Create an IAM role and assign it to your AWS account

To configure AWS accounts and permissions, you must have administrator rights in the AWS Management Console. If you do not have administrator access, work with your AWS admin to set up the accounts with the required permissions.

  • To let the Splunk Add-on for Amazon Web Services access the data in your AWS account, you assign an IAM role to one or more AWS accounts. You then grant those roles the permissions that the add-on requires in each AWS account.
  • If you run this add-on on a Splunk platform instance in your own managed Amazon Elastic Compute Cloud (EC2), then assign that EC2 instance a role (through an instance profile) and give that role the IAM permissions listed here.

Manage IAM policies

There are three ways to manage policies for your IAM roles:

  • Use the AWS Policy Generator tool to collect all permissions into one centrally managed policy. You can apply the policy to the IAM group that is used by the user accounts or the EC2 instances that the Splunk Add-on for AWS uses to connect to your AWS environment.
  • Create multiple different users, groups, and roles with permissions specific to the services from which you plan to collect data.
  • Copy and paste the sample policies provided on this page and apply them to an IAM Group as custom inline policies. To further specify the resources to which the policy grants access, replace the wildcards with the exact Amazon Resource Names (ARNs) of the resources in your environment.

For more information about working with inline policies, see https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html in the AWS documentation.

Create and configure roles to delegate permissions to IAM users

The Splunk Add-on for AWS supports the AWS Security Token Service (AWS STS) AssumeRole API action that lets you use IAM roles to delegate permissions to IAM users to access AWS resources.

The AssumeRole API returns a set of temporary security credentials consisting of an access key ID, a secret access key, and a security token that an AWS account can use to access AWS resources that it might not normally have access to.

To assume a role, your AWS account must be trusted by that role. The trust relationship is defined in the role’s trust policy when that role is created. That trust policy states which principals (users or accounts) are allowed to assume this account’s role.

To access the role, you must also have permissions delegated from the role’s administrator. If you are in a different account, then your administrator must attach a policy to the user that allows calling AssumeRole on the ARN of the role in the other account. If you are in the same account as the role, then you can either attach the same kind of policy to the user as in the cross-account case, or add the user as a principal directly in the role’s trust policy.

To create an IAM role, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html in the AWS documentation.

After creating the role, use the AWS Management Console to modify the trust relationship to allow the IAM user to assume the newly created role. The following example shows a trust relationship that allows a role to be assumed by an IAM user named johndoe:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/johndoe"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Next, grant your IAM user permission to assume the role. The following example shows an AWS IAM policy that allows an IAM user to assume the s3admin role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::123456789012:role/s3admin"
        }
    ]
}
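Both documents above must agree before AssumeRole succeeds: the role's trust policy must name the user, and the user's identity policy must grant sts:AssumeRole on the role ARN. The following added example (not Splunk's or AWS's code) loads constructed copies of the two sample policies, evaluates both halves of that delegation offline, honours explicit Deny statements, and flags trust statements that use the "*" principal, which the advice above to replace wildcards with exact ARNs is meant to avoid. It is a deliberately simplified evaluator: it assumes only Effect, Action, Resource and Principal.AWS matter and ignores Condition blocks, resource policies and permission boundaries.

```python
import json
from fnmatch import fnmatchcase
# Constructed sample documents that mirror the two policies shown on this page.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "",
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/johndoe"},
  "Action": "sts:AssumeRole"}]}""")
USER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::123456789012:role/s3admin"}]}""")

def _as_list(value):
    # Action, Resource and Principal.AWS may each be a single string or a list.
    return value if isinstance(value, list) else [value]

def _action_hit(statement, action="sts:AssumeRole"):
    # IAM wildcards are '*' and '?'; action names compare case-insensitively.
    return any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(statement.get("Action", [])))

def _principals(statement):
    # A bare "*" principal means every AWS principal, not just those in this account.
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))

def trust_policy_allows(trust_policy, principal_arn):
    """Does the role's trust policy let principal_arn call sts:AssumeRole?"""
    allowed = False
    for st in _as_list(trust_policy["Statement"]):
        if _action_hit(st) and any(p in ("*", principal_arn) for p in _principals(st)):
            if st.get("Effect") == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed

def user_policy_allows(policy, role_arn):
    """Does the user's identity policy grant sts:AssumeRole on role_arn?"""
    allowed = False
    for st in _as_list(policy["Statement"]):
        if _action_hit(st) and any(fnmatchcase(role_arn, r) for r in _as_list(st.get("Resource", []))):
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def can_assume(trust_policy, user_policy, principal_arn, role_arn):
    """Both halves must agree: the role trusts the user AND the user may call AssumeRole on it."""
    return trust_policy_allows(trust_policy, principal_arn) and user_policy_allows(user_policy, role_arn)

def open_trust_statements(trust_policy):
    """Allow statements whose principal is '*': any AWS account could try to assume the role."""
    return [st for st in _as_list(trust_policy["Statement"])
            if st.get("Effect") == "Allow" and "*" in _principals(st)]
```

Run `open_trust_statements` against every role's trust policy you export; a non-empty result is a role that trusts the whole of AWS rather than the specific principals this page tells you to name.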