Configuring AWS S3 to Send Avanan Logs to Splunk
- Go to AWS IAM: https://console.aws.amazon.com/iam/home#/home.
Note: To limit Avanan's access to your AWS S3 bucket, you have to create a new user, group, policy, and role to use.
- Create a new user.
- Click Users > Add User.
- Select a name, enable Programmatic access, and click Next: Permissions.
- Click Create group or select the group if already created.
- On the new tab, click JSON and copy this over.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
- Click Review Policy, select the policy name and click Create Policy.
- Go back to the previous tab and click Refresh.
- Select the policy created, give a group name and click Create group.
- Go back to the Add user screen, confirm that the group you just created is selected and click Next: Tags.
- Add the necessary Tags (in accordance with your environment directives) and click Next: Review.
- Confirm all the configurations and click Create user.
Note: Download the CSV file or copy the Access Key and Secret access key to a safe location. This information won't be available again.
- Click Close.
- Click Users > Add User.
- Click Roles > Create Role.
- Select Another AWS Account.
- Insert the 12-digit number of your account and click Next: Permissions.
Note: To find the 12-digit number, open the user on another screen.
- Select the policy created, and click Next: Tags.
- Add the necessary Tags (in accordance with your environment directives) and click Next: Review.
- Select a role name and click Create Role.
- Search for the role you created and click on its name.
- Copy the Role ARN.
- Open Splunk and install the Splunk Add-on for Amazon Web Services, if not already installed.
- Open Splunk Add-on for AWS.
- Click Configuration > Account > Add, enter the Key ID and Secret Key generated when the user was created, and click Add.
- Click IAM Role > Add and enter the Role ARN.
- Click Inputs > Create New Input > Custom Data Type > Generic S3.
- Select a name for the input, the AWS Account and the Assume Role you configured above, the S3 bucket to which Avanan uploads the logs, and a start datetime.
- Under Advanced Settings, set the Polling Interval to 900 s (15 minutes).
Note: By default, Avanan uploads the logs even before the polling interval when they reach 5 MB.
- Click Save.
Now, Splunk reads the logs from the S3 bucket while Avanan uploads them to the S3 bucket.
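The policy pasted in the JSON step grants all five actions on "Resource": "*", so the grant is not limited to the bucket Avanan writes to. The Python sketch below is an added example, not part of the original procedure or of any Avanan or Splunk tooling: it flags the actions in that policy that could be resource-scoped and builds an equivalent policy restricted to one bucket and one KMS key. The bucket name, key ARN, account ID and the "aws" partition are placeholders, and it assumes the add-on needs no access beyond that bucket and key.

```python
import json

# Policy exactly as given in the policy-creation step of this page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:ListAllMyBuckets",
                   "s3:GetBucketLocation", "kms:Decrypt"],
        "Resource": "*",
    }],
}

# s3:ListAllMyBuckets is account-level and cannot be narrowed to one bucket.
ACCOUNT_WIDE = {"s3:ListAllMyBuckets"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_findings(policy):
    """Return sorted Allow actions granted on Resource "*" that could be scoped."""
    found = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        found.update(a for a in _as_list(stmt["Action"]) if a not in ACCOUNT_WIDE)
    return sorted(found)

def scoped_policy(bucket, kms_key_arn):
    """Same five actions, each limited to the one bucket or key it needs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"  # assumes the commercial "aws" partition
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": bucket_arn},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{bucket_arn}/*"},
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn},
        ],
    }

if __name__ == "__main__":
    # Placeholder bucket name and key ARN (constructed values); substitute your own.
    tight = scoped_policy("EXAMPLE-AVANAN-LOG-BUCKET",
                          "arn:aws:kms:REGION:111122223333:key/EXAMPLE-KEY-ID")
    print("page policy, scopable actions on '*':", wildcard_findings(PAGE_POLICY))
    print("scoped policy, scopable actions on '*':", wildcard_findings(tight))
    print(json.dumps(tight, indent=2))
```

The printed JSON can be pasted into the same JSON tab in place of the wildcard policy once the placeholders are replaced; drop the kms:Decrypt statement if the bucket is not encrypted with a KMS key.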