Skip to content

Configure Metadata inputs for the Splunk Add-on for AWS

The Description input was deprecated in version 6.2.0 of the Splunk Add-on for AWS. The Metadata input has been added as a replacement. To continue data collection for the Description input, move your workloads to the Metadata input.

Complete the steps to configure Metadata inputs for the Splunk Add-on for Amazon Web Services (AWS):

  1. You must manage accounts for the add-on as a prerequisite. See Manage accounts for the Splunk Add-on for AWS.
  2. Configure AWS services for the Metadata input.
  3. Configure AWS permissions for the Metadata input.
  4. Configure Metadata inputs either through Splunk Web or configuration files.

Configure Metadata permissions

The following listed APIs are only supported in the US East (N. Virginia) (us-east-1) region.

*wafv2_list_available_managed_rule_group_versions_cloudfront
*wafv2_list_logging_configurations_cloudfront
*wafv2_list_ip_sets_cloudfront
See the following sample inline policy to configure Metadata input permissions by service: ===Amazon CloudFront===

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["cloudfront:ListDistributions"],
            "Resource": [
                "*"
            ]
        }
    ]
}

Amazon Elastic Compute Cloud (Amazon EC2)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeSnapshots",
                "ec2:DescribeRegions",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVolumes",
                "ec2:DescribeImages",
                "ec2:DescribeAddresses",
                "rds:DescribeDBInstances",
                "rds:DescribeReservedDBInstances"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Amazon Elastic Kubernetes Service (Amazon EKS)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:ListClusters",
                "eks:DescribeCluster",
                "eks:ListNodegroups",
                "eks:DescribeNodegroup",
                "eks:ListAddons",
                "eks:DescribeAddon",
                "eks:ListFargateProfiles",
                "eks:ListIdentityProviderConfigs",
                "eks:DescribeIdentityProviderConfig",
                "eks:DescribeAddonVersions",
                "eks:ListUpdates",
                "eks:DescribeUpdate",
                "eks:ListTagsForResource",
                "tag:GetResources"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Amazon Elastic Load Balancer (ELB)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeListeners"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Amazon EMR (previously called Amazon Elastic MapReduce)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:DescribeReleaseLabel",
                "elasticmapreduce:DescribeStep",
                "elasticmapreduce:ListInstances",
                "elasticmapreduce:ListInstanceFleets",
                "elasticmapreduce:DescribeNotebookExecution",
                "elasticmapreduce:DescribeStudio",
                "elasticmapreduce:DescribeSecurityConfiguration",
                "elasticmapreduce:ListClusters",
                "elasticmapreduce:ListStudios",
                "elasticmapreduce:ListSecurityConfigurations",
                "elasticmapreduce:ListReleaseLabels",
                "elasticmapreduce:ListNotebookExecutions",
                "elasticmapreduce:ListSteps"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Amazon ElastiCache

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeCacheEngineVersions",
                "elasticache:DescribeCacheParameterGroups",
                "elasticache:DescribeCacheParameters",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:DescribeEngineDefaultParameters",
                "elasticache:DescribeEvents",
                "elasticache:DescribeGlobalReplicationGroups",
                "elasticache:DescribeReplicationGroups",
                "elasticache:DescribeReservedCacheNodesOfferings",
                "elasticache:DescribeServiceUpdates",
                "elasticache:DescribeSnapshots",
                "elasticache:DescribeUpdateActions",
                "elasticache:DescribeUserGroups",
                "elasticache:DescribeUsers",
                "elasticache:DescribeReservedCacheNodes",
                "elasticache:ListTagsForResource",
                "tag:GetResources"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Amazon API Gateway

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpnGateways",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeNatGateways",
                "ec2:DescribeLocalGateways",
                "ec2:DescribeCarrierGateways",
                "ec2:DescribeTransitGateways"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Amazon GuardDuty

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "guardduty:ListDetectors",
                "guardduty:DescribePublishingDestination",
                "tag:GetResources",
                "guardduty:ListPublishingDestinations"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

AWS Identity and Access Management (IAM)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListServerCertificates",
                "iam:ListRolePolicies",
                "iam:ListMFADevices",
                "iam:ListSigningCertificates",
                "iam:ListSSHPublicKeys",
                "iam:GetUser",
                "iam:ListUsers",
                "iam:GetAccountPasswordPolicy",
                "iam:ListAccessKeys",
                "iam:GetAccessKeyLastUsed",
                "iam:ListPolicies",
                "iam:GetPolicyVersion",
                "iam:ListUserPolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListRoles",
                "iam:GetAccountAuthorizationDetails"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Amazon Kinesis Data Firehose

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:ListStreams",
                "kinesis:ListShards",
                "kinesis:ListStreams",
                "kinesis:ListStreamConsumers",
                "kinesis:DescribeStreamConsumer",
                "kinesis:DescribeLimits",
                "firehose:ListDeliveryStreams",
                "firehose:DescribeDeliveryStream",
                "kinesis:DescribeStreamSummary",
                "tag:GetResources"
             ],
            "Resource": [
                "*"
            ]
        }
    ]
}

AWS Lambda

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

AWS Network Firewall

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "network-firewall:ListFirewalls",
                "network-firewall:DescribeFirewall",
                "network-firewall:DescribeLoggingConfiguration",
                "network-firewall:ListFirewallPolicies",
                "network-firewall:DescribeFirewallPolicy",
                "network-firewall:ListRuleGroups",
                "network-firewall:DescribeRuleGroup",
                "network-firewall:ListTagsForResource",
                "network-firewall:DescribeResourcePolicy",
                "logs:ListLogDeliveries",
                "logs:GetLogDelivery",
                "tag:GetResources"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Amazon Route 53

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByVPC",
                "route53:ListReusableDelegationSets",
                "route53:ListQueryLoggingConfigs",
                "route53:ListTrafficPolicies",
                "route53:ListTrafficPolicyVersions",
                "route53:ListTrafficPolicyInstances",
                "route53:ListResourceRecordSets",
                "route53:ListTagsForResource",
                "tag:GetResources",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

AWS WAF

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "waf:ListRules",
                "waf:ListRuleGroups",
                "waf:ListGeoMatchSets",
                "waf:ListByteMatchSets",
                "waf:ListActivatedRulesInRuleGroup",
                "waf:ListRegexMatchSets",
                "waf:ListRegexPatternSets",
                "waf:ListIPSets",
                "waf:ListRateBasedRules",
                "waf:ListLoggingConfigurations",
                "waf:ListWebACLs",
                "waf:ListSizeConstraintSets",
                "waf:ListXssMatchSets",
                "waf:ListSqlInjectionMatchSets",
                "waf:ListTagsForResource",
                "tag:GetResources"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

AWS WAFv2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "wafv2:ListAvailableManagedRuleGroupVersions",
                "wafv2:ListLoggingConfigurations",
                "wafv2:ListIPSets",
                "wafv2:ListTagsForResource",
                "tag:GetResources",
                "wafv2:ListAvailableManagedRuleGroups",
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Amazon S3

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketCORS",
                "s3:GetLifecycleConfiguration",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketTagging"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Amazon Virtual Private Cloud (Amazon VPC)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Configure a Metadata input using Splunk Web

To configure inputs in Splunk Web:

  1. Click Splunk Add-on for AWS in the navigation bar on Splunk Web home.
  2. Click Create New Input > Metadata.
  3. Fill out the fields as described in the following table:
Argument in configuration file Field in Splunk Web Description
account AWS Account The AWS account or EC2 IAM role the Splunk platform uses to access your Metadata data. In Splunk Web, select an account from the drop-down list. In aws_metadata_tasks.conf, enter the friendly name of one of the AWS accounts that you configured on the Configuration page or the name of the automatically discovered EC2 IAM role.
regions AWS Regions The AWS regions for which you are collecting Metadata data. In Splunk Web, select one or more regions from the drop-down list. In aws_metadata_tasks.conf, enter one or more valid AWS region IDs, separated by commas. See AWS service endpoints.
apis APIs/Interval (seconds) APIs you want to collect data from, and intervals for each API, in the format of <api name>/<api interval in seconds>,<api name>/<api interval in seconds>. The default value in Splunk Web is ec2_volumes/3600,ec2_instances/3600,ec2_reserved_instances/3600,ebs_snapshots/3600,elastic_load_balancers/3600,vpcs/3600,vpc_network_acls/3600,cloudfront_distributions/3600,vpc_subnets/3600,rds_instances/3600,ec2_key_pairs/3600,ec2_security_groups/3600. This value collects from all of the APIs supported in this release. Set your intervals to 3,600 seconds (1 hour) or longer to avoid rate limiting errors.
aws_iam_role Assume Role The IAM role to assume, see Manage accounts for the Splunk Add-on for AWS.
sourcetype Source type A source type for the events. Enter aws:metadata.
index Index The index name where the Splunk platform puts the Metadata data. The default is main.
retry_max_attempts Retry Max Attempts Specify the maximum number of retry attempts, if there is an error in the response of a request.

Configure a Metadata input using configuration files

To configure a Metadata input using configuration files, create $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_metadata_tasks.conf using the following template:

[<name>]
account = <value>
regions = <values split by commas>
apis = <value>
aws_iam_role = <value>
sourcetype = <value>
index = <value>
retry_max_attempts = <value>

Here is an example stanza that collects metadata data from all supported APIs:

[desc:splunkapp2]
account = splunkapp2
regions = us-west-2
apis = ec2_volumes/3600, ec2_instances/3600, ec2_reserved_instances/3600, ebs_snapshots/3600, classic_load_balancers/3600, application_load_balancers/3600, vpcs/3600, vpc_network_acls/3600, cloudfront_distributions/3600, vpc_subnets/3600, rds_instances/3600, ec2_key_pairs/3600, ec2_security_groups/3600, ec2_images/3600, ec2_addresses/3600, lambda_functions/3600, s3_buckets/3600, iam_users/3600, iam_list_policies/3600
aws_iam_role = iam_users
sourcetype = aws:metadata
index = default
retry_max_attempts = 5