Multiple options exist to move Splunk to the cloud. This paper highlights security standards and administrative access capabilities and limitations of several options for Splunk in the cloud. The Infrastructure as a Service (IaaS) models of Amazon Web Services (AWS) GovCloud, Google Cloud Platform (GCP) and Microsoft Azure Government as well as the Software as a Service (SaaS) managed Splunk Cloud service offering in the AWS GovCloud are discussed.
The chart below describes the authorized Federal Risk and Authorization Management Program (FedRAMP) and Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG) Impact Levels (IL) for several Cloud Service Provider (CSP) platforms available to support Splunk in the cloud.
Cloud Service Provider |
Service Type |
FedRAMP Impact Level |
DoD CC SRG Impact Level |
Supported Splunk Version |
Storage of Personally Identifiable Information (PII) (minimum IL4) |
Storage of Personal Health Information (PHI) (minimum IL4) |
AWS GovCloud |
IaaS PaaS |
High |
2, 4, 5 |
All |
Yes |
Yes |
Google Cloud |
IaaS PaaS |
High |
2, 4 (beta) |
All |
Yes (in limited beta regions) |
Yes (in limited beta regions) |
Microsoft Azure Government |
IaaS PaaS |
High |
2, 4, 5 |
All |
Yes |
Yes |
Splunk Cloud (in AWS GovCloud) |
SaaS |
Moderate |
2 |
Depends on FedRAMP accreditation; currently v7.2.9 |
No (DoD CC SRG 3.2.4) |
No (DoD CC SRG 3.2.4) |
AWS GovCloud and Microsoft Azure Government are approved at FedRAMP High and up to DoD CC SRG IL5. Already FedRAMP High and DoD CC SRG IL2 approved, GCP is in the approval process for IL4. Splunk Cloud is approved at FedRamp Moderate and DoD CC SRG IL2. IL2 is not approved for Controlled Unclassified Information (CUI), which includes PII and PHI, per the Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3, 6 March 2017, Section 3.2.2. The minimum impact level for PII and PHI is IL4.
A difference between the IaaS options and the SaaS offering of Splunk Cloud is that in IaaS, the customer is responsible for all Splunk licensing, maintenance and administration while in Splunk Cloud the customer is responsible for the user accounts, policies and procedures involved with using the application. In IaaS, customer Splunk administrators have full access, and also full responsibility, for Splunk. In Splunk Cloud, the customer isn’t responsible for updating or maintaining the Splunk application in the cloud and customer Splunk administrators don’t have rights to the command line interface (CLI) or the underlying file system, but some Splunk components must still be maintained on-premise, depending on configuration.
Cloud Service Provider |
Customer Splunk Admin Access |
Customer Responsible for Splunk Maintenance |
Multi-tenant |
Customer Can Install/Update Locally Developed Apps |
Costs to Move Data out of Cloud |
AWS GovCloud |
Yes |
Yes |
Can deploy multi-instance, hierarchical Splunk model |
Yes |
Yes |
Google Cloud |
Yes |
Yes |
Can deploy multi-instance, hierarchical Splunk model |
Yes |
Yes |
Microsoft Azure Government |
Yes |
Yes |
Can deploy multi-instance, hierarchical Splunk model |
Yes |
Yes |
Splunk Cloud (in AWS GovCloud) |
No command line or file system access |
Only for components remaining on-premise |
No |
Yes, if app passes validation checks in AppInspect |
Yes |
Federal Risk and Authorization Management Program (FedRAMP) is a government program that provides a standard method for assessing security, authorization and continuous monitoring of cloud products/services. FedRAMP is based on NIST SP 800-53 Rev 4 security controls and includes additional controls specifically related to cloud computing.
FedRAMP defines Impact Levels as Low, Moderate and High based on the Confidentiality, Integrity and Availability of the system.
Low: Information for public release; data loss has little agency impact
Moderate: Data not available to the public, including Personally Identifiable Information (PII); data loss would have serious agency impact
High: Sensitive federal information, such as healthcare, emergency services and law enforcement data; data loss would have critical agency impact
The Department of Defense (DoD) publishes a Cloud Computing Security Requirements Guide (DoD CC SRG). FedRAMP Moderate equates to the minimum baseline for all DoD CC SRG Provisional Authorizations (PA). A summary of the DoD CC SRG Impact Levels are listed below.
IL2: Information for public release
IL4: Controlled Unclassified Information (CUI), including Privacy Information (including PII), PHI, For Official Use Only (FOUO) and others
IL5: CUI and National Security Systems (NSS), Mission Critical Information
IL6: SECRET classified information and below
The chart below summarizes impact levels and requirements.
IL2 allows foreign nationals to support the cloud products and services of a CSP. The use of foreign nationals is prohibited at IL4 and above.
IaaS differs from offering Software as a Service (SaaS). Using a CSP’s IaaS offering and bringing your own license (BYOL) means the customer bears all responsibility for configuration, administration and maintenance of applications loaded by the customer in the cloud while the cloud provider maintains the infrastructure. The customer is responsible for selecting virtual server types, installing, patching and upgrading application software, backups, user accounts, licensing and all other system maintenance and administration. In SaaS, the customer uses the application provided by the Cloud Service Provider (CSP), and the CSP manages everything else.
AWS GovCloud is authorized at FedRAMP High and is DoD SRG authorized at IL 2, 4 and 5. AWS provides a physically and logically isolated cloud environment specific to government customers called AWS GovCloud. Service models include Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) in a government community cloud.
In AWS, FedRAMP authorization is restricted to the AWS GovCloud region. It is not available in commercial AWS regions.
The customer is responsible for managing and administering the entire Splunk deployment, including upgrades, horizontal and vertical scaling, backups, disaster recovery, application security, licensing, etc.
There is a cost associated with moving data out of AWS GovCloud, such as when copying data to the customer site.
GCP is authorized at a High Impact Level and is DoD CC SRG authorized at IL2 with IL4 in beta. Service models include Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) deployed in a public cloud.
Unlike AWS GovCloud and Microsoft Azure Government, GCP doesn’t offer a separate cloud environment for government customers. GCP is not yet approved at DoD CC SRG IL4.
The customer is responsible for managing and administering the entire Splunk deployment, including upgrades, horizontal and vertical scaling, backups, disaster recovery, application security, licensing, etc.
There is a cost associated with moving data out of Google Cloud, such as when copying data to the customer site.
Microsoft Azure Government is authorized at a High Impact Level and DoD CC SRG Levels 2, 4 and 5. Service models include Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) deployed in a government community cloud.
The customer is responsible for managing and administering the entire Splunk deployment, including upgrades, horizontal and vertical scaling, backups, disaster recovery, application security, licensing, etc.
There is a cost associated with moving data out of Microsoft Azure, such as when copying data to the customer site.
Splunk Cloud is a Software as a Service (SaaS) offering from Splunk that is available in the AWS GovCloud (US). It provides Splunk Enterprise as a cloud service.
Splunk Cloud is authorized at a FedRAMP Moderate Impact Level and DoD CC SRG IL2. The service model is Software as a Service (SaaS) deployed in the AWS GovCloud.
DOD CC SRG IL2 is for public or non-critical mission information. It is not authorized for CUI.
FedRAMP approval is tied to the specific software version. Currently, Splunk Cloud is only authorized for Splunk Enterprise version 7.2.9. No upgrades from that version are possible until a new FedRAMP approval is received.
Some on-premises Splunk components will require maintenance and administration, including the Universal Forwarders, Heavy Forwarders (if apps such as sa-ldapsearch, DBConnect, NetApp, or VMware are required, or for parsing data prior to ingest) and existing Deployment Servers. A hybrid search head will also be needed on-premise if there is a requirement to search both a Splunk Cloud and on-prem environments.
There is a cost associated with moving data out of Splunk Cloud, such as when copying data to the customer site.
Options to move Splunk to the cloud include the IaaS models of AWS GovCloud, GCP and Microsoft Azure as well as the SaaS model of Splunk Cloud. AWS GovCloud and Microsoft Azure have the highest authorized FedRAMP and Dod CC SRG Impact Levels (FedRAMP High and DoD CC SRG 2, 4, 5). Google Cloud is authorized FedRAMP High and DoD CC SRG IL 2, while Splunk Cloud is authorized at FedRAMP Moderate with DoD CC SRG IL2. IaaS models allow the greatest amount of flexibility in customer Splunk administration by allowing full customer administrator rights. The SaaS (Splunk Cloud) model allows the least amount of flexibility in customer Splunk administration by allowing the least amount of customer administration rights.
Amazon, AWS GovCloud (US) - Amazon Web Services
Amazon, AWS GovCloud (US) Compared to Standard AWS Regions - AWS GovCloud (US)
Amazon, Splunk Enterprise on the AWS Cloud
Department of Defense, DEPARTMENT OF DEFENSE CLOUD COMPUTING SECURITY REQUIREMENTS GUIDE Version 1, Release3
DHS, DHS Sensitive Systems Handbook 4300A v12.0
FedRAMP, Amazon AWS GovCloud
FedRAMP, Google Cloud Platform
FedRAMP, Microsoft - Azure Government (Includes Dynamics 365)
FedRAMP, Splunk - Splunk Cloud
Google, Impact Level 4 - Compliance
Gupta, Sandeep, New HIPAA and PCI-DSS Compliance Attestations for Splunk Cloud
Microsoft. US Department of Defense (DoD) Provisional Authorization - Microsoft Compliance
Rice, Ron. Cloud Computing Security Requirements Guide
Splunk, Public Sector | Industries | Solutions
Splunk, Splunk Cloud Security Addendum
Splunk, Splunk Cloud Service Details
Splunk, SPLUNK® AND AMAZON WEB SERVICES (AWS)
Wilmer, John W. III, Treatment of Personally Identifiable Information within Information Impact Level 2 Commercial Cloud Services for the Department of Defense
Yuen, Colin and Stevan Vidich, Microsoft Azure Compliance Offerings