We configure all Cisco-managed buckets to use Amazon Server-Side Encryption with S3-Managed Keys (SSE-S3, AES-256). The encryption and keys are managed by AWS, meaning Cisco and the customer don’t exchange keys, but the data is still encrypted at rest. More information can be found on the AWS website by searching for “SSE-S3, AES-256.”
Access is provided to Cisco Managed S3 buckets using Amazon's IAM system. When the bucket is provisioned we provide the KEY and SECRET directly to the customer via the Umbrella Log Management UI, we do not store the customer keys even during the generation process. If a customer loses their keys there is no way to recover the keys, they will need to rotate the keys using the Umbrella Log Management UI.
The Cisco IAM user is able to write files to the S3 bucket, and the customer IAM user is able to read from the bucket. Customers are able to rotate their keys at any time.
Customer logs are also encrypted in transit between Cisco’s Log Management infrastructure and S3.
- Full administrative access to Cisco Umbrella.
- Navigate to Admin > Log Management and select Use a Cisco-managed Amazon S3 bucket.
- Select a Region and a Retention Duration.
- Select a Region—Regional endpoints are important to minimize latency when downloading logs to your servers. The regions match those available in Amazon S3, however not all regions are available. For example, China is not listed.
Pick the region that's closest to you from the dropdown. If you wish to change your region in the future, you will need to delete your current settings and start over.
- Select a Retention Duration—Select 7, 14, or 30 days. Beyond the selected time period, all data will be purged and cannot be retrieved. We recommend a smaller time period if your ingestion cycle is regular. The retention duration can be changed at any time.
- Click Save and then Continue to confirm your settings.
Umbrella activates its ability to export to an AWS S3 account. When activation is complete, the Amazon S3 Summary page appears.
- Copy credentials from this page and store them in a safe place. This is the only time that the Access and Secret keys are made available to you. These keys are required to access your S3 bucket and download logs. If you lose these keys they must be regenerated.
- Once keys are copied and safe, check Got it and then click Continue.
Note: Continue is unavailable until you check Got it.
When logging to a Cisco-managed S3 bucket is enabled, the download of files from that bucket must be configured so each log file is downloaded only once. Cisco reserves the right to suspend the downloading of logs from a Cisco-managed S3 bucket (through the rotation of keys or other methods) if log files are downloaded multiple times instead of once.
To download files from a Cisco-managed S3 bucket to your local directory, enter a command like the following:
aws s3 sync s3://DATAPATH /path/to/local/directory/
Detailed sample command:
aws s3 sync s3://cisco-managed-us-west-1/2069997_6ff2802af17337def701c2e7816cf14913zf848a /opt/splunk/etc/apps/TA-cisco_umbrella/data/
Note: The AWS command-line interface must be installed.
To run the command in test mode (without syncing files), use the
Note: When deleting downloaded files from the local directory, be sure to delete only files that are older than the Retention Duration value configured in the Umbrella dashboard. Otherwise, the next sync command will download the deleted files again.
Updated 3 months ago