Replication to AWS appears successful but no objects show up in S3 bucket.

Reido
New Contributor II

We just set up a cloud distribution point in AWS but no objects are replicating.  The S3 bucket was created successfully and JAMF Admin says replication successful.  It even showed the individual packages copying over the first time.  However, there are no items in the bucket so something is failing somewhere along the way.  

I did find this (https://ideas.jamf.com/ideas/JN-I-16521) that appears to have similar issues but a fix was implemented. Still, the top comment is the only place I've seen the exact same problem listed. Plus, while server side encryption is enforced on AWS side I have nothing in any policies regarding encryption like they did. At this point, the only policy I have is the following test policy which is about as wide open as it gets:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFullS3JAMFBucketsOnly",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::jamf*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

1 ACCEPTED SOLUTION

Reido
New Contributor II

Apparently the above wasn't as wide open as I thought.  I've gotten it working now and will have to lock this down as I go.  Here's the new policy that works.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "cloudfront:*",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:*:971265307348:job/*",
        "arn:aws:s3:::*",
        "arn:aws:s3-object-lambda:*:971265307348:accesspoint/*",
        "arn:aws:s3:*:971265307348:accesspoint/*",
        "arn:aws:s3:::*/*",
        "arn:aws:s3::971265307348:accesspoint/*",
        "arn:aws:s3:us-west-2:971265307348:async-request/mrap/*/*",
        "arn:aws:s3:*:971265307348:storage-lens/*"
      ]
    }
  ]
}


2 REPLIES 2

Reido
New Contributor II

It's working now. I guess my wide open policy above was not as wide open as I thought. I'm totally new to AWS so it looks to me like these are more or less saying the same thing but apparently the first one was missing some permission it needed. Here's what it looks like now. I'll have to figure out how to lock it down a little bit more as I go!

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "cloudfront:*",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:*:971265307348:job/*",
        "arn:aws:s3:::*",
        "arn:aws:s3-object-lambda:*:971265307348:accesspoint/*",
        "arn:aws:s3:*:971265307348:accesspoint/*",
        "arn:aws:s3:::*/*",
        "arn:aws:s3::971265307348:accesspoint/*",
        "arn:aws:s3:us-west-2:971265307348:async-request/mrap/*/*",
        "arn:aws:s3:*:971265307348:storage-lens/*"
      ]
    }
  ]
}
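
Added example, not part of the original posts: a simplified model of IAM resource-ARN wildcard matching that shows which ARNs each of the two S3 resource lists in this thread covers. The sample ARNs are constructed, and the helper names and the per-segment comparison are assumptions of this sketch, not AWS's own evaluation code.

```python
import re

# S3 "Resource" lists copied from the two policies posted in this thread.
FIRST_POLICY = ["arn:aws:s3:::jamf*"]
WORKING_POLICY = [
    "arn:aws:s3:*:971265307348:job/*",
    "arn:aws:s3:::*",
    "arn:aws:s3-object-lambda:*:971265307348:accesspoint/*",
    "arn:aws:s3:*:971265307348:accesspoint/*",
    "arn:aws:s3:::*/*",
    "arn:aws:s3::971265307348:accesspoint/*",
    "arn:aws:s3:us-west-2:971265307348:async-request/mrap/*/*",
    "arn:aws:s3:*:971265307348:storage-lens/*",
]

# Constructed sample ARNs (bucket names and account ID are placeholders).
SAMPLE_ARNS = [
    "arn:aws:s3:::jamf-example-bucket",
    "arn:aws:s3:::jamf-example-bucket/Packages/app.pkg",
    "arn:aws:s3:::example-jamf-bucket",
    "arn:aws:s3:::example-jamf-bucket/Packages/app.pkg",
    "arn:aws:s3:us-west-2:111122223333:accesspoint/example",
]


def _segment_matches(pattern, value):
    # IAM wildcards: '*' is any run of characters (including '/'), '?' is exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def arn_matches(pattern, arn):
    # Assumption of this sketch: compare the six colon-separated ARN segments one by one.
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(_segment_matches(x, y) for x, y in zip(p, a))


def covered(resources, arn):
    """Return the resource patterns in `resources` that cover `arn`."""
    return [r for r in resources if arn_matches(r, arn)]


def compare(arns=SAMPLE_ARNS):
    """Map each ARN to (covered by first policy, covered by working policy)."""
    return {a: (bool(covered(FIRST_POLICY, a)), bool(covered(WORKING_POLICY, a))) for a in arns}


if __name__ == "__main__":
    for arn, (first, working) in compare().items():
        print(f"first={first!s:5} working={working!s:5} {arn}")
```

Under this model the first policy covers only buckets whose names begin with `jamf` (and their objects), so when tightening the working policy, confirm the distribution point's actual bucket name before narrowing `arn:aws:s3:::*` again.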
