
Last updated: Aug 07, 2025

Enable Logging to a Cisco-Managed S3 Bucket

You can configure Cisco Secure Access to log events to an Amazon S3 bucket that Cisco manages.

Cisco configures all Cisco-managed buckets to use Amazon Server-Side Encryption with S3-Managed Keys (SSE-S3, AES-256). Amazon manages the encryption and the keys. Cisco and the Secure Access user account (customer) don't exchange keys, but the data is still encrypted at rest. More information about S3 buckets and encryption is available on the Amazon website by searching for "SSE-S3, AES-256".

Secure Access provides access to Cisco-managed S3 buckets using Amazon's IAM system. When the S3 bucket is provisioned, Secure Access provides the S3 bucket's key and secret in the Admin > Log Management page. You must copy your S3 bucket key credentials to your environment. Secure Access does not store your keys during the generation process. If you lose your keys, you cannot recover them. Instead, you must rotate the keys in Secure Access.

A Cisco user account can write files to the S3 bucket, and the customer IAM user can read from the S3 bucket. A customer IAM user can rotate their keys at any time.

Note: Customer logs are also encrypted in transit between Cisco's log management infrastructure and Amazon S3.
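The following is an added example, not Cisco's own code: a read-only check that the objects in the bucket report SSE-S3 (`AES256`) at rest, using the key and secret from the Log Management page. The environment variable names, bucket name and prefix are assumptions, and the stub client holds constructed sample objects so the check runs offline; the AWS region is taken from your usual AWS configuration.

```python
import os

SSE_S3 = "AES256"  # value S3 reports for SSE-S3 (S3-managed keys)

def make_client():
    """Build a boto3 S3 client from credentials kept in environment variables."""
    import boto3  # imported lazily so the audit logic below is testable offline
    return boto3.client(
        "s3",
        aws_access_key_id=os.environ["SECURE_ACCESS_S3_KEY"],         # assumed name
        aws_secret_access_key=os.environ["SECURE_ACCESS_S3_SECRET"],  # assumed name
    )

def audit_encryption(s3, bucket, prefix=""):
    """Return {key: reported_mode} for every object not stored with SSE-S3."""
    findings = {}
    kwargs = {"Bucket": bucket, "Prefix": prefix}
    while True:
        page = s3.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            head = s3.head_object(Bucket=bucket, Key=obj["Key"])
            mode = head.get("ServerSideEncryption")  # None: no SSE header returned
            if mode != SSE_S3:
                findings[obj["Key"]] = mode
        if not page.get("IsTruncated"):
            return findings
        kwargs["ContinuationToken"] = page["NextContinuationToken"]

class StubS3:
    """Constructed stand-in for the S3 client; serves made-up objects in two pages."""
    _objects = {"logs/a.csv.gz": "AES256", "logs/b.csv.gz": "aws:kms",
                "logs/c.csv.gz": None}

    def list_objects_v2(self, Bucket, Prefix="", ContinuationToken=None):
        keys = sorted(k for k in self._objects if k.startswith(Prefix))
        start = int(ContinuationToken or 0)
        page = {"Contents": [{"Key": k} for k in keys[start:start + 2]],
                "IsTruncated": start + 2 < len(keys)}
        if page["IsTruncated"]:
            page["NextContinuationToken"] = str(start + 2)
        return page

    def head_object(self, Bucket, Key):
        mode = self._objects[Key]
        return {"ServerSideEncryption": mode} if mode else {}

if __name__ == "__main__":
    # Swap StubS3() for make_client() and use your own bucket name and prefix.
    print(audit_encryption(StubS3(), "example-bucket", "logs/"))
```

An empty result means every listed object reported `AES256`; any other entry shows the key and the mode S3 returned for it.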