AWS S3 Splunk CII Integration_orig

2025.08.27

Overview

To integrate Splunk with Cisco Identity Intelligence, follow the Setup Guide section of this document. This integration method uses the Splunk Add-on for AWS to ingest log data from your AWS S3 bucket. It is frequently used for batch processing of historical or high-volume log data. It requires setting up AWS credentials and accurately specifying the SQS queue region and URL.

Prerequisites

Before you begin, please ensure you have the following:

  1. Administrative access to Cisco Identity Intelligence

  2. Administrative access to Splunk Enterprise or Splunk Cloud

  3. The Cisco Security Cloud application installed from Splunkbase

  4. The Splunk Add-on for AWS application installed from Splunkbase

  5. Appropriate permissions to manage AWS S3 buckets and Splunk data inputs

Setup Guide

  1. Create an S3 Bucket

    1. Go to the Amazon S3 console

    2. Click Create bucket

    3. Provide a name for the bucket, such as "splunk-cii-demo-set-up" for this example

    4. Click Create bucket to complete the process

  2. Create an IAM Policy

    1. Navigate to IAM > Policies > Create Policy

    2. Select JSON in the policy editor and paste the following JSON, replacing ${BUCKET_NAME} with a name of your choosing, such as splunk-cii-set-up

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::${BUCKET_NAME}/*"
        }
    ]
}
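
A pre-flight check for the policy above, added here as an example and not part of the original guide or of any Cisco or Splunk tooling: it confirms that the text you are about to paste grants only s3:PutObject on the objects of the one intended bucket and that the ${BUCKET_NAME} placeholder was replaced. The function names render, as_list and check_policy are hypothetical, and the bucket names are the page's own examples.

```python
import json
import re

# Policy text from the page; ${BUCKET_NAME} is the page's placeholder.
POLICY_TEMPLATE = """{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::${BUCKET_NAME}/*"}
    ]
}"""

# S3 general purpose bucket names: 3-63 chars of lowercase letters, digits, dots, hyphens.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def render(bucket):
    """Substitute the bucket name into the page's template (hypothetical helper)."""
    return POLICY_TEMPLATE.replace("${BUCKET_NAME}", bucket)


def as_list(value):
    """IAM accepts either a single value or a list for Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def check_policy(policy_text, bucket):
    """Return findings; an empty list means write-only access to this one bucket."""
    findings = []
    if not BUCKET_RE.match(bucket):
        findings.append(f"invalid bucket name: {bucket!r}")
    if "${" in policy_text:
        findings.append("unreplaced ${...} placeholder")
    expected = f"arn:aws:s3:::{bucket}/*"
    for n, stmt in enumerate(as_list(json.loads(policy_text)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {n}: NotAction/NotResource allows by exclusion")
        for action in as_list(stmt.get("Action", [])):
            if action.lower() != "s3:putobject":  # action names are case-insensitive
                findings.append(f"statement {n}: extra action {action}")
        for resource in as_list(stmt.get("Resource", [])):
            if resource != expected:
                findings.append(f"statement {n}: resource {resource} is not {expected}")
    return findings


if __name__ == "__main__":
    for finding in check_policy(render("splunk-cii-set-up"), "splunk-cii-set-up"):
        print(finding)
```

Checking a policy rendered for "splunk-cii-demo-set-up" against the bucket "splunk-cii-set-up" reports a resource mismatch, which is the error to expect if the two example names on this page are mixed up.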
