Configure Metadata inputs for the Splunk Add-on for AWS¶
The Description input was deprecated in version 6.2.0 of the Splunk Add-on for AWS and the Metadata input was added as its replacement. To continue collecting the data that the Description input gathered, move your workloads to the Metadata input.
Complete the steps to configure Metadata inputs for the Splunk Add-on for Amazon Web Services (AWS):
- You must manage accounts for the add-on as a prerequisite. See Manage accounts for the Splunk Add-on for AWS.
- Configure AWS services for the Metadata input.
- Configure AWS permissions for the Metadata input.
- Configure Metadata inputs either through Splunk Web or configuration files.
Configure Metadata permissions¶
The following APIs are supported only in the US East (N. Virginia) (us-east-1) region:
- wafv2_list_available_managed_rule_group_versions_cloudfront
- wafv2_list_logging_configurations_cloudfront
- wafv2_list_ip_sets_cloudfront
Amazon CloudFront¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["cloudfront:ListDistributions"],
"Resource": [
"*"
]
}
]
}
Amazon Elastic Compute Cloud (Amazon EC2)¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeReservedInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeRegions",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVolumes",
"ec2:DescribeImages",
"ec2:DescribeAddresses",
"rds:DescribeDBInstances",
"rds:DescribeReservedDBInstances"
],
"Resource": [
"*"
]
}
]
}
Amazon Elastic Kubernetes Service (Amazon EKS)¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:ListClusters",
"eks:DescribeCluster",
"eks:ListNodegroups",
"eks:DescribeNodegroup",
"eks:ListAddons",
"eks:DescribeAddon",
"eks:ListFargateProfiles",
"eks:ListIdentityProviderConfigs",
"eks:DescribeIdentityProviderConfig",
"eks:DescribeAddonVersions",
"eks:ListUpdates",
"eks:DescribeUpdate",
"eks:ListTagsForResource",
"tag:GetResources"
],
"Resource": [
"*"
]
}
]
}
Amazon Elastic Load Balancer (ELB)¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeListeners"
],
"Resource": [
"*"
]
}
]
}
Amazon EMR (previously called Amazon Elastic MapReduce)¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeReleaseLabel",
"elasticmapreduce:DescribeStep",
"elasticmapreduce:ListInstances",
"elasticmapreduce:ListInstanceFleets",
"elasticmapreduce:DescribeNotebookExecution",
"elasticmapreduce:DescribeStudio",
"elasticmapreduce:DescribeSecurityConfiguration",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListStudios",
"elasticmapreduce:ListSecurityConfigurations",
"elasticmapreduce:ListReleaseLabels",
"elasticmapreduce:ListNotebookExecutions",
"elasticmapreduce:ListSteps"
],
"Resource": [
"*"
]
}
]
}
Amazon ElastiCache¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheEngineVersions",
"elasticache:DescribeCacheParameterGroups",
"elasticache:DescribeCacheParameters",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeEngineDefaultParameters",
"elasticache:DescribeEvents",
"elasticache:DescribeGlobalReplicationGroups",
"elasticache:DescribeReplicationGroups",
"elasticache:DescribeReservedCacheNodesOfferings",
"elasticache:DescribeServiceUpdates",
"elasticache:DescribeSnapshots",
"elasticache:DescribeUpdateActions",
"elasticache:DescribeUserGroups",
"elasticache:DescribeUsers",
"elasticache:DescribeReservedCacheNodes",
"elasticache:ListTagsForResource",
"tag:GetResources"
],
"Resource": [
"*"
]
}
]
}
Amazon API Gateway¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVpnGateways",
"ec2:DescribeInternetGateways",
"ec2:DescribeCustomerGateways",
"ec2:DescribeNatGateways",
"ec2:DescribeLocalGateways",
"ec2:DescribeCarrierGateways",
"ec2:DescribeTransitGateways"
],
"Resource": [
"*"
]
}
]
}
Amazon GuardDuty¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"guardduty:ListDetectors",
"guardduty:DescribePublishingDestination",
"tag:GetResources",
"guardduty:ListPublishingDestinations"
],
"Resource": [
"*"
]
}
]
}
AWS Identity and Access Management (IAM)¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListServerCertificates",
"iam:ListRolePolicies",
"iam:ListMFADevices",
"iam:ListSigningCertificates",
"iam:ListSSHPublicKeys",
"iam:GetUser",
"iam:ListUsers",
"iam:GetAccountPasswordPolicy",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:ListPolicies",
"iam:GetPolicyVersion",
"iam:ListUserPolicies",
"iam:ListAttachedUserPolicies",
"iam:ListRoles",
"iam:GetAccountAuthorizationDetails"
],
"Resource": [
"*"
]
}
]
}
Amazon Kinesis Data Firehose¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:ListStreams",
"kinesis:ListShards",
"kinesis:ListStreamConsumers",
"kinesis:DescribeStreamConsumer",
"kinesis:DescribeLimits",
"firehose:ListDeliveryStreams",
"firehose:DescribeDeliveryStream",
"kinesis:DescribeStreamSummary",
"tag:GetResources"
],
"Resource": [
"*"
]
}
]
}
AWS Lambda¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:ListFunctions"
],
"Resource": [
"*"
]
}
]
}
AWS Network Firewall¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"network-firewall:ListFirewalls",
"network-firewall:DescribeFirewall",
"network-firewall:DescribeLoggingConfiguration",
"network-firewall:ListFirewallPolicies",
"network-firewall:DescribeFirewallPolicy",
"network-firewall:ListRuleGroups",
"network-firewall:DescribeRuleGroup",
"network-firewall:ListTagsForResource",
"network-firewall:DescribeResourcePolicy",
"logs:ListLogDeliveries",
"logs:GetLogDelivery",
"tag:GetResources"
],
"Resource": [
"*"
]
}
]
}
Amazon Route 53¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:ListHealthChecks",
"route53:ListHostedZones",
"route53:ListHostedZonesByVPC",
"route53:ListReusableDelegationSets",
"route53:ListQueryLoggingConfigs",
"route53:ListTrafficPolicies",
"route53:ListTrafficPolicyVersions",
"route53:ListTrafficPolicyInstances",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"tag:GetResources",
"ec2:DescribeRegions",
"ec2:DescribeVpcs"
],
"Resource": [
"*"
]
}
]
}
AWS WAF¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"waf:ListRules",
"waf:ListRuleGroups",
"waf:ListGeoMatchSets",
"waf:ListByteMatchSets",
"waf:ListActivatedRulesInRuleGroup",
"waf:ListRegexMatchSets",
"waf:ListRegexPatternSets",
"waf:ListIPSets",
"waf:ListRateBasedRules",
"waf:ListLoggingConfigurations",
"waf:ListWebACLs",
"waf:ListSizeConstraintSets",
"waf:ListXssMatchSets",
"waf:ListSqlInjectionMatchSets",
"waf:ListTagsForResource",
"tag:GetResources"
],
"Resource": [
"*"
]
}
]
}
AWS WAFv2¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"wafv2:ListAvailableManagedRuleGroupVersions",
"wafv2:ListLoggingConfigurations",
"wafv2:ListIPSets",
"wafv2:ListTagsForResource",
"tag:GetResources",
"wafv2:ListAvailableManagedRuleGroups"
],
"Resource": [
"*"
]
}
]
}
Amazon S3¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetAccelerateConfiguration",
"s3:GetBucketCORS",
"s3:GetLifecycleConfiguration",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketTagging"
],
"Resource": [
"*"
]
}
]
}
Amazon Virtual Private Cloud (Amazon VPC)¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkAcls",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs"
],
"Resource": [
"*"
]
}
]
}
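Before attaching these documents, a practitioner usually wants proof that the combined grant is still read-only. The following Python is an added check, not code from the Splunk documentation or the add-on: it merges per-service policy documents into one policy, deduplicates the actions, rejects any action that is not a List, Describe or Get call or that contains a wildcard, and fails on malformed JSON (a stray trailing comma, for instance). The two embedded documents are constructed copies of the CloudFront and Lambda policies above.

```python
import json
import re

# Constructed copies of two of the per-service documents shown on this page.
CLOUDFRONT_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["cloudfront:ListDistributions"], "Resource": ["*"]}]
}"""
LAMBDA_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["lambda:ListFunctions"], "Resource": ["*"]}]
}"""

# Metadata collection only needs read verbs; anything else is a red flag.
READ_ONLY_VERB = re.compile(r"^[a-z0-9-]+:(List|Describe|Get)[A-Za-z]*$")


def collect_actions(policy_json):
    """Return the set of Allow actions in one policy document; raises ValueError on bad JSON."""
    doc = json.loads(policy_json)  # a trailing comma or unbalanced bracket fails here
    actions = set()
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"]
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def non_read_only(actions):
    """Actions that are not List/Describe/Get calls, or that contain a wildcard."""
    return sorted(a for a in actions if "*" in a or not READ_ONLY_VERB.match(a))


def merge_policies(policy_jsons):
    """Merge per-service documents into one read-only policy with deduplicated actions.
    Raises ValueError if any action would grant more than read access."""
    actions = set()
    for policy in policy_jsons:
        actions |= collect_actions(policy)
    bad = non_read_only(actions)
    if bad:
        raise ValueError(f"non read-only actions found: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


if __name__ == "__main__":
    print(json.dumps(merge_policies([CLOUDFRONT_POLICY, LAMBDA_POLICY]), indent=2))
```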
Configure a Metadata input using Splunk Web¶
To configure inputs in Splunk Web:
- Click Splunk Add-on for AWS in the navigation bar on Splunk Web home.
- Click Create New Input > Metadata.
- Fill out the fields as described in the following table:
Argument in configuration file | Field in Splunk Web | Description |
---|---|---|
account | AWS Account | The AWS account or EC2 IAM role the Splunk platform uses to access your Metadata data. In Splunk Web, select an account from the drop-down list. In aws_metadata_tasks.conf, enter the friendly name of one of the AWS accounts that you configured on the Configuration page or the name of the automatically discovered EC2 IAM role. |
regions | AWS Regions | The AWS regions for which you are collecting Metadata data. In Splunk Web, select one or more regions from the drop-down list. In aws_metadata_tasks.conf, enter one or more valid AWS region IDs, separated by commas. See AWS service endpoints. |
apis | APIs/Interval (seconds) | The APIs you want to collect data from, and an interval for each API, in the format <api name>/<api interval in seconds>,<api name>/<api interval in seconds>. The default value in Splunk Web is ec2_volumes/3600,ec2_instances/3600,ec2_reserved_instances/3600,ebs_snapshots/3600,elastic_load_balancers/3600,vpcs/3600,vpc_network_acls/3600,cloudfront_distributions/3600,vpc_subnets/3600,rds_instances/3600,ec2_key_pairs/3600,ec2_security_groups/3600. This value collects from all of the APIs supported in this release. Set your intervals to 3,600 seconds (1 hour) or longer to avoid rate limiting errors. |
aws_iam_role | Assume Role | The IAM role to assume. See Manage accounts for the Splunk Add-on for AWS. |
sourcetype | Source type | A source type for the events. Enter aws:metadata. |
index | Index | The index name where the Splunk platform puts the Metadata data. The default is main. |
retry_max_attempts | Retry Max Attempts | The maximum number of times a request is retried when its response is an error. |
Configure a Metadata input using configuration files¶
To configure a Metadata input using configuration files, create $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_metadata_tasks.conf using the following template:
[<name>]
account = <value>
regions = <values split by commas>
apis = <value>
aws_iam_role = <value>
sourcetype = <value>
index = <value>
retry_max_attempts = <value>
Here is an example stanza that collects metadata data from all supported APIs:
[desc:splunkapp2]
account = splunkapp2
regions = us-west-2
apis = ec2_volumes/3600, ec2_instances/3600, ec2_reserved_instances/3600, ebs_snapshots/3600, classic_load_balancers/3600, application_load_balancers/3600, vpcs/3600, vpc_network_acls/3600, cloudfront_distributions/3600, vpc_subnets/3600, rds_instances/3600, ec2_key_pairs/3600, ec2_security_groups/3600, ec2_images/3600, ec2_addresses/3600, lambda_functions/3600, s3_buckets/3600, iam_users/3600, iam_list_policies/3600
aws_iam_role = iam_users
sourcetype = aws:metadata
index = default
retry_max_attempts = 5
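A stanza that is syntactically fine can still be misconfigured: a missing key silently disables collection, and an interval under 3,600 seconds invites the rate limiting errors the table warns about. The following Python is an added pre-deployment check, not part of the Splunk documentation or the add-on: it parses aws_metadata_tasks.conf stanzas, splits the apis value into API/interval pairs, and reports missing required keys, a wrong sourcetype and any interval below one hour. The embedded conf text is a constructed copy of the example stanza above plus a second, deliberately too-fast stanza.

```python
import configparser

# Constructed sample: the page's example stanza and one stanza with a short interval.
SAMPLE_CONF = """
[desc:splunkapp2]
account = splunkapp2
regions = us-west-2
apis = ec2_volumes/3600, ec2_instances/3600, lambda_functions/3600, iam_users/3600
aws_iam_role = iam_users
sourcetype = aws:metadata
index = default
retry_max_attempts = 5

[desc:too-fast]
account = splunkapp2
regions = us-west-2, us-east-1
apis = ec2_instances/600, s3_buckets/3600
sourcetype = aws:metadata
index = main
"""

MIN_INTERVAL = 3600  # the page's guidance: one hour or longer to avoid rate limiting
REQUIRED_KEYS = ("account", "regions", "apis", "sourcetype", "index")


def parse_apis(value):
    """Parse '<api>/<seconds>, <api>/<seconds>' into a dict of api name -> interval."""
    apis = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, interval = item.partition("/")
        if not name.strip() or not interval.strip().isdigit():
            raise ValueError(f"malformed apis entry: {item!r}")
        apis[name.strip()] = int(interval)
    return apis


def check_conf(text):
    """Return {stanza: [problems]} for every Metadata stanza in the conf text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report = {}
    for stanza in cfg.sections():
        problems = [f"missing {k}" for k in REQUIRED_KEYS if not cfg.get(stanza, k, fallback="").strip()]
        if cfg.get(stanza, "sourcetype", fallback="") != "aws:metadata":
            problems.append("sourcetype should be aws:metadata")
        for api, interval in parse_apis(cfg.get(stanza, "apis", fallback="")).items():
            if interval < MIN_INTERVAL:
                problems.append(f"{api} interval {interval}s is below {MIN_INTERVAL}s")
        report[stanza] = problems
    return report


if __name__ == "__main__":
    for stanza, problems in check_conf(SAMPLE_CONF).items():
        print(stanza, problems or "ok")
```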