All Apps and Add-ons

How to configure Splunk to use a KMS key to decrypt s3 logs via the Splunk Add-on for AWS?

Glasses
Builder

I was able to successfully read logs from an s3 bucket, with Splunk using AWS add-on configured with an account with a KeyID and Secret Key.

Recently the logs were encrypted via KMS. Now the logs are coming in garbled - because splunk cannot decrpyt.

I am unable to find clear documentation/steps to install the KMS key for splunk to decrypt the logs.

Any direction appreciated.

Thank you!

dbarrpsu
Explorer

The IAM user/group or role you're using for collection needs permissions to decrypt using the key, specifically the "kms:Decrypt" action. This can be scoped to just the KMS key used on the bucket you're collecting from. An example policy document:

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "kms:Decrypt",
        "Resource": "ARN-OF-KMS-KEY"
      }
    ]
}
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...