Easily Automate Across Your AWS Environments with Splunk Phantom

Security Matt Sayar
When running Splunk Phantom with AWS services, it can be tricky to make sure Splunk Phantom has the right access. When you’re managing multiple AWS accounts, the effort to configure Splunk Phantom’s access to every account can feel insurmountable. Fortunately, Amazon has the Security Token Service to solve this problem with temporary credentials, so we’ve integrated it with Splunk Phantom!

Temporary credentials are great, because you allow a user to access AWS resources without the overhead of creating an account, embedding credentials, or worrying about revoking or expiring them.

Using Splunk Phantom’s new AWS Security Token Service integration, we’re able to take advantage of the AssumeRole capability. You’ve diligently set up the roles you need to manage your AWS environment, so now let’s leverage that effort in Splunk Phantom.

How to AssumeRole in Splunk Phantom

So how do we actually do this in Splunk Phantom? From a high level, it’s a two-step process starting with the AWS Security Token Service integration. You’ll use it to AssumeRole with a specified Amazon Resource Name (ARN), then pass the credentials it returns to your AWS app, like S3 or Lambda.

Let’s walk through a simple example together.

Step 1

In your playbook, you’ll start with the AWS Security Token Service integration and its assume role action.

Step 2

The role_arn parameter is configured in AWS and is the ID of the role you want to assume. You can type the ARN directly, or supply it from the result of a previous action.

Step 3

At this point, we have the Credentials for the ARN we specified as the output of our assume role action, and now we can supply that output in another AWS integration’s Credentials field. In this example, we’re trying to list buckets in AWS S3.

And we’re done! The credentials will expire on their own, and you can get a fresh set whenever you need it.

Currently, we support AssumeRole functionality with the AWS Security Token Service in the following apps:

Look for the rest of our AWS integrations to include this functionality this summer!

Examples

Want to try out using the STS Token Service yourself? Head over to our open-source repository and download an example playbook!

We focused on using the apps within Splunk Phantom today, but in the video below Tony Cihak does a fantastic job of showcasing the process from beginning to end with a simple example that includes some setup on the AWS side as well. In addition, he demonstrates using a role tied to an EC2 instance that you’re running Splunk Phantom on.

/en_us/blog/fragments/the-essential-guide-to-soar
Style
two-column

Related Articles

AppLocker Rules as Defense Evasion: Complete Analysis
Security
24 Minute Read

AppLocker Rules as Defense Evasion: Complete Analysis

The Splunk Threat Research Team analyzes 'Azorult loader' (a payload that imports its own AppLocker rules) to understand the tactics and techniques that may help defend against these types of threats.
Introducing the World’s First Modern Cloud-Based SecOps Platform: Splunk Security Cloud
Security
3 Minute Read

Introducing the World’s First Modern Cloud-Based SecOps Platform: Splunk Security Cloud

Announcing the new Splunk Security Cloud – the only data-centric modern security operations platform that delivers enterprise-grade advanced security analytics, automated security operations, and threat intelligence with an open, unparalleled ecosystem.
Picture Paints a Thousand Codes: Dissecting Image-Based Steganography in a .NET (Quasar) RAT Loader
Security
13 Minute Read

Picture Paints a Thousand Codes: Dissecting Image-Based Steganography in a .NET (Quasar) RAT Loader

Uncover how to identify malicious executable loaders that use steganography to deliver payloads such as Quasar RAT.
/en_us/blog/fragments/about-splunk
/en_us/blog/fragments/subscribe-footer