype = aws:config:rule
polling_interval = 300
index = aws
```
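Two things on this page are easy to get wrong silently: an inline policy that grants more than the four read-only actions the input needs, and a stanza that selects more than 25 rules, which collects nothing rather than failing loudly. The following added example (not part of the Splunk add-on; the function names, the sample policy's extra `config:*` statement and the 26-rule stanza are constructed here) lints both the permissions section's policy and the `aws_config_rule_tasks.conf` stanzas before they are deployed.

```python
# Added example, not Splunk add-on code: lint the inline IAM policy and the
# aws_config_rule_tasks.conf stanzas described on this page.
import configparser
import json

REQUIRED_ACTIONS = {
    "config:DescribeConfigRules",
    "config:DescribeConfigRuleEvaluationStatus",
    "config:GetComplianceDetailsByConfigRule",
    "config:GetComplianceSummaryByConfigRule",
}
MAX_RULES_PER_INPUT = 25  # past this limit the add-on collects nothing at all

def check_policy(policy_json: str) -> list[str]:
    """Findings for a policy that grants more or less than the input needs."""
    granted, findings = set(), []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action.endswith("*"):  # config:* or * defeats least privilege
                findings.append(f"wildcard action {action}")
            else:
                granted.add(action)
    findings += [f"missing action {a}" for a in sorted(REQUIRED_ACTIONS - granted)]
    findings += [f"unneeded action {a}" for a in sorted(granted - REQUIRED_ACTIONS)]
    return findings

def check_tasks_conf(conf_text: str) -> dict[str, list[str]]:
    """Findings per stanza: flag any rule_names list longer than the limit."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for stanza in cp.sections():
        # a blank rule_names means "collect all rules", which the add-on allows
        rules = [r for r in cp.get(stanza, "rule_names", fallback="").split(",") if r.strip()]
        report[stanza] = ([f"{len(rules)} rules selected, limit is {MAX_RULES_PER_INPUT}"]
                          if len(rules) > MAX_RULES_PER_INPUT else [])
    return report

# Constructed samples: the page's policy plus an over-broad statement, and the
# page's stanza plus a stanza that selects 26 rules.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"},
    {"Effect": "Allow", "Action": "config:*", "Resource": "*"}]})
SAMPLE_CONF = ("[splunkapp2:us-east-1]\naccount = splunkapp2\nregion = us-east-1\n"
               "rule_names = required-tags,restricted-common-ports\nindex = aws\n"
               "[toomany:eu-west-1]\naccount = splunkapp2\nregion = eu-west-1\n"
               "rule_names = " + ",".join(f"rule-{i}" for i in range(26)) + "\n")
```

Running `check_policy(SAMPLE_POLICY)` reports only the wildcard statement, and `check_tasks_conf(SAMPLE_CONF)` flags the 26-rule stanza while passing the page's two-rule stanza.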