Enable Logging to a Cisco-managed S3 Bucket

You can set up Umbrella to log events to an Amazon S3 bucket which Cisco manages. We configure all Cisco-managed buckets to use Amazon Server-Side Encryption with S3-Managed Keys (SSE-S3, AES-256). The encryption and keys are managed by AWS, meaning Cisco and the customer don’t exchange keys, but the data is still encrypted at rest. More information can be found on the AWS website by searching for “SSE-S3, AES-256”.

Umbrella provides access to Cisco Managed S3 buckets using Amazon's Identity and Access Management (IAM) system. When the S3 bucket is provisioned, Umbrella provides the KEY and SECRET directly to you through the Umbrella Log Management UI. We do not store your keys during the generation process. If you lose your keys, you can not recover the keys. Instead, you must rotate the keys using the Umbrella Log Management UI.

The Cisco IAM user is able to write files to the S3 bucket, and the customer IAM user is able to read from the bucket. Customers are able to rotate their keys at any time.

Customer logs are also encrypted in transit between Cisco’s Log Management infrastructure and S3.

Table of Contents



  1. Navigate to Admin > Log Management and select Use a Cisco-managed Amazon S3 bucket.
  1. Select a Region and a Retention Duration.
  • Select a Region—Regional endpoints are important to minimize latency when downloading logs to your servers. The regions match those available in Amazon S3, however not all regions are available. For example, China is not listed.
    Pick the region that's closest to you from the dropdown. If you wish to change your region in the future, you will need to delete your current settings and start over.
  • Select a Retention Duration—Select 7, 14, or 30 days. Beyond the selected time period, all data will be purged and cannot be retrieved. We recommend a smaller time period if your ingestion cycle is regular. The retention duration can be changed at any time.
  1. Click Save and then Continue to confirm your settings.

Umbrella activates its ability to export to an AWS S3 account. When activation is complete, the Amazon S3 Summary page appears.

700 700
  1. Copy credentials from this page and store them in a safe place. This is the only time that the Access and Secret keys are made available to you. These keys are required to access your S3 bucket and download logs. If you lose these keys they must be regenerated.
  2. Once keys are copied and safe, check Got it and then click Continue.
    Note: Continue is unavailable until you check Got it.

Enable Logging of HTTPS Query Parameters

Once activated, you can optionally enable logging of the full HTTPS request, including the query parameters, to your S3 Bucket. This allows you to view the HTTPS query section of a URL, which is not visible within the Umbrella reporting dashboard due to potentially personal or sensitive user information. Visibility into the query parameters of individual search requests can allow you to flag problematic queries for intervention and ensure the security of your users.

Note: HTTPS Query parameters may contain personal or sensitive content. Manage logged data appropriately.

  1. Navigate to Admin > Log Management.
  2. To enable logging HTTPS query parameters to an S3 Bucket, click on the toggle button next to Log HTTPS Query.
  1. A pop-up window, appears. Read the message, check the checkbox, and click Agree.

S3 Bucket Data Path

The Umbrella Amazon S3 Summary page provides the Data Path to your Amazon bucket. An Umbrella data path contains the following path fields:

<AWS S3 bucket name>-<AWS region>/<AWS S3 bucket directory prefix>
  • AWS S3 bucket name and AWS region—the name of the AWS S3 bucket managed by Cisco (cisco-managed), a dash (-), and the AWS region.
  • AWS S3 bucket directory prefix—the directory prefix (customer folder name) to the Cisco-managed AWS S3 bucket.

Sample S3 Bucket Data Path:


Use the data path to your Cisco-managed S3 bucket to:

  • Download log files with the AWS CLI.
  • Set up your AWS S3 bucket with the Cisco Cloud Security App for Splunk. The Cisco Cloud Security App for Splunk enables you to analyze your Umbrella logs found in your AWS S3 bucket. For more information, see Cisco Cloud Security App for Splunk.

Download Files From the S3 Bucket Locally

You can use the Amazon command-line interface (CLI) to download files from a Cisco-managed S3 bucket to your local directory.


You can run the AWS CLI to download your files from a Cisco-managed S3 bucket to your local directory. To run the AWS CLI command in test mode (without syncing files), use the --dryrun flag.

AWS CLI command syntax:

aws s3 sync s3://DATAPATH/ /path/to/local/directory/

Note: You must append a forward slash (/) to the DATAPATH.

Detailed sample command:

aws s3 sync s3://cisco-managed-us-west-1/2069997_6ff2802af17337def701c2e7816cf14913zf848a/ /opt/splunk/etc/apps/TA-cisco_umbrella/data/

Best Practices: Download Files From the S3 Bucket

  • When you download files from a Cisco-managed S3 bucket, ensure that you only download one copy of each log file. If you download log files multiple times, Cisco reserves the right to suspend the download of logs from a Cisco-managed S3 bucket (through the rotation of keys or other methods).
  • When you delete downloaded files from the local directory, be sure to delete only files that are older than the Retention Duration value configured in the Umbrella dashboard. Otherwise, the next sync command will download the deleted files again.

Enable Logging to Your Own S3 Bucket < Enable Logging to a Cisco-managed S3 Bucket > Change the Location of Event Data Logs