Exporting AWS WAF Logs to Splunk via S3

The following steps share an S3 bucket between two AWS accounts so that AWS WAF logs produced in one account (Account A) are delivered to a bucket in the other (Account B), from which Splunk reads them.

Step 1: Create an S3 bucket in Account B (the account where you want the logs to be stored)

  1. Sign in to the AWS Management Console in Account B.

  2. Navigate to the S3 service and click on 'Create bucket'.

  3. Provide a unique name for your bucket and select a region.

  4. Keep all the default configurations and create the bucket.

Step 2: Allow the AWS WAF in Account A to put objects into the S3 bucket in Account B

  1. Navigate to your newly created S3 bucket.

  2. Click on the 'Permissions' tab.

  3. Click on 'Bucket Policy'. Here, you will define a policy to allow AWS WAF in Account A to put objects (logs) into this bucket.

  4. Add a policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPutObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountA-ID:root"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::your-bucket-name/*"
        }
    ]
}

Replace AccountA-ID with the ID of Account A and your-bucket-name with the name of your newly created bucket. This policy allows the root user in Account A to put objects into this bucket.
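A check worth running on the bucket policy before attaching it, as an added example that is not part of this page: it parses the policy JSON and flags any Allow statement that grants more than s3:PutObject, grants it to a principal outside the expected account, or grants it on anything other than this bucket's objects. The account ID and bucket name below are constructed placeholders.

```python
import json

# Bucket policy from this page, with the placeholders filled in with
# constructed values: Account A = 111111111111, bucket = example-waf-logs.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPutObject",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-waf-logs/*",
    }],
})

ALLOWED_ACTIONS = {"s3:PutObject"}  # all the log producer needs


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_bucket_policy(policy_json, bucket, allowed_accounts):
    """Return one finding per Allow grant wider than intended (empty list = OK)."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{sid}: principal '*' lets anyone write to the bucket")
        else:
            for key in principal:
                if key != "AWS":
                    findings.append(f"{sid}: {key} principal is not covered by this check")
            for arn in _as_list(principal.get("AWS", [])):
                parts = arn.split(":")  # arn:aws:iam::<account>:root or a bare account ID
                account = parts[4] if len(parts) == 6 else arn
                if account not in allowed_accounts:
                    findings.append(f"{sid}: principal {arn} is not an allowed account")
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action} is wider than needed")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != f"arn:aws:s3:::{bucket}/*":
                findings.append(f"{sid}: resource {resource} is not {bucket}/*")
    return findings
```

The same function can be run on the Policy string returned by `aws s3api get-bucket-policy` to confirm what is actually attached matches what was intended.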

Step 3: Configure Cross-Account Access in AWS WAF

  1. Log into Account A (where AWS WAF is located).

  2. Navigate to the AWS WAF & Shield section.

  3. Choose the web ACL (listed under "WebACLs") you want to log from.

  4. Go to the "Logging" tab and click on "Add association".

  5. In the field for the S3 bucket, provide the ARN of the S3 bucket that you created in Account B (should be something like arn:aws:s3:::your-bucket-name).

  6. Choose the format of logs and save the settings.

Step 4: Set Up Splunk to Read Logs from the S3 Bucket in Account B

Now you have to set up Splunk to read the logs from the S3 bucket. You can do this with the Splunk Add-on for Amazon Web Services.

  1. Log into your Splunk instance.

  2. Install the "Splunk Add-on for Amazon Web Services" from Splunkbase.

  3. After installation, go to "Configuration" in the AWS add-on.

  4. Add a new AWS Account by providing the necessary details (Account Name, Key ID, Secret Key).

  5. Now, navigate to the "Inputs" tab and create a new input for "S3".

  6. Choose the name of the S3 bucket you set up for AWS WAF logging.

  7. Set up the necessary configuration details such as the interval for log checking, source type, index, etc.

  8. Click on "Add" to complete the configuration.

Now Splunk should start indexing logs from AWS WAF stored in the specified S3 bucket. You can create searches, alerts, and reports based on these logs in your Splunk instance.

Please remember that exporting data from AWS may incur additional costs depending on the volume of data and the chosen method of export. Always check the latest AWS pricing to understand the costs associated with your chosen approach.
