Log streaming is enabled on the Cloud SWG portal into an AWS S3 bucket for proxy, audit and malware logs on three separate channels.
Since log streaming was enabled, all log entries have been visible in Splunk, which ingests the data from the AWS S3 bucket.
Without any Cloud SWG changes, Splunk no longer sees any logs for any channel after 16:39 UTC, as shown below:
The Cloud SWG reporting portal does show events generated for this timescale.
The Broadcom status page has no updates indicating any issues.
Cloud SWG.
AWS S3 cloud bucket.
Log streaming/Kafka enabled.
A back-end AWS process now checks credentials older than 90 days to determine whether they have been rotated, and deletes them if they have not.
Make sure a process is put in place to update the Cloud SWG log streaming credentials when the keys have been rotated or deleted.
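As an added example (not part of the original article or of any Broadcom or AWS tooling), one check such a process could run on a schedule: classify the IAM access key used by the log streaming channel by age against the 90-day cutoff, reading the JSON shape returned by `aws iam list-access-keys`. The 14-day warning lead time, the IAM user name and the key IDs below are assumed or constructed.

```python
"""Flag the IAM access key behind Cloud SWG log streaming before the 90-day clean-up deletes it."""
import json
import sys
from datetime import datetime, timezone

DELETE_AFTER_DAYS = 90   # cutoff stated in the article: unrotated keys this old are deleted
WARN_BEFORE_DAYS = 14    # assumed lead time to rotate and update the Cloud SWG channel


def parse_aws_date(value: str) -> datetime:
    """Parse the ISO-8601 CreateDate emitted by `aws iam list-access-keys`."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_key(meta: dict, now: datetime) -> dict:
    """Return the key's age in days and a state: ok / rotate-soon / past-cutoff."""
    age = (now - parse_aws_date(meta["CreateDate"])).days
    if age >= DELETE_AFTER_DAYS:
        state = "past-cutoff"   # the back-end process will delete (or has deleted) it
    elif age >= DELETE_AFTER_DAYS - WARN_BEFORE_DAYS:
        state = "rotate-soon"   # rotate now and update the log streaming credentials
    else:
        state = "ok"
    return {"UserName": meta["UserName"], "AccessKeyId": meta["AccessKeyId"],
            "Status": meta["Status"], "AgeDays": age, "State": state}


def check_keys(listing: dict, now: datetime) -> list:
    """Classify every key in an `aws iam list-access-keys` JSON response."""
    return [classify_key(m, now) for m in listing["AccessKeyMetadata"]]


def needs_action(rows: list) -> bool:
    """True if any key should be rotated or has already hit the cutoff."""
    return any(r["State"] != "ok" for r in rows)


# Constructed sample in the CLI's output shape; user name and key IDs are not real.
SAMPLE_LISTING = {"AccessKeyMetadata": [
    {"UserName": "cloudswg-logstream", "AccessKeyId": "AKIAEXAMPLE0000001",
     "Status": "Active", "CreateDate": "2024-01-01T00:00:00+00:00"},
    {"UserName": "cloudswg-logstream", "AccessKeyId": "AKIAEXAMPLE0000002",
     "Status": "Active", "CreateDate": "2024-01-10T00:00:00+00:00"},
    {"UserName": "cloudswg-logstream", "AccessKeyId": "AKIAEXAMPLE0000003",
     "Status": "Active", "CreateDate": "2024-03-15T00:00:00+00:00"},
]}
SAMPLE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Pass a file saved from `aws iam list-access-keys --user-name <user>`, else use the sample.
    listing = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LISTING
    now = datetime.now(timezone.utc) if len(sys.argv) > 1 else SAMPLE_NOW
    rows = check_keys(listing, now)
    for row in rows:
        print(row)
    sys.exit(1 if needs_action(rows) else 0)
```

A non-zero exit code lets a scheduler or monitoring job raise an alert while there is still time to rotate the key and re-test the channel in the Cloud SWG portal.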
When checking the event streaming within the Cloud SWG portal, the overall health was not showing as green:
Clicking the status message for more details indicated an issue with the token, with the 403 status error "The AWS access key you provided does not exist on our records":
Double-checking the credentials using the 'test' option in the log streaming channel confirmed that the credentials had failed.