Splunk Lantern

Using Admin Config Service (ACS) in Splunk Cloud Platform FedRAMP environments


Admin Config Service (ACS) is available to customers in FedRAMP Moderate/IL2 compliance environments in Splunk Cloud Platform version 9.0.2305.200.

ACS is a cloud-native API that provides programmatic self-service administration capabilities for Splunk Cloud Platform. Splunk Cloud Platform administrators can use the ACS API to perform common administrative tasks without assistance from Splunk Support.

With the ACS API, you can:

  • Configure IP allow lists
  • Configure outbound ports
  • Manage authentication tokens
  • Manage HTTP Event Collector (HEC) tokens
  • Manage indexes
  • Manage private apps and add-ons
  • Manage Splunkbase apps
  • Manage users, roles, and capabilities
  • Enable private connectivity
  • View maintenance windows

Private and Splunkbase app management is limited to the primary search head or primary search head cluster. Apps still cannot be managed on premium search heads; you will need to continue to use Splunk Support to manage apps on those search head groups.

Many of the capabilities in the list above are also configurable through the Splunk Cloud Platform user interface, but ACS exposes some that the interface does not. For example, with ACS, IP allow list and outbound port configuration no longer require FedRAMP Splunk Cloud Platform customers to submit a support ticket.

In this article, we'll show how to use the ACS API to manage IP allow lists in Splunk Cloud Platform.

Splunk Cloud Platform prerequisites and token creation

  • While the ACS CLI is used in this example, the ACS REST API is also available in FedRAMP to support customers using a CI/CD management approach.
  • The ACS base URL in FedRAMP Moderate/IL2 environments is different from that used in commercial environments. You’ll need to use the following base URL for API calls: https://admin.splunkcloudgc.com/
  1. Ensure that you, or the user who will list and edit the allow list, have the necessary capabilities in your Splunk role. The sc_admin role has these capabilities by default. The "acs_list_ip_allow_list" capability must be enabled to list the environment IPs, and "edit_ip_allow_list" must be enabled to update the allow list. A full matrix of the capabilities needed for the ACS API is available at Splunk Docs.
  2. Generate a JWT token to authenticate to the API. You can create these tokens through Splunk Web.
    1. In Splunk Web, click Settings > Token > Enable Token Authentication > New Token.
    2. Configure the new token using the guidance in Splunk Docs.
    3. Copy and save your token to a secure location such as a password manager. It will not be shown again after you close this screen.

Configure the ACS CLI to access your stack and use the new token

ACS CLI support for FedRAMP Moderate/IL2 is available in ACS CLI v2.13.0. If you don't already have the ACS CLI installed, you can find instructions for installation at Splunk Docs.

  1. Set an environment variable with your authentication token. In this example we're setting the token value on the command line. This has security implications (for example, the token can be captured in the shell's command history), but it might be appropriate for smaller or test deployments, depending on your needs.
    (Windows) >set STACK_TOKEN=eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTI...
    (Linux)   >export STACK_TOKEN=eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTI…
    
  2. Set an environment variable for the FedRAMP Moderate-specific API endpoint. It's also possible to use the --server flag on each command to override the commercial ACS endpoint (example: acs apps list --server https://admin.splunkcloudgc.com/).

    (Windows) >set ACS_SERVER=https://admin.splunkcloudgc.com/
    (Linux)   >export ACS_SERVER=https://admin.splunkcloudgc.com/
    
  3. Configure ACS to use the desired Splunk Cloud Platform environment. Replace <mysplunkcloudstack> with your stack name. You can find your stack name within your domain name, e.g. https://mysplunkcloudstack.splunkcloud.com. After you've completed this step, ACS will be configured to authenticate to your Splunk Cloud Platform stack.

    >acs setup <mysplunkcloudstack>
    Stack added: cloud-architects, Type: victoria
    current-stack is now set to <mysplunkcloudstack>
    Token successfully cached to authenticate against ACS for further operations
    Populating stack type...
    

Working with the ACS CLI

  1. Use the built-in help command >acs ip-allowlist --help to identify the syntax necessary to audit the IP allow list.
    >acs ip-allowlist --help
    The IP allow list controls access to a particular Splunk Cloud Platform feature. When you run further operations, you must specify the <feature> argument, such as search-api, hec, s2s, and so on.
    Note that the value of <feature> refers to a logical grouping of subnets that are granted access to a Splunk component.
    The ACS API supports the following IP allow list use cases:
    +--------------------------+------------+--------+-------------------------------------------------------------------------------------------------------+
    | Use Case                 | Feature    | Port   | Description                                                                                           |
    +--------------------------+------------+--------+-------------------------------------------------------------------------------------------------------+
    | Search head API access   | search-api | 8089   | Grants access for customer subnets to Splunk search head api (applies to automated interfaces)        |
    +--------------------------+------------+--------+-------------------------------------------------------------------------------------------------------+
    | HEC access for ingestion | hec        | 443    | Allows customer's environment to send HTTP data to Splunk indexers.                                   |
    +--------------------------+------------+--------+-------------------------------------------------------------------------------------------------------+
    | Indexer ingestion        | s2s        | 9997   | Allows subnets that include UF or HF to send data to Splunk indexers.                                 |
    +--------------------------+------------+--------+-------------------------------------------------------------------------------------------------------+
    | SH UI access             | search-ui  | 80/443 | Grant explicit access to search head UI in regulated customer environments.                           |
    +--------------------------+------------+--------+-------------------------------------------------------------------------------------------------------+
    | IDM UI access            | idm-ui     | 443    | Grant explicit access to IDM UI in regulated customer environments.                                   |
    +--------------------------+------------+--------+-------------------------------------------------------------------------------------------------------+
    | IDM API                  | idm-api    | 8089   | Grant access for add-ons that require an API. (Allows add-ons to send data to Splunk Cloud Platform.) |
    +--------------------------+------------+--------+-------------------------------------------------------------------------------------------------------+
    
  2. To replace an IP in the allow list, first use the describe command to review the current allow list for the "search-ui" feature. The output is a JSON array of subnets.
    >acs ip-allowlist describe search-ui
    {
        "subnets": [
            "1.2.2.2/32",
            "1.2.3.4/32"
        ]
    }
    
  3. In this example, the subnet that ACS returns as 1.2.3.4/32 should have been 1.2.3.5/32. To correct this, remove the 1.2.3.4/32 subnet and then add the 1.2.3.5/32 subnet. First, remove the 1.2.3.4/32 subnet with the following command.
    >acs ip-allowlist delete search-api --subnets 1.2.3.4/32
    IP allow list subnets deleted successfully.
    To verify the status of your stack after subnet delete request, please run the "acs status current-stack" command.
    {
        "warnings": [
            "IP allow list subnets creation request submitted successfully. Note that it can take several minutes for the subnet update to be applied to your Splunk Cloud Platform stack."
        ]
    }
    
  4. Confirm the subnet was removed with the describe command used previously.
    >acs ip-allowlist describe search-api
    {
        "subnets": [
            "1.2.2.2/32"
        ]
    }
    
  5. Add the 1.2.3.5/32 address to complete the update.
    >acs ip-allowlist create search-api --subnets 1.2.3.5/32
    IP allow list subnets creation request submitted successfully for feature:search-api
    Note that it can take several minutes for the subnet update to be applied to your Splunk Cloud Platform stack.
    To verify the status of your stack after subnet update request, please run the "acs status current-stack" command.
    {
        "warnings": [
            "IP allow list subnets creation request submitted successfully. Note that it can take several minutes for the subnet update to be applied to your Splunk Cloud Platform stack."
        ]
    }
    
  6. Finally, verify the subnet has been added.
    >acs ip-allowlist describe search-api
    {
        "subnets": [
            "1.2.2.2/32",
            "1.2.3.5/32"
        ]
    }
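As an added example (not code from the Splunk Lantern article or from the ACS CLI itself), the following bash script wraps the describe, create and delete steps above into one checked operation: it validates both CIDRs, confirms that the entry to remove is present and the replacement absent, and adds the new subnet before deleting the old one so the source is never left without an entry while the multi-minute update propagates. It assumes a Linux or macOS shell with the acs CLI installed and configured as in the earlier steps; ACS_BIN, valid_cidr, parse_subnets and replace_subnet are names introduced here.

```shell
#!/usr/bin/env bash
# Added example (not from the Splunk Lantern article or the ACS CLI itself):
# swap one subnet in an ACS IP allow list with pre-checks. Assumes the acs CLI
# is installed, `acs setup` has run, and STACK_TOKEN / ACS_SERVER are exported.
set -euo pipefail

ACS_BIN="${ACS_BIN:-acs}"   # point at a stub (function or script) for dry runs

# Return 0 if $1 is a well-formed IPv4 CIDR (a.b.c.d/nn), else 1.
valid_cidr() {
  local ip="${1%/*}" prefix="${1#*/}" a b c d octet
  [ "$ip" != "$1" ] || return 1                       # the /prefix is required
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  IFS=. read -r a b c d <<<"$ip"
  for octet in "$a" "$b" "$c" "$d"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac    # also catches a 5th octet
    [ "$octet" -le 255 ] || return 1
  done
}

# Read the JSON printed by `acs ip-allowlist describe <feature>` on stdin and
# print one CIDR per line (plain grep, so no jq dependency).
parse_subnets() {
  grep -o '"[0-9.]\{7,15\}/[0-9]\{1,2\}"' | tr -d '"' || true
}

# replace_subnet <feature> <old-cidr> <new-cidr>
# Exit codes: 2 = malformed CIDR, 3 = allow list not in the expected state.
replace_subnet() {
  local feature="$1" old="$2" new="$3" current
  valid_cidr "$old" || { echo "malformed CIDR: $old" >&2; return 2; }
  valid_cidr "$new" || { echo "malformed CIDR: $new" >&2; return 2; }
  current="$("$ACS_BIN" ip-allowlist describe "$feature" | parse_subnets)"
  if ! grep -qxF "$old" <<<"$current"; then
    echo "$old is not in the $feature allow list; refusing to continue" >&2
    return 3
  fi
  if grep -qxF "$new" <<<"$current"; then
    echo "$new is already in the $feature allow list; refusing to continue" >&2
    return 3
  fi
  # Add the replacement before deleting the old entry so the source is never
  # left without an allow list entry while the (multi-minute) update propagates.
  "$ACS_BIN" ip-allowlist create "$feature" --subnets "$new"
  "$ACS_BIN" ip-allowlist delete "$feature" --subnets "$old"
  echo "submitted: $feature $old -> $new; check with: $ACS_BIN status current-stack"
}
# Example run mirroring the article (constructed values): replace_subnet search-api 1.2.3.4/32 1.2.3.5/32
```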
    

Next steps

These resources might help you understand and implement this guidance: