Update your AWS policies

Note: This topic covers the Update policies step of the workflow for adding a new Amazon S3 federated provider. You cannot follow this step until you complete the steps that precede it in the workflow. See the checklist of tasks to set up Federated Search for Amazon S3.

In this task, you do the following things:

  • Copy and paste the AWS Identity and Access Management (IAM) policies that Splunk software has generated for you into appropriate locations in the Amazon account to which your Amazon S3 federated provider connects. After you complete the Provider details step of the workflow for adding a new Amazon S3 federated provider, you should find IAM policies for:
    • Each Amazon S3 location and AWS KMS key you listed in the federated provider definition.
    • The AWS Glue Data Catalog that your AWS Glue tables belong to, if you have created your own AWS Glue tables.
  • Confirm that the Requester Pays setting for your Amazon S3 buckets is turned off in Amazon S3.
  • Create the federated provider with which the policies are associated.

Prerequisites

In the Provider details step of the workflow for adding a new Amazon S3 federated provider, you must have supplied one or more Amazon S3 locations for the Amazon S3 datasets that you want to search. See Define Amazon S3 federated provider details.

  • If you are using customer-created AWS Glue tables, in the Provider details step, you must have identified the AWS Glue database to which your AWS Glue tables belong.
  • If you are using SSE-KMS encryption to encrypt data in your Amazon S3 buckets or your AWS Glue Data Catalog, in the Provider details step, you must have listed the AWS KMS key ARNs for the encrypted items.

Steps

  1. On your Splunk Cloud Platform deployment, in Splunk Web, at the Update policies step of the Add a new Amazon S3 provider workflow, you'll see one or more generated AWS IAM policies.
    Copy and paste the body of each Amazon S3 bucket policy into your Amazon S3 account. See Update your Amazon S3 bucket policies.
    If multiple location paths reference the same Amazon S3 bucket, Splunk software creates only one bucket policy for that bucket, with each of the location paths included as a value of the policy's Resource field.
  2. If Splunk software generates a Glue Data Catalog resource policy, copy and paste the body of the policy into your AWS Glue account. See Update your Glue Data Catalog resource policy.
  3. If Splunk software generates one or more AWS KMS key policies, copy and paste the bodies of the policies into the key policies for the affected AWS KMS keys. See Update your AWS KMS Key policies.
  4. Select Continue.
  5. Select Create provider to create your Amazon S3 federated provider.

Splunk software verifies whether your deployment has sufficient cross-account permissions to search Amazon S3 accounts.

Update your Amazon S3 bucket policies

Note: Updating your Amazon S3 bucket policies is part of the Update your AWS policies task.

Splunk software generates an Amazon S3 bucket policy for each Amazon S3 bucket you list in Amazon S3 locations on the Provider details page for your Amazon S3 federated provider. Update your Amazon S3 account with these generated Amazon S3 bucket policies. When an Amazon S3 bucket policy already exists for a particular bucket, append the statement portion of your Amazon S3 bucket policy to the statement portion of the existing Amazon S3 bucket policy.

  1. On the Update policies page, under the Generated policies sidebar, select an Amazon S3 bucket policy. You should find an Amazon S3 bucket policy for each Amazon S3 location that you have listed on the Provider details page.
  2. Select Copy policy for the Amazon S3 bucket policy to save a copy of the policy to your clipboard.
    Here is an example of an Amazon S3 bucket policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [ "arn:aws:iam::<AWS-account-ID>:role/<stack-name>" ]
                },
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket",
                    "s3:GetObject*"
                ],
                "Sid": "AllowSplunkAccessTo a-sample-aws-s3-bucket",
                "Resource": [
                    "arn:aws:s3:::a-sample-aws-s3-bucket",
                    "arn:aws:s3:::a-sample-aws-s3-bucket/a-table/*"
                ]
            }
        ]
    }
    

    Note: Each Splunk Cloud Platform deployment is identified by its stack-name, which is the prefix of the deployment's URL. For example, if your deployment's URL is https://buttercupgames.splunkcloud.com, the stack-name is buttercupgames.
  3. After you copy the policy, go to the Amazon S3 console and navigate to the General purpose buckets page.
  4. Select the Name of the bucket for the policy you have copied.
  5. Select the Permissions tab for the bucket.
  6. Select Edit for the Bucket policy.
  7. If no bucket policy exists, paste your saved Amazon S3 bucket policy into the editing window and move on to Step 9.
  8. If a bucket policy exists, use the policy editor to combine the generated Amazon S3 bucket policy you have copied with the existing Amazon S3 bucket policy. The easiest way to do this is to append the statement portion of your generated policy to the existing policy statement. For more information, see Help with combining AWS IAM policies.
    Note: Resolve security warnings, errors, general warnings, and suggestions before you save your policy.
  9. Select Save changes to save your policy update.

Repeat these steps for each Amazon S3 bucket policy that is listed on the Update policies page.

For more information about updating Amazon S3 bucket policies, see Adding a bucket policy by using the Amazon S3 console in the Amazon Simple Storage Service User Guide.
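Before pasting a generated bucket policy, it is worth checking that it grants only what the example above shows: the documented read-only actions, to the single deployment role, on the named bucket and its listed prefixes. The following Python script is an added example, not Splunk or AWS code; it reviews a policy document against those expectations and reports anything that deviates. The account ID 111122223333 is made up, the stack name buttercupgames is the one from the note above, and the second, over-broad policy is constructed purely to show what a finding looks like.

```python
import json

# Constructed sample: the generated bucket policy shown above, with the
# <AWS-account-ID> and <stack-name> placeholders filled in with made-up values.
GENERATED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:role/buttercupgames"]},
        "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject*"],
        "Sid": "AllowSplunkAccessTo a-sample-aws-s3-bucket",
        "Resource": [
            "arn:aws:s3:::a-sample-aws-s3-bucket",
            "arn:aws:s3:::a-sample-aws-s3-bucket/a-table/*",
        ],
    }],
})

# Constructed counter-example: the same policy widened into an open grant,
# the kind of edit a review should catch before it is saved.
OVERBROAD_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Sid": "AllowEveryone",
        "Resource": "arn:aws:s3:::*",
    }],
})

# The only actions the generated bucket policy is documented to contain.
EXPECTED_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject*"}


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_bucket_policy(policy_json, account_id, stack_name, bucket):
    """Check a bucket policy against what the generated Splunk policy should grant.

    Returns a list of human-readable findings. An empty list means every
    statement allows only the documented read-only actions, only to the
    deployment's role, and only on the named bucket or prefixes inside it.
    """
    policy = json.loads(policy_json)
    expected_principal = f"arn:aws:iam::{account_id}:role/{stack_name}"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []

    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: unexpected Effect {stmt.get('Effect')!r}")

        # Principal is either the string "*" or a map such as {"AWS": [...]}.
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
        else:
            principals = _as_list(principal)
        for p in principals:
            if p != expected_principal:
                findings.append(f"{sid}: principal {p!r} is not the deployment role {expected_principal}")

        # Negated elements would invert the allow-list checks below, so flag them.
        for negated in ("NotPrincipal", "NotAction", "NotResource"):
            if negated in stmt:
                findings.append(f"{sid}: unexpected {negated} element")

        extra_actions = set(_as_list(stmt.get("Action"))) - EXPECTED_ACTIONS
        if extra_actions:
            findings.append(f"{sid}: actions beyond the documented read-only set: {sorted(extra_actions)}")

        for resource in _as_list(stmt.get("Resource")):
            if resource != bucket_arn and not resource.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {resource!r} is outside bucket {bucket}")

    return findings


if __name__ == "__main__":
    args = ("111122223333", "buttercupgames", "a-sample-aws-s3-bucket")
    print("generated policy:", review_bucket_policy(GENERATED_BUCKET_POLICY, *args) or "OK")
    for finding in review_bucket_policy(OVERBROAD_BUCKET_POLICY, *args):
        print("over-broad policy:", finding)
```

Run it with the account ID, stack name and bucket of your own provider; a clean result for the generated policy and three findings for the over-broad one is the expected outcome. The same check, with the expected principal unchanged and the action set swapped for the Glue or KMS actions shown later on this page, applies to the other generated policies.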

Update your Glue Data Catalog resource policy

Note: Updating your Glue Data Catalog resource policy is part of the Update your AWS policies task.

If you have customer-created AWS Glue tables and have therefore identified an AWS Glue database and AWS Glue tables for your Amazon S3 federated provider, Splunk software generates a Glue Data Catalog resource policy for you. Copy and paste this Glue Data Catalog resource policy into your AWS Glue account. If a Glue Data Catalog resource policy already exists, append the statement portion of your Glue Data Catalog resource policy to the statement portion of the existing Glue Data Catalog resource policy.

  1. On the Update policies page, under the Generated policies sidebar, select AWS Glue Data Catalog resource policy. The AWS Glue Data Catalog resource policy appears only if you have identified an AWS Glue Data Catalog on the Provider details page.
  2. Select Copy policy for the Glue Data Catalog resource policy to save a copy of the policy to your clipboard.
    Here is an example of a Glue Data Catalog resource policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSplunkAccessToAWSGlueDataCatalog",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [ "arn:aws:iam::<AWS-account-ID>:role/<stack-name>" ]
                },
                "Action": [
                    "glue:GetDatabase",
                    "glue:GetDatabases",
                    "glue:GetTables",
                    "glue:GetTable",
                    "glue:GetPartitions",
                    "glue:GetPartition",
                    "glue:BatchGetPartition"
                ],
                "Resource": [
                    "arn:aws:glue:us-west-2:<AWS-account-ID>:catalog",
                    "arn:aws:glue:us-west-2:<AWS-account-ID>:database/a_sample_db",
                    "arn:aws:glue:us-west-2:<AWS-account-ID>:table/a_sample_db/a_table"
                ]
            }
        ]
    }
    

    Note: Each Splunk Cloud Platform deployment is identified by its stack-name, which is the prefix of the deployment's URL. For example, if your deployment's URL is https://buttercupgames.splunkcloud.com, the stack-name is buttercupgames.
  3. In the AWS Glue console, in the left-hand sidebar, select Data Catalog and then select Catalog settings.
  4. If the Permissions field is empty, paste your Glue Data Catalog resource policy into it and move on to Step 6.
  5. If a Glue Data Catalog resource policy already exists in the Permissions field, you must use the policy editor to combine the generated Glue Data Catalog resource policy you have copied with the existing Glue Data Catalog resource policy. The easiest way to do this is to append the statement portion of your generated policy to the existing policy statement. For more information, see Help with combining AWS IAM policies.
    Note: Resolve security warnings, errors, general warnings, and suggestions before you save your policy.
  6. Select Save to save the Glue Data Catalog resource policy update.

For more information about updating Glue Data Catalog resource policies, see Granting cross-account access in the AWS Glue User Guide.

Update your AWS KMS Key policies

Note: Updating your AWS KMS Key Policies is part of the Update your AWS policies task.

If you are using SSE-KMS encryption to encrypt data in your Amazon S3 buckets or your AWS Glue Data Catalog and you have filled out the AWS KMS key ARNs field for your Amazon S3 federated provider, when you select Generate Policy, Splunk software generates an AWS KMS key policy. To allow Splunk software to search your SSE-KMS-encrypted Amazon S3 data, copy and paste this AWS KMS key policy into the accounts for your AWS KMS keys. If an AWS KMS key policy already exists, append the statement portion of your AWS KMS policy to the statement portion of the existing AWS KMS key policy.

  1. Start by selecting Copy for the AWS KMS key policy to save a copy of the policy to your clipboard.
    Here is an example of an AWS KMS key policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowUseOfTheKey",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [ "arn:aws:iam::<AWS-account-ID>:role/<stack-name>" ]
                },
                "Action": [
                    "kms:Decrypt"
                ],
                "Resource": "*"
            }
        ]
    }
    

    Note: Each Splunk Cloud Platform deployment is identified by its stack-name, which is the prefix of the deployment's URL. For example, if your deployment's URL is https://buttercupgames.splunkcloud.com, the stack-name is buttercupgames.
  2. In the Amazon S3 console, navigate to the Buckets page.
  3. Select the Name of a bucket that corresponds to a listed AWS KMS key ARN.
  4. Select the Properties tab for the bucket.
  5. Select the Encryption key ARN in the Default encryption section to open the Key ID page for the key in the Key Management Service.
  6. In the Key policy section, select Edit.
  7. If no AWS KMS key policy exists, paste your saved AWS KMS key policy into the editing window and move on to Step 9.
  8. If an AWS KMS key policy exists, use the policy editor to combine the existing AWS KMS key policy with the AWS KMS key policy you have copied. The easiest way to do this is to append the statement portion of your generated policy to the existing policy statement. For more information, see Help with combining AWS IAM policies.
    Note: Resolve security warnings, errors, general warnings, and suggestions before you save your policy.
  9. Select Save changes to save the key policy update.

Repeat these steps for each AWS KMS key ARN that is listed on the Update policies page. For more information, see Changing a key policy in the AWS Key Management Service Developer Guide.

Help with combining AWS IAM policies

Use the AWS policy editor to combine generated AWS IAM policies with existing AWS IAM policies.

When you add generated AWS Identity and Access Management (IAM) policies such as Amazon S3 bucket policies, AWS Glue Data Catalog resource policies, and AWS KMS key policies to your AWS account for the purpose of setting up federated search of Amazon S3 datasets, you may find that AWS IAM policies already exist for the Amazon S3 buckets, Glue Data Catalog resources, and AWS KMS keys involved. When there is a preexisting policy, you must combine it with your generated policy.

The easiest way to combine a generated AWS IAM policy with a preexisting AWS IAM policy is to simply append the statement portion of your policy to the existing policy statement.

Append a generated IAM policy statement to an existing IAM policy statement

As part of the Update your AWS policies task, you must have done the following things:
  • You must have copied to your clipboard an Amazon S3 bucket policy, a Glue Data Catalog resource policy, or an AWS KMS key policy.
  • You must have opened the policy editor for the appropriate IAM policy type in the Amazon S3 console, the AWS Glue console, or the AWS Key Management Service console.

You can quickly combine a generated AWS IAM policy with an existing AWS IAM policy simply by appending the statement portion of your generated IAM policy to the existing IAM policy statement, separating statements with commas.

When you append a statement to other statements in an existing policy, you add just the statement portion of the policy, and not its Version or Statement header fields. The combined policy cannot include multiple header fields.

  1. In the AWS policy editor, find the curly brace that marks the end of the last statement in the preexisting policy. Ignoring whitespace and line breaks, it is the third character from the end of the policy: it is always followed by the square bracket that closes the Statement array, and then by the final curly brace that closes the policy.
  2. Place a comma after the curly brace that marks the end of the preexisting policy statement.
  3. After the comma, paste your saved AWS IAM policy. The policy is added as a single unbroken string of text, and the policy editor registers errors because the pasted text still carries its own header fields.
  4. To resolve the errors, start by removing this string from the beginning of the pasted policy: {"Version":"<date>","Statement":[ . Then remove these two characters from the end of the pasted policy: ]} . This should remove all critical errors.
    Note: After removing this text, if you see warnings of duplicate element contents, you can optionally resolve them by removing the duplicate items. Duplication of element contents won't prevent the updated AWS IAM policy from providing proper permissions and authentication.
  5. (Optional) Add line breaks to your statement so that it has the same formatting as other statements in the policy. Resolve any errors you might introduce while formatting the added statement.
  6. Select Save or Save changes.
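The manual append procedure above, and the equivalent instruction in each of the bucket, Glue Data Catalog and KMS sections, can be carried out programmatically so that the combined document is checked before it is pasted into the console. The following Python script is an added example, not Splunk or AWS code. It keeps a single Version and Statement header, skips a generated statement that is already present (the duplicate-element case noted above), and refuses to merge when a Sid is reused for a different statement or the Version fields disagree; those two refusals are a design choice of this example, not a rule stated in the documentation. The preexisting deny-insecure-transport policy, the account ID 111122223333 and the stack name buttercupgames are constructed sample values.

```python
import json

# Constructed sample: a policy that already exists on the bucket (here, a rule
# that denies requests made without TLS).
EXISTING_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::a-sample-aws-s3-bucket",
            "arn:aws:s3:::a-sample-aws-s3-bucket/*",
        ],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Constructed sample: the generated policy from this page with made-up values
# for <AWS-account-ID> and <stack-name>.
SPLUNK_GENERATED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:role/buttercupgames"]},
        "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject*"],
        "Sid": "AllowSplunkAccessTo a-sample-aws-s3-bucket",
        "Resource": [
            "arn:aws:s3:::a-sample-aws-s3-bucket",
            "arn:aws:s3:::a-sample-aws-s3-bucket/a-table/*",
        ],
    }],
})


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _canonical(stmt):
    """Order-insensitive fingerprint of a statement, used to detect duplicates."""
    def normalise(obj):
        if isinstance(obj, dict):
            return {k: normalise(v) for k, v in obj.items()}
        if isinstance(obj, list):
            return sorted((normalise(x) for x in obj),
                          key=lambda x: json.dumps(x, sort_keys=True))
        return obj
    return json.dumps(normalise(stmt), sort_keys=True)


def merge_policies(existing_json, generated_json):
    """Append the statements of a generated policy to an existing policy.

    Only the statement portion of the generated policy is added, so the result
    keeps one Version and one Statement header, exactly as the manual steps do.
    Returns the combined policy as indented JSON ready to paste into the editor.
    """
    existing = json.loads(existing_json)
    generated = json.loads(generated_json)
    if existing.get("Version") != generated.get("Version"):
        raise ValueError("Version fields differ; the combined policy can carry only one")

    merged = [dict(s) for s in _as_list(existing.get("Statement"))]
    seen = {_canonical(s) for s in merged}
    sids = {s["Sid"]: _canonical(s) for s in merged if "Sid" in s}

    for stmt in _as_list(generated.get("Statement")):
        key = _canonical(stmt)
        if key in seen:
            continue  # identical statement already present: nothing to append
        sid = stmt.get("Sid")
        if sid is not None and sid in sids:
            raise ValueError(f"Sid {sid!r} already names a different statement; rename it first")
        merged.append(stmt)
        seen.add(key)
        if sid is not None:
            sids[sid] = key

    # Keep any other top-level fields of the existing policy (for example "Id").
    combined = dict(existing)
    combined["Statement"] = merged
    return json.dumps(combined, indent=4)


if __name__ == "__main__":
    print(merge_policies(EXISTING_BUCKET_POLICY, SPLUNK_GENERATED_POLICY))
```

Running the script prints a two-statement policy. Merging the same generated policy a second time leaves the result unchanged, which is the behaviour the duplicate-element note above describes; a Sid clash with a different statement stops the merge so that the conflict is resolved by hand rather than silently overwritten.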

Manually update deployment permissions

Note: This step is part of the Update your AWS policies task. Take this step only when you get an error message that asks you to manually update your deployment permissions.

Before you can run federated searches over an Amazon S3 account from your Splunk Cloud Platform deployment, Splunk software needs to set up cross-account permissions for your deployment. Without these permissions, you cannot run Amazon S3 federated searches.

Splunk software verifies whether your deployment has correct cross-account permissions whenever you attempt to create or update a federated provider. If it detects that your deployment has missing or incorrect cross-account permissions, it attempts to set them up. If that attempt fails, you can try to manually set the cross-account permissions by selecting the Update Amazon S3 permissions button.

There are two ways to access the Update Amazon S3 permissions button.

  • When you create or update a federated provider, Splunk software displays an error message with the Update Amazon S3 permissions button if its attempt to automatically set up cross-account permissions fails. Select the button to reattempt to set the permissions.
  • At any time you can access the button from the Federated Providers tab, which you can get to by selecting Settings, then Federated Search. Select Update Amazon S3 permissions to open a dialog box that contains the Update Amazon S3 permissions button.

If you select Update Amazon S3 permissions and your permissions are not restored, contact your Splunk Support representative.