In this article we walk through creating the IAM user and role needed to import a Splunk SOAR (Phantom) .ova file into Amazon Web Services as an AMI, and then launching an instance from that AMI.
Create an IAM user
- Log in to the AWS account
- Go to Services, select S3, click Create bucket and give the bucket a unique name
- Select the closest region, leave all other options at their defaults and click 'Create bucket'
- Once the bucket is created, click 'Upload', go to 'File' and upload your .ova file to the S3 bucket.

- In the IAM console, click on Users

- Click on Add user

- Enter a User name, select Programmatic access under Access type and click Next

- Click on Attach existing policies directly
- Under Filter policies, search for ami and tick ami-import-policy
- Skip the next step of adding tags

- Review the user and create it

- Copy the access key ID and secret access key for the user and store them separately; the secret is shown only at this point and cannot be retrieved later

Install AWS-cli on your host machine
- Install aws-cli
- Optionally create a Python virtual environment; in any case Python needs to be installed on the machine

- Configure your aws-cli: run aws configure and enter the access key ID and secret that you copied while creating the IAM user (two steps above)
Create three files as below
- trust-policy.json
- role-policy.json
- containers.json
- The content of the three files is pasted at the end of this document

- Create the role from trust-policy.json with the command below
aws iam create-role --role-name vmimportphantom1 --assume-role-policy-document "file:///home/kj/Metron/Phantom/trust-policy.json"
- In the above command, vmimportphantom1 is the name you are assigning to the role; use the same name in the two commands that follow

- Attach role-policy.json to the role with the command below (the role name must match the one given to create-role)
aws iam put-role-policy --role-name vmimportphantom1 --policy-name vmimport --policy-document "file:///home/kj/Metron/Phantom/role-policy.json"

- Run the import using containers.json to convert the .ova file to an AMI; because the role is not called vmimport (the default name import-image looks for), pass it explicitly with --role-name
aws ec2 import-image --description "Phantom" --role-name vmimportphantom1 --disk-containers file:///home/kj/Metron/Phantom/containers.json

- Check the status of the conversion
- It should show completed in the statusMessage
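The file-creation, role and import steps above, as one added example script (not part of the original article, and not the article's own JSON files, whose content is given at the end of the document). The policy documents here follow the AWS VM Import/Export documentation, with the role's S3 permissions scoped to the import bucket only; vmimportphantom1, the bucket name and the .ova key are placeholders to change. Only the file generation and the consistency check run offline; the AWS CLI calls need a configured CLI and run only when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example: write trust-policy.json, role-policy.json and containers.json,
# then run create-role, put-role-policy and import-image with ONE role name so
# the three steps cannot drift apart. Policy documents follow the AWS VM Import
# docs (not the article's files); ROLE_NAME, BUCKET and OVA_KEY are placeholders.
set -eu

ROLE_NAME="${ROLE_NAME:-vmimportphantom1}"    # same name in all three commands
BUCKET="${BUCKET:-my-phantom-import-bucket}"  # placeholder: your S3 bucket
OVA_KEY="${OVA_KEY:-phantom.ova}"             # placeholder: key of the .ova

# Write the three JSON files into "$1".
write_import_files() {
  dir="$1"; mkdir -p "$dir"
  # Only the VM Import service may assume the role, and only with the fixed
  # external id "vmimport" that AWS documents for this role.
  cat > "$dir/trust-policy.json" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "vmie.amazonaws.com" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:Externalid": "vmimport" } }
  }]
}
EOF
  # S3 read access is limited to the import bucket instead of every bucket.
  cat > "$dir/role-policy.json" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::$BUCKET", "arn:aws:s3:::$BUCKET/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                 "ec2:RegisterImage", "ec2:Describe*"],
      "Resource": "*"
    }
  ]
}
EOF
  cat > "$dir/containers.json" <<EOF
[{
  "Description": "Phantom",
  "Format": "ova",
  "UserBucket": { "S3Bucket": "$BUCKET", "S3Key": "$OVA_KEY" }
}]
EOF
}

# The import fails if the role cannot read the bucket named in containers.json,
# so confirm that bucket is the one the role policy grants access to.
buckets_match() {
  b=$(sed -n 's/.*"S3Bucket": *"\([^"]*\)".*/\1/p' "$1/containers.json")
  [ -n "$b" ] && grep -q "\"arn:aws:s3:::$b\"" "$1/role-policy.json"
}

# The three CLI steps from the article, all using $ROLE_NAME; prints the task id.
run_import() {
  dir="$1"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "file://$dir/trust-policy.json"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name vmimport \
    --policy-document "file://$dir/role-policy.json"
  # --role-name is needed because the role is not called "vmimport".
  aws ec2 import-image --description "Phantom" --role-name "$ROLE_NAME" \
    --disk-containers "file://$dir/containers.json" \
    --query 'ImportTaskId' --output text
}

# Poll the task until its Status leaves "active"; succeeds only on "completed".
wait_for_import() {
  while :; do
    line=$(aws ec2 describe-import-image-tasks --import-task-ids "$1" \
      --query 'ImportImageTasks[0].[Status,Progress,StatusMessage]' --output text)
    echo "$line"
    case "${line%%[[:space:]]*}" in    # first tab-separated field is Status
      active)    sleep 30 ;;
      completed) return 0 ;;
      *)         echo "import ended with status: $line" >&2; return 1 ;;
    esac
  done
}

dir="${IMPORT_DIR:-$(mktemp -d)}"
write_import_files "$dir"
buckets_match "$dir" || { echo "bucket mismatch between files" >&2; exit 1; }
echo "wrote trust-policy.json, role-policy.json, containers.json to $dir"
if [ "${1:-}" = "run" ]; then
  wait_for_import "$(run_import "$dir")"
fi
```

Running the script without arguments only generates the files (into IMPORT_DIR, or a temporary directory) and checks them; running it with run then executes the same three commands as the article and waits for the import task to finish.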
Create Instance from AMI
- Log in to your EC2 account
- Navigate to AMIs and select the AMI that was created

- Click the Actions button and choose Launch instance

- After launching you will be redirected to Choose Instance Type to create the instance with the AMI
- Select c5.xlarge with 4 vCPUs and 8 GB RAM

- Configure your instance
- ** Select a Spot instance only if this installation is for internal use; for clients, do not check the Spot instance option

- Add Storage

- Add Tags

- Select Security and an existing Security Group
- ** To access the instance later, edit the Inbound Rules of the security group and change the source of the SSH and HTTPS entries to My IP
- Review and launch

- After the instance is launched, navigate to Instances and check your instance
- Open the public IP in the browser and the Splunk-Phantom UI will open
- Log in to it to access Splunk SOAR (Phantom)
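The security-group step above (SSH and HTTPS limited to My IP), done from the AWS CLI instead of the console, as an added example that is not part of the original article. The security group id is a placeholder; sg_ip_permissions runs offline, while apply_sg_rules needs a configured AWS CLI and only runs when the script is invoked with the argument run. The checkip.amazonaws.com lookup is how the script finds the caller's public address; change it if you want to pin a different address.

```shell
#!/bin/sh
# Added example: restrict inbound SSH (22) and HTTPS (443) on the instance's
# security group to a single /32, the same effect as choosing "My IP" in the
# console. GROUP_ID is a placeholder for your security group.
set -eu

GROUP_ID="${GROUP_ID:-sg-0123456789abcdef0}"   # placeholder: your security group

# Build the --ip-permissions JSON for ports 22 and 443 from one host CIDR.
# Anything that is not a single IPv4 host is refused, so a world-open rule
# (0.0.0.0/0) cannot be applied by accident through this path.
sg_ip_permissions() {
  cidr="$1"
  case "$cidr" in
    */0)  echo "refusing world-open CIDR $cidr" >&2; return 1 ;;
    *.*.*.*/32) ;;
    *)    echo "expected a single host CIDR (a.b.c.d/32), got $cidr" >&2; return 1 ;;
  esac
  printf '[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"IpRanges":[{"CidrIp":"%s","Description":"admin ssh"}]},' "$cidr"
  printf '{"IpProtocol":"tcp","FromPort":443,"ToPort":443,"IpRanges":[{"CidrIp":"%s","Description":"SOAR web UI"}]}]\n' "$cidr"
}

# Public address of this machine as a /32, like the console's "My IP" button.
my_ip_cidr() {
  printf '%s/32\n' "$(curl -fsS https://checkip.amazonaws.com)"
}

# Drop any world-open rule on the two ports (ignored if none exists), then add
# the host-scoped rules. Requires a configured AWS CLI.
apply_sg_rules() {
  perms=$(sg_ip_permissions "$1")
  for port in 22 443; do
    aws ec2 revoke-security-group-ingress --group-id "$GROUP_ID" \
      --protocol tcp --port "$port" --cidr 0.0.0.0/0 >/dev/null 2>&1 || true
  done
  aws ec2 authorize-security-group-ingress --group-id "$GROUP_ID" \
    --ip-permissions "$perms"
}

if [ "${1:-}" = "run" ]; then
  apply_sg_rules "$(my_ip_cidr)"
else
  # Offline: show the rule document for a documentation address (RFC 5737).
  sg_ip_permissions 203.0.113.5/32
fi
```

After applying, confirm with aws ec2 describe-security-groups --group-ids and the group id that only the single /32 appears as the source for ports 22 and 443.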