Cisco Secure Access S3 Bucket Key Rotation API, Overview

S3 Bucket Key Rotation

The Cisco Secure Access S3 Bucket Key Rotation API enables you to refresh the key for an organization's Cisco-managed S3 bucket. You can find the Secure Access S3 Bucket Key Rotation API endpoint under the admin scope.

Overview

Best Practices: Rotating a Cisco-Managed S3 Bucket Key

Note: For the first key rotation, you must refresh the Cisco-managed S3 bucket key manually. For more information, see Enable Logging to a Cisco-Managed S3 Bucket.

Secure Access requires that an organization with a Cisco-managed S3 bucket rotate the IAM key credentials on their S3 bucket every 90 days.

Rotating IAM keys every 90 days applies only to Cisco-managed S3 buckets, not to self-managed S3 buckets. If your organization is unable to rotate the IAM keys on its Cisco-managed S3 bucket, we recommend that the organization use a self-managed Amazon S3 bucket.

Note: If the IAM keys on a Cisco-managed S3 bucket are not rotated within 90 days from when the keys were last rotated, the organization will lose access to the Cisco-managed S3 bucket. Secure Access continues to log events to the Cisco-managed S3 bucket, but the S3 bucket is not accessible.

General Availability: S3 Bucket Key Rotation API

The Secure Access S3 Bucket Key Rotation API is generally available (GA).

If the Secure Access S3 Bucket Key Rotation API is not enabled in your organization, you cannot use the API to refresh the key credentials for the organization's Cisco-managed S3 bucket. Secure Access responds with an error condition, for example:

{
    "timestamp": "2025-05-15T04:51:11",
    "status": 200,
    "error": "Not found IAM key info for orgId: 1234567",
    "path": "/iam/rotate-key"
}
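The 90-day rule and the error body above can be combined into a monitoring check. This is an added example, not Cisco's code: the function names, the 14-day warning window, and the practice of recording the last rotation time yourself are assumptions, and the error body is the one shown on this page.

```python
import json
from datetime import datetime, timedelta, timezone

ROTATION_INTERVAL = timedelta(days=90)  # from the page: rotate every 90 days
WARN_WINDOW = timedelta(days=14)        # assumption: alert lead time before the deadline

# Error body copied from this page. Note that it carries "status": 200.
PAGE_ERROR_BODY = """{
    "timestamp": "2025-05-15T04:51:11",
    "status": 200,
    "error": "Not found IAM key info for orgId: 1234567",
    "path": "/iam/rotate-key"
}"""
# Constructed body with no "error" field; the page does not show a success body.
CONSTRUCTED_NO_ERROR_BODY = '{"status": 200}'


def rotation_state(last_rotated, now):
    """Return (state, deadline); state is 'ok', 'due_soon' or 'expired'."""
    deadline = last_rotated + ROTATION_INTERVAL
    if now >= deadline:  # conservative: treat the deadline instant as expired
        return "expired", deadline
    if now >= deadline - WARN_WINDOW:
        return "due_soon", deadline
    return "ok", deadline


def rotation_error(body_text):
    """Return the error message reported in a response body, or None.

    The "status" field is ignored on purpose: the sample error on this page
    reports 200, so only the presence of "error" marks a failed rotation.
    """
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError:
        return "unparseable response body"
    if not isinstance(body, dict):
        return "unexpected response shape"
    err = body.get("error")
    return str(err) if err else None


if __name__ == "__main__":
    last = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed sample date
    print(rotation_state(last, datetime(2025, 3, 25, tzinfo=timezone.utc)))
    print(rotation_error(PAGE_ERROR_BODY))
```

Only update the stored last-rotation time when `rotation_error` returns `None`; otherwise a failed call that reports 200 would silently reset the 90-day clock in your own records.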

Rate Limits for S3 Bucket Key Rotation

Secure Access enables rate limits on the S3 Bucket Key Rotation API. For more information, see Rate Limits > Admin.

Request Headers

Unless specified, the Secure Access API endpoints use JSON for all requests and responses.

Note: For POST, PUT, and PATCH operations, set the HTTP Content-Type header to application/json in your API request.

S3 Bucket Key Rotation API Endpoints