Integrations - Splunk - Using AWS S3 (Part 1 of 2)
Print
Created by: Chris Black
Modified on: Thu, 2 Sep, 2021 at 9:12 AM
Description
Integrating MPmail Avanan with AWS S3 for Splunk logs
Requirements
- An admin login to Amazon AWS
- An admin login to the MPmail Avanan tenancy
The Process
- Go to AWS IAM: https://console.aws.amazon.com/iam/home#/home
- Click on Users > Add user
- Select a name and enable “Programmatic access”, click “Next: Permissions”
- Click on “Create group” (or the right group if already created)
Click on “Create policy” (or select the right policy if already created)
On the new tab, click on JSON and copy this over:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::YOUR_S3_BUCKET"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::YOUR_S3_BUCKET/THE_LOG_FOLDER_IF_ANY/*"
]
}
]
}
- Click on Review Policy
Select the policy you just created, give the group a name and click on “Create group”
- After the policy is created, go back to the previous tab and click “Refresh”
On the next screen, select a policy name and click on “Create Policy”
- Back to the “Add user” screen, confirm that the group you just created is selected and click on “Next: Tags”
- Add the necessary Tags (in accordance with your environment directives) and click on “Next: Review”
Confirm all the configurations and click on “Create user”
- Click on Roles and on “Create role”
Select Another AWS Account
Insert the 12 digit number of the user you just created click on “Next: Permissions”
Note: to find the 12 digit number, open the user on another screen:
- Select the policy you created, click on Next: Tags
- Add the necessary Tags (in accordance with your environment directives) and click on Next: Review
- Select a role name and click on Create Role
- Search for the role you just created, click on its name
- Select “Trust relationships” and click on “Edit trust relationship”
- Copy the following over and click on “Update Trust Policy”
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::731485868276:user/avanan-s3-log-uploader"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "avanan-s3-logs"
}
}
}
]
}
- Copy the Role ARN to use on the Avanan side
- Back on Avanan, go to Configuration > Security App Store
Find Splunk on the list and click on Configure (if the button is grey out, the module is not enabled, click on the round “PLAY” button to enable it and refresh the page)
- Copy your Role ARN, bucket name, and select a region. Insert the subfolder you want the logs to be uploaded to, if any (they will be uploaded to the root directory if left empty).
Select “Report security events to Splunk” if you want all new security events to be uploaded (recommended).
Select “Include entity profile link” if you want to add a link to the entity profile on Avanan to the JSON logs.
Click on “Ok” to save. The Avanan-S3 side of the integration is done.
Chris is the author of this solution article.
Did you find it helpful?
Yes
No
Send feedback Sorry we couldn't be helpful. Help us improve this article with your feedback.
