Current application: Splunk Add-on for AWS, version 6.2.0, build 1658820915

Simple architecture: the process expected by the Splunk Add-on for AWS is as below.

1. Enable CloudTrail logging to an S3 bucket and enable an SNS topic for the trail.

2. Create a standard SQS queue. (This queue will be used as the dead-letter queue when creating the SQS queue in step 3.)

3. Create a standard SQS queue with the configuration below. Make sure your SQS queue has the same configuration as below (except the name, because your queue will have a different name).

DLQ configuration for the SQS queue created in step 3: choose the queue created in step 2.

After creating the queue in step 3, open it and subscribe it to the SNS topic.

Modify the access policy of the SQS queue created in step 3:

{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": "*",
"Action": "SQS:*",
"Resource": "<arn:aws:sqs:us-east-1:000000000000:this-sqs-queue>",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "<arn:aws:sns:us-east-1:000000000000:your-sns-topic>"
}
}
}
]
}

4. The SNS topic enabled above will be subscribed to by the SQS queue. Below is the SNS access policy; the easiest way to get this policy created is to create the SNS topic while enabling SNS in the CloudTrail log setup.

{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:GetTopicAttributes",
"SNS:SetTopicAttributes",
"SNS:AddPermission",
"SNS:RemovePermission",
"SNS:DeleteTopic",
"SNS:Subscribe",
"SNS:ListSubscriptionsByTopic",
"SNS:Publish"
],
"Resource": "<arn:aws:sns:us-east-1:0000000000:sns-topic>",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "<account_id>"
}
}
},
{
"Sid": "AWSCloudTrailSNSPolicy20150319",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "SNS:Publish",
"Resource": "<arn:aws:sns:us-east-1:0000000000:sns-topic>",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "<arn:aws:cloudtrail:us-east-1:0000000000:trail/cloudtrail-events>"
}
}
}
]
}

5. Create an IAM policy using the below (permissions added based on my best knowledge and keeping least privilege in mind). Note: don't forget to change the SQS and S3 ARNs.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sqs:ListQueues",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"sqs:ReceiveMessage",
"s3:GetBucketLogging",
"sqs:SendMessage",
"sqs:GetQueueAttributes",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetObject",
"s3:GetBucketCORS",
"s3:GetBucketLocation"
],
"Resource": [
"<arn:aws:sqs:us-east-1:00000000:sqs-name>",
"<arn:aws:s3:::bucket_name>",
"<arn:aws:s3:::bucket_name/*>"
]
}
]
}

6. Create a new role and choose the above IAM policy while creating it.

7. Create a user.

8. In the role's trust relationships, add the below policy to allow the user to assume this role.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "<arn:aws:iam::00000000000:user/created_in_step7>"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}

Note: don't try to copy and paste the above policies. Some characters will not be copied properly, especially in the IAM policy where it gives S3 permission to the resource object "bucket_arn/*".
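A small policy audit in Python, added here as an example and not part of the original post or of the Splunk add-on, run over constructed copies of the SQS queue policy from step 3 and the IAM policy from step 5 (the <...> placeholders filled with a fake account id). It flags '*' principals that lack a SourceArn/SourceOwner/SourceAccount condition, wildcard actions granted to a '*' principal (the queue policy above uses SQS:* where SNS delivery needs only sqs:SendMessage), and Resource "*" statements that carry anything beyond the two account-wide list calls.

```python
import json

# Constructed samples modelled on the post's SQS queue policy and IAM policy, with the
# <...> placeholders replaced by a fake account id (assumption: not real ARNs).
SQS_POLICY = json.loads("""{"Version": "2008-10-17", "Statement": [{
  "Sid": "__owner_statement", "Effect": "Allow", "Principal": "*", "Action": "SQS:*",
  "Resource": "arn:aws:sqs:us-east-1:000000000000:this-sqs-queue",
  "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:000000000000:your-sns-topic"}}
}]}""")
IAM_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
   "Action": ["sqs:ListQueues", "s3:ListAllMyBuckets"]},
  {"Sid": "VisualEditor1", "Effect": "Allow",
   "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:sqs:us-east-1:000000000000:sqs-name", "arn:aws:s3:::bucket_name",
                "arn:aws:s3:::bucket_name/*"]}
]}""")

# Condition keys that tie a '*' principal to one AWS source (the SNS topic or the account).
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceowner"}
# Account-wide list calls are the only actions in the post that need Resource "*".
LIST_ONLY = {"sqs:listqueues", "s3:listallmybuckets"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_wildcard(p):
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))


def audit_policy(policy):
    """Return findings for Allow statements broader than the CloudTrail -> SNS -> SQS flow needs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if _principal_is_wildcard(stmt.get("Principal")):
            if not cond_keys & SCOPING_KEYS:
                findings.append(f"{sid}: Principal '*' without a source-scoping Condition")
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"{sid}: wildcard Action for '*' principal; SNS only needs sqs:SendMessage")
        if "*" in _as_list(stmt.get("Resource", [])) and not actions <= LIST_ONLY:
            findings.append(f"{sid}: Resource '*' with non-list actions {sorted(actions - LIST_ONLY)}")
    return findings
```

Run against the two samples, the IAM policy comes back clean and the queue policy yields one finding for its SQS:* action; dropping the Condition from the queue policy yields a second.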