Enable Logging to a Cisco-managed S3 Bucket

You can configure Secure Access to log events to an Amazon S3 bucket that Cisco manages. Cisco configures all Cisco-managed buckets to use Amazon Server-Side Encryption with S3-Managed Keys (SSE-S3, AES-256). The encryption and keys are managed by AWS, meaning Cisco and the customer don’t exchange keys, but the data is still encrypted at rest. More information can be found on the AWS website by searching for “SSE-S3, AES-256”.

Secure Access provides access to Cisco Managed S3 buckets using Amazon's IAM system. When the S3 bucket is provisioned, Secure Access provides the KEY and SECRET directly to you through the Secure Access Log Management UI. Secure Access does not store your keys during the generation process. If you lose your keys, you can not recover them. Instead, you must rotate the keys using the Secure Access Log Management UI.

The Cisco IAM user can write files to the S3 bucket, and the customer IAM user can read from the bucket. Customers can rotate their keys at any time.

Customer logs are also encrypted in transit between Cisco’s Log Management infrastructure and S3.

Table of Contents

Prerequisites

Procedure

  1. Navigate to Admin > Log Management and in the Amazon S3 area select Use a Cisco-managed Amazon S3 bucket.
978
  1. Select a Region and a Retention Duration.
975
  • Select a Region—Regional endpoints are important to minimize latency when downloading logs to your servers. The regions match those available in Amazon S3; however, not all regions are available. For example, China is not listed.
    Pick a region that is closest to you. If you wish to change your region in the future, you will need to delete your current settings and start over.
  • Select a Retention Duration—Select 7, 14, or 30 days. Beyond the selected time period, all data will be purged and cannot be retrieved. We recommend a smaller time period if your ingestion cycle is regular. The retention duration can be changed at any time.
  1. Click Save and then Continue to confirm your settings.
700

Secure Access activates its ability to export to an AWS S3 account. When activation is complete, the Amazon S3 Summary page appears.

700 700
  1. Copy credentials from this page and store them in a safe place. This is the only time that the Access and Secret keys are made available to you. These keys are required to access your S3 bucket and download logs. If you lose these keys, they must be regenerated.
  2. Once keys are copied and safe, select Got it and then click Continue.
    Note: Continue is unavailable until you check Got it.
973

S3 Bucket Data Path

The Secure Access Amazon S3 Summary page provides the Data Path to your Amazon bucket. A Secure Access data path contains the following path fields:

<AWS S3 bucket name>-<AWS region>/<AWS S3 bucket directory prefix>
  1. AWS S3 bucket name and AWS region—the name of the AWS S3 bucket managed by Cisco (cisco-managed), a dash (-), and the AWS region.
  2. AWS S3 bucket directory prefix—the directory prefix (customer folder name) to the Cisco-managed AWS S3 bucket.

Sample S3 Bucket Data Path:

cisco-managed-us-west-1/2069997_6ff2802af17337def701c2e7816cf14913zf848a

Use the data path to your Cisco-managed S3 bucket to:

  • Download log files with the AWS CLI.
  • Set up your AWS S3 bucket with the Cisco Cloud Security App for Splunk. The Cisco Cloud Security App for Splunk enables you to analyze your Umbrella logs found in your AWS S3 bucket. For more information, see Cisco Cloud Security App for Splunk.

Download Files From the S3 Bucket Locally

You can use the Amazon command-line interface (CLI) to download files from a Cisco-managed S3 bucket to your local directory.

Prerequisites

Run the AWS CLI to download your files from a Cisco-managed S3 bucket to your local directory. To run the AWS CLI command in test mode (without syncing files), use the --dryrun flag.

AWS CLI command syntax:

aws s3 sync s3://DATAPATH/ /path/to/local/directory/

Note: You must append a forward slash (/) to the DATAPATH.

Detailed sample command:

aws s3 sync s3://cisco-managed-us-west-1/2069997_6ff2802af17337def701c2e7816cf14913zf848a/ /opt/splunk/etc/apps/TA-cisco_umbrella/data/

Best Practices: Download Files From the S3 Bucket

  • When you download files from a Cisco-managed S3 bucket, ensure that you only download one copy of each log file. If you download log files multiple times, Cisco reserves the right to suspend the download of logs from a Cisco-managed S3 bucket (through the rotation of keys or other methods).
  • When you delete downloaded files from the local directory, only delete files that are older than the Retention Duration value configured in Secure Access. Otherwise, the next sync command will download the deleted files again.

Enable Logging to Your Own S3 Bucket < Enable Logging to a Cisco-managed S3 Bucket > Change the Location of Event Data Logs