In the following article, we'll walk you through importing a Splunk SOAR (Phantom) .ova file into Amazon Web Services as an AMI and launching an instance from it.

Upload the .ova file to S3 and create an IAM user

  • Log in to the AWS account.
  • Go to Services, select S3, choose Create bucket and give it a unique name.
  • Select the closest region, leave all other options at their defaults and hit ‘Create bucket’.
  • Once the bucket is created, hit the ‘Upload’ button, choose ‘Files’ and upload your .ova file to the S3 bucket.
  • Go to the IAM service and click on Users.
  • Click on Add user.
  • Enter a user name, tick Programmatic access under Access type and click Next.
  • Click on Attach existing policies directly.
  • Under Filter policies search for ami and tick ami-import-policy.
  • Skip the next step of adding tags.
  • Review the user and create it.
  • Copy the access key ID and secret access key for the user and save them separately; the secret is shown only once, at creation time.

Install the AWS CLI on your host machine

  • Install the AWS CLI.
  • Optionally install a Python virtual environment; either way, Python needs to be installed on the machine.
  • Configure your AWS CLI.
  • Type aws configure and enter the access key ID and secret access key that you copied while creating the IAM user above.

Create the three files below
  • trust-policy.json
  • role-policy.json
  • containers.json
  • The content of the three files is pasted at the end of this document.
  • Create the role with trust-policy.json using the command below:
  • aws iam create-role --role-name vmimportphantom1 --assume-role-policy-document "file:///home/kj/Metron/Phantom/trust-policy.json"
  • In the above command vmimportphantom1 is the name you are assigning to the role. Use the same role name in the put-role-policy command that follows; note that the import-image command below does not pass --role-name, so the VM Import service looks for a role called vmimport unless you add that option.
  • Attach role-policy.json to the role with the command below:
  • aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file:///home/kj/Metron/Phantom/role-policy.json"
  • Run the import with containers.json to convert the .ova file to an AMI:
  • aws ec2 import-image --description "Phantom" --disk-containers file:///home/kj/Metron/Phantom/containers.json
  • Check the status of the conversion with aws ec2 describe-import-image-tasks, passing the ImportTaskId returned by the previous command.
  • The conversion is finished when the task's Status shows completed; until then StatusMessage reports the current stage (validating, converting, preparing ami and so on).
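The three files and the import commands from this section, as one added example script (not the guide's own files or commands; written against the AWS CLI and the AWS VM Import documentation). The bucket name, object key, role name and working directory are placeholders supplied on the command line. The trust policy uses the standard vmie.amazonaws.com principal with the fixed ExternalId "vmimport"; the role policy is scoped to the single bucket that holds the .ova rather than to all of S3, which is the least-privilege form of what the import needs. It also folds in the S3 bucket creation and upload from the first section so the whole import runs from a terminal.

```shell
#!/bin/sh
# Added example (not from the original guide): writes the three JSON files the
# guide refers to, uploads the .ova and runs the import with the AWS CLI.
# Bucket name, S3 key, role name and working directory are placeholders that
# the caller passes in.
set -eu

# Trust policy: lets the VM Import service (vmie.amazonaws.com) assume the role.
# The ExternalId "vmimport" is fixed by the VM Import/Export service.
write_trust_policy() {   # $1 = output path
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "vmie.amazonaws.com" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:Externalid": "vmimport" } }
  }]
}
EOF
}

# Role policy, scoped to the one bucket holding the .ova rather than to all S3.
write_role_policy() {   # $1 = output path, $2 = bucket name
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::$2", "arn:aws:s3:::$2/*"] },
    { "Effect": "Allow",
      "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                 "ec2:RegisterImage", "ec2:Describe*"],
      "Resource": "*" }
  ]
}
EOF
}

# Disk container: where import-image finds the .ova and what format it is in.
write_containers() {   # $1 = output path, $2 = bucket, $3 = key of the .ova
  cat > "$1" <<EOF
[{
  "Description": "Phantom OVA",
  "Format": "ova",
  "UserBucket": { "S3Bucket": "$2", "S3Key": "$3" }
}]
EOF
}

# Exit 0 when the import task has reached a state that will not change further.
is_terminal_status() {   # $1 = Status from describe-import-image-tasks
  case "$1" in
    completed|deleted) return 0 ;;
    *) return 1 ;;
  esac
}

# Creates the role, attaches the inline policy, starts the import and prints
# the ImportTaskId. Passing --role-name explicitly avoids depending on the
# service's default role name "vmimport".
start_import() {   # $1 = dir with the json files, $2 = role name
  aws iam create-role --role-name "$2" \
    --assume-role-policy-document "file://$1/trust-policy.json" >/dev/null
  aws iam put-role-policy --role-name "$2" --policy-name "$2" \
    --policy-document "file://$1/role-policy.json"
  aws ec2 import-image --description "Phantom" --role-name "$2" \
    --disk-containers "file://$1/containers.json" \
    --query 'ImportTaskId' --output text
}

# Polls the task every 30 s and succeeds only when it ends as "completed".
wait_for_import() {   # $1 = ImportTaskId
  while :; do
    state=$(aws ec2 describe-import-image-tasks --import-task-ids "$1" \
      --query 'ImportImageTasks[0].[Status,Progress,StatusMessage]' --output text)
    echo "$1: $state"
    status=$(printf '%s\n' "$state" | cut -f1)   # text output is tab-separated
    is_terminal_status "$status" && break
    sleep 30
  done
  [ "$status" = "completed" ]
}

main() {   # usage: sh import-ova.sh --run BUCKET OVA_FILE S3_KEY [ROLE]
  bucket=$1; ova=$2; key=$3; role=${4:-vmimport}
  dir=$(mktemp -d)
  aws s3 mb "s3://$bucket"                # same as "Create bucket" in the console
  aws s3 cp "$ova" "s3://$bucket/$key"    # same as "Upload" in the console
  write_trust_policy "$dir/trust-policy.json"
  write_role_policy "$dir/role-policy.json" "$bucket"
  write_containers "$dir/containers.json" "$bucket" "$key"
  task=$(start_import "$dir" "$role")
  wait_for_import "$task"
}

if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Run it as `sh import-ova.sh --run my-ova-bucket phantom.ova phantom/phantom.ova`; without `--run` it only defines the functions, so the pieces can be reused individually. The script fails (non-zero exit) if the task ends in any state other than completed, so it can sit in a larger provisioning pipeline.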

Create an instance from the AMI

  • Log in to your EC2 console.
  • Navigate to AMIs.
  • Select the AMI that was created.
  • Open the Actions menu.
  • Launch the instance.
  • After launching you will be redirected to Choose Instance Type to create the instance from the AMI.
  • Select c5.xlarge with 4 vCPUs and 8 GB RAM.
  • Configure your instance.
  • ** Select a Spot instance if you are going to use this installation for internal use; for client deployments do not tick the Spot instance option, since AWS can reclaim Spot capacity at short notice.
  • Add Storage.
  • Add Tags.
  • Select Security and an existing security group.
  • ** To access the instance later, edit the Inbound Rules of the security group and change the source of the SSH and HTTPS entries to My IP.
  • Review and launch.
  • After the instance is launched, navigate to Instances and check your instance.
  • Open the public IP in the browser and the Splunk Phantom UI will open.
  • Log in to it to access Splunk SOAR (Phantom).
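The security-group and launch steps above, as an added example script done with the AWS CLI instead of the console (not the guide's own commands). The AMI id, VPC id, subnet id and key-pair name are placeholders passed on the command line; the "My IP" lookup assumes outbound HTTPS to checkip.amazonaws.com works from the host. The one piece of logic worth testing is the address check: a rule with source 0.0.0.0/0 would expose SSH and the Phantom UI to the whole internet, so the script only accepts a single IPv4 address and always turns it into a /32.

```shell
#!/bin/sh
# Added example (not from the original guide): the security-group and launch
# steps done with the AWS CLI. AMI id, VPC id, subnet id and key-pair name are
# placeholders supplied by the caller.
set -eu

# Converts one IPv4 address into the /32 CIDR a rule needs when the source is
# "My IP"; rejects anything that is not four dotted octets in 0-255, so a
# stray "0.0.0.0/0" cannot slip into the rule.
ip_to_cidr() {   # $1 = IPv4 address; prints the CIDR or returns 1
  ip=$1
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  printf '%s/32\n' "$ip"
}

# The address the console's "My IP" option uses; assumes outbound HTTPS works.
my_ip() { curl -fsS https://checkip.amazonaws.com; }

# Security group that admits only SSH and HTTPS, and only from one source CIDR;
# prints the group id.
create_admin_sg() {   # $1 = VPC id, $2 = source CIDR
  sg=$(aws ec2 create-security-group --group-name soar-admin \
        --description "Splunk SOAR admin access from a single address" \
        --vpc-id "$1" --query 'GroupId' --output text)
  for port in 22 443; do
    aws ec2 authorize-security-group-ingress --group-id "$sg" \
      --protocol tcp --port "$port" --cidr "$2" >/dev/null
  done
  echo "$sg"
}

# Launches the imported AMI as a c5.xlarge (4 vCPU, 8 GiB), optionally as a
# Spot instance for internal use; prints the instance id.
launch_soar() {   # $1 = AMI id, $2 = SG id, $3 = key pair, $4 = subnet id, $5 = "spot" or ""
  market=""
  [ "${5:-}" = "spot" ] && market="--instance-market-options MarketType=spot"
  aws ec2 run-instances --image-id "$1" --instance-type c5.xlarge \
    --security-group-ids "$2" --key-name "$3" --subnet-id "$4" \
    --associate-public-ip-address $market \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=splunk-soar}]' \
    --query 'Instances[0].InstanceId' --output text
}

# Waits until the instance is running and prints its public IP (open it in a
# browser for the Phantom UI).
public_ip() {   # $1 = instance id
  aws ec2 wait instance-running --instance-ids "$1"
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].PublicIpAddress' --output text
}

main() {   # usage: sh launch-soar.sh --run AMI_ID VPC_ID SUBNET_ID KEY_PAIR [spot]
  cidr=$(ip_to_cidr "$(my_ip)")
  sg=$(create_admin_sg "$2" "$cidr")
  id=$(launch_soar "$1" "$sg" "$4" "$3" "${5:-}")
  echo "instance $id reachable at https://$(public_ip "$id")"
}

if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Run it as `sh launch-soar.sh --run ami-xxxxxxxx vpc-xxxxxxxx subnet-xxxxxxxx my-keypair` (add `spot` as the last argument for an internal-use Spot instance). Because the group is created with exactly two rules from one /32, nothing else is reachable until you deliberately widen it.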