Cisco Umbrella S3 Bucket Key Rotation API, Overview

S3 Bucket Key Rotation

The Cisco Umbrella S3 Bucket Key Rotation API enables you to refresh the key for an organization's Cisco-managed S3 bucket. You can find the Umbrella S3 Bucket Key Rotation API endpoint under the admin scope.

Overview

• Best Practices: Rotating a Cisco-Managed S3 Bucket Key
• General Availability: S3 Bucket Key Rotation API
• Rate Limits for Admin API Endpoints
• Request Headers
• Umbrella S3 Bucket Key Rotation API Endpoints

Best Practices: Rotating a Cisco-Managed S3 Bucket Key

Note: For the first key rotation, you must refresh the Cisco-managed S3 bucket key manually.

Beginning on May 15, 2025, Umbrella requires that an organization with a Cisco-managed S3 bucket rotate the IAM key credentials on their S3 bucket every 90 days.

Rotating IAM keys every 90 days only applies to Cisco-managed S3 buckets not self-managed S3 buckets. If your organization is unable to rotate the IAM keys on their Cisco-managed S3 bucket, we recommend that the organization uses a self-managed Amazon S3 bucket.

Note: If the IAM keys on a Cisco-managed S3 bucket are not rotated within 90 days from when the keys were last rotated, the organization will lose access to the Cisco-managed S3 bucket. Umbrella continues to log events to the Cisco-managed S3 bucket, but the S3 bucket is not accessible.

General Availability: S3 Bucket Key Rotation API

The Umbrella S3 Bucket Key Rotation API is generally available. Umbrella plans to rollout the S3 Bucket Key Rotation API during May 2025 to all organizations.

If the Umbrella S3 Bucket Key Rotation API is not enabled in your organization, you can not use the API to refresh the key credentials for the organization's Cisco-managed S3 bucket. Umbrella responds with an error condition, for example:

{
    "timestamp": "2025-05-15T04:51:11",
    "status": 200,
    "error": "Not found IAM key info for orgId: 1234567",
    "path": "/iam/rotate-key"
}

Rate Limits for Admin API Endpoints

Umbrella enables rate limits on the S3 Bucket Key Rotation API. For more information, see Rate Limits > Admin.

Request Headers

Unless specified, the Umbrella API endpoints use JSON for all requests and responses.

Note: For POST, PUT, and PATCH operations, set the HTTP Content-Type header to application/json in your API request.

Umbrella S3 Bucket Key Rotation API Endpoints

• Refresh S3 Bucket Key