Filebeat Cisco Umbrella module

Hi, I am trying to configure Filebeat to get logs from Cisco Umbrella, but something doesn't work.

The logs are in a bucket managed by Cisco.

If I try to list the bucket I am successful, with:

/usr/local/bin/aws s3 ls s3://umbrella-managed-<MyCompanyID>-<idKey>

it is authenticated and works flawlessly.

If I configure the umbrella filebeat module in this way:

            enabled: true

            var.input: s3
            # AWS SQS queue url
            # Access ID to authenticate with the S3 input
            var.access_key_id: <myKeyID>
            # Access key to authenticate with the S3 input
            var.secret_access_key: <mySecretAccessKey>
            # The duration that the received messages are hidden from ReceiveMessage request
            #var.visibility_timeout: 300s
            # Maximum duration before AWS API request will be interrupted
            #var.api_timeout: 120s

I get a bunch of errors:

2020-11-26T19:00:25.335+0100 ERROR [input.s3] s3/collector.go:107 SQS ReceiveMessageRequest failed: InvalidClientTokenId: The security token included in the request is invalid.

I think I am missing the CiscoQueue. Where can I find this queue?

Thank you

I stumbled upon the same problem and the only solution I came up with was to use my own S3 bucket with SQS notifications enabled. It seems to me that the buckets managed by Cisco do not have SQS notifications enabled.
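An added example, not part of either post: one way to set up the self-owned bucket with SQS notifications that the reply describes, using the AWS CLI. The bucket, region, account ID and queue name are placeholders (assumptions), and the queue policy is scoped so that only S3 events from that one bucket and account can post to the queue.

```shell
#!/bin/sh
# Added example: connect a self-owned S3 bucket to an SQS queue for Filebeat's s3 input.
# Every value below is a placeholder (assumption), not a value from the thread.
BUCKET="my-umbrella-logs"
REGION="eu-west-1"
ACCOUNT_ID="111122223333"
QUEUE="umbrella-logs-queue"

queue_arn() { printf 'arn:aws:sqs:%s:%s:%s' "$REGION" "$ACCOUNT_ID" "$QUEUE"; }
queue_url() { printf 'https://sqs.%s.amazonaws.com/%s/%s' "$REGION" "$ACCOUNT_ID" "$QUEUE"; }

# Queue policy: only the S3 service, and only for this bucket in this account, may send.
queue_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
"Principal":{"Service":"s3.amazonaws.com"},"Action":"sqs:SendMessage",
"Resource":"$(queue_arn)","Condition":{
"ArnLike":{"aws:SourceArn":"arn:aws:s3:::$BUCKET"},
"StringEquals":{"aws:SourceAccount":"$ACCOUNT_ID"}}}]}
EOF
}

# Bucket notification: one SQS message for every newly created object.
bucket_notification() {
  cat <<EOF
{"QueueConfigurations":[{"QueueArn":"$(queue_arn)","Events":["s3:ObjectCreated:*"]}]}
EOF
}

# The setting the module config needs next to "var.input: s3".
filebeat_queue_line() { printf 'var.queue_url: %s' "$(queue_url)"; }

apply() {
  aws sqs create-queue --queue-name "$QUEUE" --region "$REGION"
  # The policy is passed as an escaped JSON string inside the attributes map.
  printf '{"Policy":"%s"}' "$(queue_policy | tr -d '\n' | sed 's/"/\\"/g')" > attrs.json
  aws sqs set-queue-attributes --queue-url "$(queue_url)" \
    --attributes file://attrs.json --region "$REGION"
  # S3 checks that it can reach the queue, so the policy must already be in place.
  bucket_notification > notification.json
  aws s3api put-bucket-notification-configuration --bucket "$BUCKET" \
    --notification-configuration file://notification.json
  # Read the configuration back to confirm the queue ARN is attached.
  aws s3api get-bucket-notification-configuration --bucket "$BUCKET"
  filebeat_queue_line; echo
}

# Nothing touches AWS unless the script is run with the "apply" argument.
if [ "${1:-}" = "apply" ]; then apply; fi
```

Run the script with `apply` using credentials that own the bucket, then add the printed `var.queue_url` line to the module configuration.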

