Configuring AWS S3 to Send Avanan Logs to Splunk

  1. Go to AWS IAM: https://console.aws.amazon.com/iam/home#/home.
    Note:
    To limit Avanan's access to your AWS S3 bucket, you have to create a new user, group, policy, and role to use.
  2. Create a new user.
    1. Click Users > Add User.
    2. Select a name, enable Programmatic access, and click Next: Permissions.
    3. Click Create group or select the group if already created.
    4. In the policy editor that opens in a new tab, click the JSON tab and paste the following policy:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:ListBucket",
              "s3:GetObject",
              "s3:ListAllMyBuckets",
              "s3:GetBucketLocation",
              "kms:Decrypt"
            ],
            "Resource": "*"
          }
        ]
      }
    5. Click Review policy, enter a policy name, and click Create policy.
    6. Go back to the previous tab and click Refresh.
    7. Select the policy created, give a group name and click Create group.
    8. Go back to the Add user screen, confirm that the group you just created is selected and click Next: Tags.
    9. Add the necessary Tags (in accordance with your environment directives) and click Next: Review.
    10. Confirm all the configurations and click Create user.
      Note:
      Download the CSV file or copy the Access Key and Secret access key to a safe location. This information won't be available again.
    11. Click Close.
  3. Click Roles > Create Role.
  4. Select Another AWS Account.
  5. Enter the 12-digit ID of your AWS account and click Next: Permissions.
    Note:
    To find the 12-digit account ID, open the user you created in another browser tab; the ID is part of the user's ARN.
  6. Select the policy created, and click Next: Tags.
  7. Add the necessary Tags (in accordance with your environment directives) and click Next: Review.
  8. Select a role name and click Create Role.
  9. Search for the role you created and click on its name.
  10. Copy the Role ARN.
  11. Open Splunk and install the Splunk Add-on for Amazon Web Services, if not already installed.
  12. Open Splunk Add-on for AWS.
  13. Click Configuration > Account > Add and enter the Key ID and Secret Key generated when the user was created and click Add.
  14. Click IAM Role > Add and enter the Role ARN.
  15. Click Inputs > Create New Input > Custom Data Type > Generic S3.
  16. Enter a name for the input, select the AWS Account and the Assume Role you configured above, select the S3 bucket to which Avanan uploads the logs, and set a start date/time.
  17. Under Advanced Settings, set the Polling Interval to 900 s (15 minutes).
    Note:
    By default, Avanan uploads the logs before the polling interval elapses if they reach 5 MB.
  18. Click Save.

    Splunk now reads the logs from the S3 bucket as Avanan uploads them.
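The policy in step 2.4 grants every action on "Resource": "*", which is broader than the stated goal of limiting Avanan's access to one bucket. The following Python script is an added example, not part of the original procedure or of Avanan's or Splunk's own code: it builds the same set of actions scoped to a single log bucket and KMS key, builds the role trust policy that steps 4 and 5 create in the console, and includes a small checker that flags Allow statements granting resource-specific actions on "*". The bucket name, KMS key ARN and account ID are constructed placeholders; replace them with your own values.

```python
import json

# Constructed placeholders: replace with your own bucket, KMS key ARN and account ID.
BUCKET = "example-avanan-logs-bucket"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
ACCOUNT_ID = "111122223333"

# The policy exactly as given in step 2.4 above, kept here for comparison.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:ListAllMyBuckets",
                       "s3:GetBucketLocation", "kms:Decrypt"],
            "Resource": "*",
        }
    ],
}


def scoped_policy(bucket: str, kms_key_arn: str) -> dict:
    """Same actions as the page's policy, each limited to the resource it needs.
    Only s3:ListAllMyBuckets stays on "*": that action is not resource-specific,
    and the Splunk add-on uses it to populate its bucket picker."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBuckets", "Effect": "Allow",
             "Action": "s3:ListAllMyBuckets", "Resource": "*"},
            {"Sid": "ReadLogBucketMetadata", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "ReadLogObjects", "Effect": "Allow",
             "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Sid": "DecryptLogObjects", "Effect": "Allow",
             "Action": "kms:Decrypt", "Resource": kms_key_arn},
        ],
    }


def trust_policy(account_id: str) -> dict:
    """Trust policy equivalent to choosing 'Another AWS Account' (step 4) and
    entering the 12-digit account ID (step 5): principals in that account,
    such as the user created in step 2, may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "sts:AssumeRole"}
        ],
    }


def wildcard_findings(policy: dict) -> list:
    """Return (Sid, action) pairs for every Allow statement that grants a
    resource-specific action on Resource "*". Actions that only work with "*"
    (here s3:ListAllMyBuckets) are exempt."""
    resource_free = {"s3:ListAllMyBuckets"}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "*" not in resources:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action not in resource_free:
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


if __name__ == "__main__":
    print("Wildcard findings, page policy:", wildcard_findings(PAGE_POLICY))
    scoped = scoped_policy(BUCKET, KMS_KEY_ARN)
    print("Wildcard findings, scoped policy:", wildcard_findings(scoped))
    print(json.dumps(scoped, indent=2))
    print(json.dumps(trust_policy(ACCOUNT_ID), indent=2))
```

Paste the printed scoped policy in place of the one in step 2.4; the rest of the procedure is unchanged. If the bucket is encrypted with a customer-managed KMS key, the key's own key policy must also allow the user or role to decrypt, since an identity policy alone is not sufficient for KMS.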