- It enumerates all accounts from an AWS Organizations master account
- It describes the following resources in every AWS region and in every account previously found:
- EC2 instances
- S3 buckets and their policy
- (more to come)
To plug the information gap between CMDB's and reality in a structural way. CMDB's are rarely up-to-date and acurate because they aren't the primary source of truth. The best place to query asset reality is through primary sources like platform API's.
This add-on only needs two parameters to reach an acurate 99% picture of cloud assets. Doing this with the Splunk AWS add-on involves a lot of manual work. It also involves eternal vigilance because new accounts aren't automatically included. This add-on fixes that.
You can, by enriching the data from this add-on with information about short living instances through Cloudtrail logging of API requests (RunInstances or StartInstances).
Install this add-on on a Splunk Enterprise instance, heavy forwarder style.
Create a new "Accounts" input:
- Give the input a name, e.g. "All_Accounts"
- Specify an interval for data collection, e.g. 86400 for daily
- Specify a Splunk index to dump the information in
- Specify a role within the AWS master account to assume, and is allowed to perform ListAccounts (e.g. arn:aws:iam::123456789:role/tf-list-accounts-role
Note: you do not need this input for other inputs to work. Only use this input if you're interested in account information for futher correlation within Splunk searches
Create a new "EC2" input:
- Give the input a name, e.g. "All_EC2"
- Specify an interval for data collection, e.g. 86400 for daily
- Specify a Splunk index to dump the information in
- Specify a role within the AWS master account to assume, and is allowed to perform ListAccounts (e.g. arn:aws:iam::123456789:role/tf-list-accounts-role
- Specify the last constant part of the arn in every account that is allowed to perform DescibeInstances (e.g. tf-ec2-describe-role)
This requires some setup up front by your friendly AWS administrator. Every account, and every new account should contain a role that this input is allowed to assume, and is allowed to perform DescribeInstances. Since you're in AWS, this should probably be automated ad fundum anyway.