IAM Policy Recommendations for Data Firehose to Splunk via Private Endpoint

0

I have a test environment in GovCloud (east) using Kinesis/Data Firehose and Splunk Enterprise (on-premise) where I'm trying to send AWS log data to Splunk as a destination. I have Firehose configured to use the HTTP Event Collector (HEC) as a destination for Splunk, and I'm also using a VPC private endpoint for the Firehose service. VPC connectivity between the Splunk endpoint and local VPC resources works fine, but I suspect Firehose isn't establishing a connection with the private endpoint, and either the IAM policy for the Firehose stream or the VPC endpoint (or both) may be the issue.

AWS documentation is sparse in terms of the minimum IAM policy statements required for both Firehose streams and VPC endpoint. Does anyone have any guidance on how to configure roles/policies for basic functionality in this topology setting?

1 Answer
0

Hi, check these steps to resolve the issue. Hope it helps you:

IAM Role Permissions: The Firehose delivery stream needs appropriate permissions to access the VPC endpoint and communicate with the HEC endpoint.

VPC Endpoint Policy: The VPC endpoint might have restrictions on inbound traffic, which could prevent Firehose from accessing the Splunk endpoint.

Potential Causes:

  • IAM Policy Issues: Firehose might not have the necessary permissions to access the VPC endpoint or perform actions required for HEC communication.
  • VPC Endpoint Configuration: The VPC endpoint might not be correctly configured to allow Firehose access.
  • Network Connectivity: There might be network issues preventing Firehose from reaching the Splunk endpoint, even within the VPC.

Review IAM Policy for Firehose

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "firehose:PutRecord",
                "firehose:PutRecordBatch",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeNetworkInterfaces"
            ],
            "Resource": "*"
        }
    ]
}

Follow the links for more:

answered 9 months ago
  • Hi Garre, appreciate your response and input!

    I can confirm there are no inbound/outbound restrictions for the VPC endpoint based on the security group settings. I did, however, revisit the policy requirements and Lambda assist function noted here: https://docs.aws.amazon.com/firehose/latest/dev/vpc.html. I'm not sure if the Lambda function is still required(?) but have it enabled anyway.

    Currently, the IAM policy for Firehose is the default one from when the stream was created and rather long. Is the IAM policy example you provided intended to replace that policy for use with any private VPC endpoint that is configured for Firehose or does a vpce ID need to be specified? If a specific vpce ID needs to be defined, I'm not sure how that would bind to a HEC endpoint since it has no associated arn.

  • In your scenario, the Lambda function for data transformation is likely not required since you're sending data directly to Splunk using HEC. You can safely disable it if it's not being used.

    Review Firehose Logs:

    Examine the Firehose delivery stream logs for error messages. They might provide clues about the issue. You can access logs through the Firehose console or CloudWatch.

    HEC Token and Configuration: Double-check the HEC token and other configuration settings within Splunk to ensure they are correct.
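The answer and the follow-up comments above touch two separate policy documents: the IAM policy on the Firehose delivery role (the sample with `firehose:PutRecord`, `firehose:PutRecordBatch`, `ec2:DescribeVpcEndpoints` and `ec2:DescribeNetworkInterfaces` on `Resource: "*"`) and the policy attached to the VPC endpoint for the Firehose service, which controls which principals may call Firehose API actions through that endpoint. The following offline lint is an added example, not code from the thread or from AWS. It parses both kinds of document, reports any of the answer's actions that an Allow statement does not grant, and flags two least-privilege points a reviewer would raise: Firehose actions granted on `Resource "*"` when they can be scoped to the delivery stream ARN (the `ec2:Describe*` actions genuinely require `*`), and an endpoint policy whose `Principal` is `*`. The ARNs, account ID, stream name and role name are constructed placeholders; no AWS API calls are made.

```python
"""Offline lint for a Firehose delivery-role policy and a Firehose VPC endpoint policy.

All sample policies below are constructed placeholders (account 111122223333,
EXAMPLE-* names) and are NOT taken from any real environment.
"""
import json

# Actions named in the answer for the delivery role.
REQUIRED_ROLE_ACTIONS = {
    "firehose:PutRecord",
    "firehose:PutRecordBatch",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeNetworkInterfaces",
}
# Calls a client must be able to make through a Firehose interface endpoint.
REQUIRED_ENDPOINT_ACTIONS = {"firehose:PutRecord", "firehose:PutRecordBatch"}


def _as_list(value):
    """IAM allows Action/Resource/Principal fields to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: '*' matches all, 'svc:Put*' matches a prefix, else exact (case-insensitive)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def allowed_actions(policy, required):
    """Subset of `required` that at least one Allow statement grants (Deny is not evaluated)."""
    granted = set()
    for stmt in _allow_statements(policy):
        patterns = _as_list(stmt.get("Action"))
        granted |= {a for a in required if any(_action_matches(p, a) for p in patterns)}
    return granted


def lint_role_policy(policy):
    """Findings for the delivery role: missing actions, and firehose:* actions left on Resource '*'."""
    missing = REQUIRED_ROLE_ACTIONS - allowed_actions(policy, REQUIRED_ROLE_ACTIONS)
    findings = [f"missing action {a}" for a in sorted(missing)]
    for stmt in _allow_statements(policy):
        firehose = sorted(a for a in _as_list(stmt.get("Action")) if a.lower().startswith("firehose:"))
        if firehose and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{firehose} allowed on Resource '*'; scope them to the delivery stream ARN")
    return findings


def lint_endpoint_policy(policy):
    """Findings for the endpoint policy: missing actions, and a wildcard Principal."""
    missing = REQUIRED_ENDPOINT_ACTIONS - allowed_actions(policy, REQUIRED_ENDPOINT_ACTIONS)
    findings = [f"missing action {a}" for a in sorted(missing)]
    for stmt in _allow_statements(policy):
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append("Principal '*' lets any identity use the endpoint; name the delivery role instead")
    return findings


# --- constructed sample documents -------------------------------------------
# The role policy as given in the answer above.
ANSWER_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Action": ["firehose:PutRecord", "firehose:PutRecordBatch",
               "ec2:DescribeVpcEndpoints", "ec2:DescribeNetworkInterfaces"],
    "Resource": "*"}]}""")

# Same grants, with the Firehose actions scoped to a placeholder GovCloud stream ARN.
SCOPED_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["firehose:PutRecord", "firehose:PutRecordBatch"],
     "Resource": "arn:aws-us-gov:firehose:us-gov-east-1:111122223333:deliverystream/EXAMPLE-splunk-stream"},
    {"Effect": "Allow", "Action": ["ec2:DescribeVpcEndpoints", "ec2:DescribeNetworkInterfaces"],
     "Resource": "*"}]}""")

# Endpoint policy that names the delivery role (placeholder ARN) as the only caller.
ENDPOINT_POLICY = json.loads("""{
  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws-us-gov:iam::111122223333:role/EXAMPLE-firehose-delivery-role"},
    "Action": ["firehose:PutRecord", "firehose:PutRecordBatch"], "Resource": "*"}]}""")

# Endpoint policy that is both too open (any principal) and too narrow (no PutRecordBatch).
OPEN_ENDPOINT_POLICY = json.loads("""{
  "Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "firehose:PutRecord", "Resource": "*"}]}""")


def lint_all():
    """Run every sample through the linters; keys are the sample names."""
    return {
        "answer_role": lint_role_policy(ANSWER_ROLE_POLICY),
        "scoped_role": lint_role_policy(SCOPED_ROLE_POLICY),
        "endpoint": lint_endpoint_policy(ENDPOINT_POLICY),
        "open_endpoint": lint_endpoint_policy(OPEN_ENDPOINT_POLICY),
    }


if __name__ == "__main__":
    print(json.dumps(lint_all(), indent=2))
```

To lint a real document, replace the constructed samples with the output of `aws iam get-policy-version` (the role policy) and `aws ec2 describe-vpc-endpoints` (the `PolicyDocument` field of the endpoint); the linter only reads Allow statements, so an explicit Deny elsewhere in the policy would still need a manual check.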
