AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.
Guidance for onboarding data can be found in the Splunk Documentation:
- Getting Data In (Splunk Enterprise)
- Getting Data In (Splunk Cloud)
- Get data into Splunk Observability Cloud
Refer to the documentation, and note that for Splunk SOAR, the AWS IAM app supports various containment, corrective, and investigative actions related to users, groups, roles, and policies.
When your Splunk deployment is ingesting AWS IAM data, you can use the data to achieve the following in Splunk Enterprise or Splunk Cloud Platform:
- Detecting AWS cross-account activity
- Monitoring AWS and AWS Elastic Compute Cloud (EC2) for suspicious login activities
- Detecting privilege escalation in your AWS environment
- Detecting AWS Security Hub alerts
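Three of the use cases above (cross-account activity, suspicious console logins, and privilege escalation) can be expressed as simple rules over the IAM and STS records that CloudTrail produces. The following is an added example, not code from Splunk or AWS, that runs such rules over a handful of constructed CloudTrail-style events so you can see what each detection keys on. The field names (`eventSource`, `eventName`, `userIdentity`, `requestParameters`, `recipientAccountId`, `responseElements`, `additionalEventData`) follow the CloudTrail record format; the sets of high-privilege policies and escalation-relevant API calls, and every account ID, user name, and IP address, are assumptions chosen for the illustration.

```python
"""Rule-based detections over AWS CloudTrail IAM/STS events (added example).

The events in SAMPLE_EVENTS are constructed for this illustration; the
account IDs, user names and IP addresses are not real.
"""
from typing import Callable, Dict, List, Tuple

# Managed policies whose attachment hands out broad power (assumed list).
HIGH_PRIVILEGE_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}
# IAM write calls commonly used to escalate or persist (assumed list).
POLICY_ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}

Finding = Tuple[str, str]  # (rule name, human-readable detail)


def detect_privilege_escalation(evt: Dict) -> List[Finding]:
    """Flag attachment of a high-privilege managed policy, and creation of
    credentials for a principal other than the caller."""
    if evt.get("eventSource") != "iam.amazonaws.com":
        return []
    findings: List[Finding] = []
    name = evt.get("eventName")
    params = evt.get("requestParameters") or {}
    identity = evt.get("userIdentity") or {}
    actor = identity.get("arn", "?")
    if name in POLICY_ATTACH_EVENTS and params.get("policyArn") in HIGH_PRIVILEGE_POLICIES:
        target = params.get("userName") or params.get("roleName") or params.get("groupName")
        findings.append(("privilege_escalation", f"{actor} attached {params['policyArn']} to {target}"))
    if name in CREDENTIAL_EVENTS:
        target = params.get("userName")
        if target and target != identity.get("userName"):
            findings.append(("privilege_escalation", f"{actor} ran {name} for another user: {target}"))
    return findings


def detect_cross_account(evt: Dict) -> List[Finding]:
    """Flag calls where the caller's account differs from the account the call
    landed in (recipientAccountId); this catches cross-account AssumeRole."""
    src = (evt.get("userIdentity") or {}).get("accountId")
    dst = evt.get("recipientAccountId")
    if src and dst and src != dst:
        return [("cross_account", f"{evt.get('eventName')} by account {src} against account {dst}")]
    return []


def detect_suspicious_login(evt: Dict) -> List[Finding]:
    """Flag failed console logins and successful console logins without MFA."""
    if evt.get("eventName") != "ConsoleLogin":
        return []
    result = (evt.get("responseElements") or {}).get("ConsoleLogin")
    mfa = (evt.get("additionalEventData") or {}).get("MFAUsed")
    actor = (evt.get("userIdentity") or {}).get("arn", "?")
    ip = evt.get("sourceIPAddress")
    if result == "Failure":
        return [("suspicious_login", f"failed console login for {actor} from {ip}")]
    if result == "Success" and mfa == "No":
        return [("suspicious_login", f"console login without MFA for {actor} from {ip}")]
    return []


RULES: List[Callable[[Dict], List[Finding]]] = [
    detect_privilege_escalation, detect_cross_account, detect_suspicious_login,
]


def run_detections(events: List[Dict]) -> List[Finding]:
    """Apply every rule to every event and collect the findings."""
    return [f for evt in events for rule in RULES for f in rule(evt)]


ALICE = {"type": "IAMUser", "accountId": "111111111111", "userName": "alice",
         "arn": "arn:aws:iam::111111111111:user/alice"}
BOB = {"type": "IAMUser", "accountId": "222222222222", "userName": "bob",
       "arn": "arn:aws:iam::222222222222:user/bob"}

# Constructed CloudTrail-style records (not real log data).
SAMPLE_EVENTS: List[Dict] = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": ALICE,
     "recipientAccountId": "111111111111",
     "requestParameters": {"userName": "alice", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": ALICE,
     "recipientAccountId": "111111111111", "requestParameters": {"userName": "svc-deploy"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "userIdentity": BOB,
     "recipientAccountId": "111111111111",
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Auditor"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": ALICE,
     "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "userIdentity": ALICE,
     "recipientAccountId": "111111111111", "requestParameters": None},
]

if __name__ == "__main__":
    for rule, detail in run_detections(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

In a Splunk deployment the same conditions would be written as searches over the ingested CloudTrail events rather than as Python; the example is meant to show which fields each of the listed use cases depends on, and why ingesting the full `userIdentity` and `requestParameters` structures matters for them.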
With Splunk SOAR, you can use this data for: