I'm unable to set up an install of Splunk Enterprise (6.6.0) to read CloudTrail logs from an S3 bucket using the Splunk Add-on for Amazon Web Services. The CloudTrail logs are encrypted with KMS. The instance running Splunk has an instance role (named splunk), to which I have added the single policy defined here: https://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions#Configure_one_policy_containing_permissions_for_all_inputs
I also grant the role the ability to decrypt using the KMS key:
```json
{
    "Effect": "Allow",
    "Action": [
        "kms:Decrypt",
        "kms:ReEncryptFrom"
    ],
    "Resource": ""
}
```
When adding the AWS S3 input:
- I chose "splunk" as the AWS account. I assume this is the instance role, but it's odd that it shows under Account.
- Blank assume role
- Default S3 hostname of s3.amazonaws.com
- Specified my S3 bucket
- On the Settings tab chose CloudTrail as the log type, the rest default
- On the Templates tab I provided a prefix of "auditlog", as that is the prefix CloudTrail is configured to write with.
When I click "Create", it spins for a few seconds then reports an error of:
{"messages":[{"type":"ERROR","text":"Unexpected error \"\" from python handler: \"S3ResponseError: 403 Forbidden\n\". See splunkd.log for more details."}]}
I do have a VPC endpoint for S3 set up for the VPC, and it has the default policy to grant star dot star.
Anyone know what I am doing wrong? Any help appreciated, thanks.
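A 403 from S3 on a KMS-encrypted object can come from the identity policy, the key policy or the VPC endpoint policy, so it helps to check the identity policy statically before touching the add-on again. The following is an added example, not code from the Splunk add-on or from the question above: a small IAM-style evaluator that takes a policy document and reports which of the actions the S3 input needs (ListBucket and GetObject on the bucket, Decrypt on the CMK) are not granted. The bucket name, account id, key id and region are constructed placeholders, and the required-action list is an assumption for the example; the authoritative list is in the Splunk permissions page linked in the question. The second sample policy repeats the empty `"Resource": ""` from the posted statement to show that an empty resource string matches nothing, which is why it is worth confirming what the deployed policy actually contains.

```python
import re

# Constructed placeholders (not real identifiers).
BUCKET_ARN = "arn:aws:s3:::example-cloudtrail-bucket"
OBJECT_ARN = BUCKET_ARN + "/auditlog/AWSLogs/111122223333/CloudTrail/us-east-1/example.json.gz"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

# Assumed minimum set for reading KMS-encrypted CloudTrail objects via the
# add-on's S3 input (check the Splunk permissions docs for the full list).
REQUIRED = [
    ("s3:ListBucket", BUCKET_ARN),
    ("s3:GetObject", OBJECT_ARN),
    ("kms:Decrypt", KEY_ARN),
]


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, case_sensitive):
    """IAM wildcard semantics: '*' matches any run of characters, '?' one character.
    Actions are matched case-insensitively, resource ARNs case-sensitively.
    An empty pattern only matches an empty value, so it never matches a real ARN."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'Implicit deny' for one action on one resource,
    considering only Allow/Deny statements of a single identity policy (no
    Condition blocks, key policies, SCPs or endpoint policies)."""
    decision = "Implicit deny"
    for stmt in _as_list(policy.get("Statement")):
        if not any(_glob_match(a, action, False) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_glob_match(r, resource, True) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit deny always wins
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def missing_permissions(policy, required=REQUIRED):
    """List the (action, resource) pairs the policy does not explicitly allow."""
    return [(a, r) for a, r in required if evaluate(policy, a, r) != "Allow"]


# Constructed sample: S3 read access to the bucket plus Decrypt on any key.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
        {"Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
         "Resource": "*"},
    ],
}

# Constructed sample: same S3 access, but the KMS statement carries the empty
# Resource string as it appears in the question, so Decrypt is never granted.
EMPTY_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        GOOD_POLICY["Statement"][0],
        {"Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
         "Resource": ""},
    ],
}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("empty-resource", EMPTY_RESOURCE_POLICY)):
        gaps = missing_permissions(pol)
        print(f"{name}: {'ok' if not gaps else 'missing ' + str(gaps)}")
```

This only covers the identity policy attached to the instance role. The same GetObject call also has to pass the KMS key policy (the key must allow the role to Decrypt) and, in a VPC with an S3 gateway endpoint, the endpoint policy, so a clean result here narrows the search rather than ending it.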