Cisco-managed s3 buckets not working with Umbrella integration - prepending s3 causing connectivity issues

[ethhack]

Error message received when trying to configure the Umbrella integration with a Cisco-managed s3 bucket:

Input 'aws-s3' failed with: failed to initialize s3 poller: failed to get AWS region for bucket: exceeded maximum number of attempts, 3, request send failed, Get "https://s3.cisco-managed-us-east-2.s3.amazonaws.com/cisco-managed-us-east-2?location=": x509: certificate is valid for *.s3.amazonaws.com, s3.amazonaws.com, not s3.cisco-managed-us-east-2.s3.amazonaws.com

Testing with s3 tools, if I remove the s3 at the beginning of the URL, connections work (so change from https://s3.cisco-managed... to https://cisco-managed). If I flip the switch to convert from s3 to s3-fips, that url changes in that spot, so the integration IS adding the s3 / s3-fips, and just need the ability to NOT have it in the URL, so we can pull our logs properly.

[francescayeye]

hello @ethhack

Please post all questions and issues on https://discuss.elastic.co/c/observability/logs
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.

For security vulnerabilities please only send reports to security@elastic.co.
See https://www.elastic.co/community/security for more information.

Please include configurations, agent and package versions and logs if available.

For confirmed bugs, please report: agent version, package, package version, discuss forum URL, steps to reproduce

[legoguy1000]

@ethhack what is ur config? it sounds like you're setting the endpoint option which you don't need to in ur case. You should just set the bucket ARN and prefix if using a Cisco managed bucket. The agent will handle all the API calls to the appropriate API endpoints based on teh bucket ARN u provide.

[ethhack]

I’ll have to check on it on Monday. I’m out for the rest of the evening / weekend. I did pass your message over to a teammate, so if I hear of good / bad, sooner, I’ll let you know.

I did have it bared down pretty much, but in the event I still had something set that shouldn’t be…

Thanks.

[ethhack]

I have ONLY the Bucket ARN (arn:aws:s3:::cisco-managed-us-east-2) and Bucket List Prefix defined (have tried with and without trailing forward slash, as seen in another bug report, here), along with the Access Key ID and Secret Access Key. I'm getting an error:

Input 'aws-s3' failed with: failed to initialize s3 poller: failed to get AWS region for bucket: AccessDenied: Access Denied status code: 403

[ethhack]

I seem to have gotten it working, but ONLY because I went back into Umbrella and forced the logs to cisco-managed-us-east-1, with a bucket prefix of just the bucket name, without leading or trailing forward slashes.

If I use ANY other cisco-managed region, it still tries to force us-east-1 and fails out.

In the end, mine now works, but only specifically set that way, and as such, something is still quirky with how the integration is behaving.

Thanks again, @legoguy1000, for the chat, both here and over email. Gave me some sanity checks until I worked this through.