Create input for AWS Organizations
You can use Data Manager to onboard AWS Organizations and collect data from one or more regions. New AWS accounts in onboarded organizational units (OUs) are automatically included, and data collection stops for accounts that leave those OUs, so no additional setup is needed when accounts move. The onboarding flow consists of setting up prerequisites (including IAM roles), creating an input configuration in the app, and deploying the AWS CloudFormation templates in the customer AWS accounts.
Supported data source types
You can use the following data source types to create inputs:
- AWS Security and AWS Metadata
- Amazon CloudWatch Logs
Role permissions
You have to create different roles for different types of AWS accounts.
- Deploy the SplunkDMReadOnlyRoleForOrgAdmin role in the control account.
- Deploy the SplunkDMReadOnlyRoleForOrgMember role in all data accounts.
For more information about the roles, see Configure AWS for onboarding from organizational units.
Select AWS Organizations
- From Data Manager, select New Data Input.
- Select Amazon Web Services and then Next.
- Select AWS data sources. For AWS Organizations you can select AWS Security and AWS Metadata and Amazon CloudWatch Logs.
- Select data sources that you want to use.
- Scroll down and select AWS Organizations.
- Select Next. The Prerequisites page opens.
Perform the prerequisite steps
The prerequisites page walks you through the steps for onboarding AWS organizations.
- Enable all features in your AWS organization. For more information, see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html.
- Enable trusted access with AWS Organizations. Do this in the AWS management account. For more information, see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html.
- Choose a control account. For more information, see Choose a control account.
- Create the SplunkDMReadOnlyRoleForOrgAdmin role in the control account. Follow the steps in the Create the SplunkDMReadOnlyRoleForOrgAdmin role in the control account task.
- Create the SplunkDMReadOnlyRoleForOrgMember role in all data accounts.
- Select AWS CloudFormation Template to download a template. You need to use this template in the AWS account.
- Go to your AWS account and follow the steps in the Create the SplunkDMReadOnlyRoleForOrgMember role in organizational units task.
- Verify that no account within the selected organizational units or organization already has an input of the same input type. Data Manager allows a single input per account for each input type, so an account that you onboard through an OU must not conflict with an input already configured for that type.
- Prepare data sources for ingestion according to the following information and select Next.
- If you use AWS CloudTrail as a data source, make sure that your CloudTrail is configured to send its data to an Amazon CloudWatch log group for the accounts and regions that you select. See https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html.
- If you use AWS Security Hub or Amazon GuardDuty, make sure that Security Hub or GuardDuty is enabled for the accounts and regions that you select. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html and https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html.
- If you use AWS Identity and Access Management (IAM) Access Analyzer, make sure that IAM Access Analyzer is enabled for the accounts and regions that you select. See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling.
After you select Next, the Input AWS Data Information page opens.
Input AWS data information
After going through the prerequisite steps in Data Manager, you can enter information about AWS data from your organizational units that you want to ingest into Data Manager.
- In the Input AWS Data Information page, enter a data input name.
- Enter a single AWS Control Account ID. When you enter this ID, the prerequisites are checked.
- If the provided information isn't valid, an error message describes what is missing. Provide the missing information.
- If the provided information is valid, a notification confirms that the check succeeded and the Select organizational units button becomes active, as shown in the following image:
- Select Select organizational unit. The Onboarding organizational units page opens.
- The AWS Organization tree is displayed. Select any OUs for which you want to onboard data. When you select an OU that has children, all child OUs are also selected and data is collected from them.
- Select Save. The number of the selected OUs is displayed.
- From the Choose AWS Control Account Region drop-down list, select a region.
- In the Selected Data Sources section, select a destination for each data source.
- In the Select IAM Roles Region section, select a region from the drop-down list.
- In Select Regions, select data regions.
- Select Review Data Input.
- On the Review Data Input page, review the data and select Next.
- On the Setup Data Ingestion page, download the CloudFormation StackSet template by selecting Data Ingestion Template. You need it in the next steps to set up the CloudFormation deployment for this particular input.
- Select Review Finished Setup and Monitor Data Input.
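The two checks above, that a selected OU implicitly selects all of its child OUs and that no account in the selection already has an input of the same type, can be done from the command line before you click Save. The following is an added example, not Data Manager's or Splunk's own code: the organization tree and the list of existing inputs are constructed sample data (in practice they would come from AWS Organizations and from your Data Manager inputs), and all OU and account ids are placeholders.

```python
# Added example (not Splunk's own code): expand an OU selection the way the
# Data Manager UI does (an OU selects all of its descendants), resolve the
# accounts it covers, and report accounts that already have an input of the
# same type. Org tree and existing inputs below are constructed sample data.
from collections import deque

# Constructed sample organization tree: OU id -> (child OU ids, account ids).
SAMPLE_ORG = {
    "r-root":     (["ou-prod", "ou-dev"], []),
    "ou-prod":    (["ou-prod-eu"], ["111111111111"]),
    "ou-prod-eu": ([], ["222222222222"]),
    "ou-dev":     ([], ["333333333333", "444444444444"]),
}

# Constructed sample of inputs already configured in Data Manager:
# (account id, input type).
EXISTING_INPUTS = [
    ("222222222222", "AWS Security and AWS Metadata"),
    ("333333333333", "Amazon CloudWatch Logs"),
]


def expand_ous(org, selected):
    """Return every OU covered by a selection, including all descendants."""
    covered = set()
    queue = deque(selected)
    while queue:
        ou = queue.popleft()
        if ou in covered:
            continue
        if ou not in org:
            raise ValueError(f"unknown OU id: {ou}")
        covered.add(ou)
        queue.extend(org[ou][0])          # children are selected implicitly
    return covered


def accounts_in(org, ous):
    """Return the account ids that live directly in any of the given OUs."""
    accounts = set()
    for ou in ous:
        accounts.update(org[ou][1])
    return accounts


def find_conflicts(org, selected_ous, input_type, existing):
    """Accounts in the selection that already have an input of this type."""
    covered = accounts_in(org, expand_ous(org, selected_ous))
    return sorted(acct for acct, kind in existing
                  if kind == input_type and acct in covered)


if __name__ == "__main__":
    # Selecting ou-prod also pulls in ou-prod-eu, whose account already has a
    # security/metadata input, so this selection would conflict.
    print(find_conflicts(SAMPLE_ORG, ["ou-prod"],
                         "AWS Security and AWS Metadata", EXISTING_INPUTS))
```

Resolve any account the function reports before creating the input, either by removing the existing input for that type or by leaving the account's OU out of the selection.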
Establish resources on your AWS account
After adding data input to Data Manager, you can establish resources on your AWS account. You can use AWS CLI or AWS Console.
- On the Data Management page, go to the AWS Setup Details tab.
- Go to the Choose a Method to Run the Template on Your Accounts and Regions section and select either AWS CLI or AWS Console, depending on which method you prefer.
- Follow the steps listed in the selected tab to configure the CloudFormation StackSet.
- After you perform the steps listed in the tab, go to the Data Management page and select the Data Input Details tab. In the Data Source Ingestion Details section, you can check whether data has started flowing into the destination index (aws-org).
- To check the data, go to Splunk Cloud Platform and select the Search & Reporting app on the left. In New Search, enter index=aws-org.
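The StackSet configuration the tab walks you through is what gives the organization-level input its "new accounts are picked up, departing accounts are dropped" behaviour: a service-managed StackSet targeted at OU ids with auto-deployment enabled. The following is an added example, not Splunk's or AWS's own code, showing the two StackSet requests (one for the member role template, one for the data ingestion template) built as plain keyword arguments and executed through an injected client. With `boto3.client("cloudformation")` as the client it performs the real calls from the control account; the `RecordingClient` stand-in lets it run offline. Stack set names, OU ids, regions and template contents are placeholders, and the single-region deployment of the role template is this example's reading of the "Select IAM Roles Region" step (IAM roles are global, so a named role deployed in two regions of the same account would collide).

```python
# Added example (not Splunk's or AWS's own code): build and run the
# CloudFormation StackSet requests for organization onboarding. All names,
# OU ids, regions and template bodies are placeholders.

CAPABILITIES = ["CAPABILITY_NAMED_IAM"]  # the templates create named IAM roles


def stack_set_requests(name, template_body, ou_ids, regions):
    """Return (create_stack_set kwargs, create_stack_instances kwargs).

    SERVICE_MANAGED permissions plus AutoDeployment are what make accounts
    joining the OUs receive the stack and accounts leaving them lose it.
    """
    create = {
        "StackSetName": name,
        "TemplateBody": template_body,
        "Capabilities": CAPABILITIES,
        "PermissionModel": "SERVICE_MANAGED",
        "AutoDeployment": {"Enabled": True, "RetainStacksOnAccountRemoval": False},
    }
    instances = {
        "StackSetName": name,
        "DeploymentTargets": {"OrganizationalUnitIds": list(ou_ids)},
        "Regions": list(regions),
        # Conservative rollout: stop at the first failing account.
        "OperationPreferences": {"FailureToleranceCount": 0, "MaxConcurrentCount": 1},
    }
    return create, instances


def deploy(client, name, template_body, ou_ids, regions):
    """Create the StackSet, then its instances; return the operation id."""
    create, instances = stack_set_requests(name, template_body, ou_ids, regions)
    client.create_stack_set(**create)
    operation = client.create_stack_instances(**instances)
    return operation.get("OperationId")


def onboarding_plan(client, ou_ids, iam_region, data_regions,
                    role_template, ingest_template):
    """Deploy the role template to one region and the ingestion template
    to every selected data region (placeholder stack set names)."""
    return {
        "roles": deploy(client, "splunk-dm-org-member-roles",
                        role_template, ou_ids, [iam_region]),
        "ingestion": deploy(client, "splunk-dm-org-ingestion",
                            ingest_template, ou_ids, data_regions),
    }


class RecordingClient:
    """Offline stand-in for boto3's CloudFormation client; records each call."""
    def __init__(self):
        self.calls = []

    def create_stack_set(self, **kw):
        self.calls.append(("create_stack_set", kw))
        return {"StackSetId": kw["StackSetName"] + ":placeholder"}

    def create_stack_instances(self, **kw):
        self.calls.append(("create_stack_instances", kw))
        return {"OperationId": f"op-{len(self.calls)}"}


if __name__ == "__main__":
    # Swap RecordingClient() for boto3.client("cloudformation") to run for real.
    client = RecordingClient()
    plan = onboarding_plan(client, ["ou-placeholder"], "us-east-1",
                           ["us-east-1", "eu-west-1"],
                           "<role template body>", "<ingestion template body>")
    for call, kwargs in client.calls:
        print(call, kwargs["StackSetName"], kwargs.get("Regions", ""))
    print(plan)
```

Poll `describe_stack_set_operation` with the returned operation ids before checking the Data Input Details tab; an instance that failed in one account shows up there long before the index does.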