Question

AWS cloud distribution point authentication

  • September 13, 2013
  • 5 replies
  • 21 views


The administrator's guide is not very clear about authentication when using a cloud distribution point. We would like to use AWS as our distribution point, but it doesn't appear that there is any authentication to prevent someone from downloading all of your packages if they know the address of the AWS bucket. Does the Casper agent on the end user's machine use the credentials specified in the JSS to access the AWS bucket? If that's the case, then you're handing R/W access to all of the end user machines, which is a huge security risk. There should be a separate R/O set of credentials used by the Casper agents to download packages from AWS.

5 replies

jescala
  • Contributor
  • November 7, 2013

*bump*

Can anyone elaborate on this? Any real world experience would be appreciated.


  • Contributor
  • February 18, 2014

*bump*

Also looking into this as an option.


  • New Contributor
  • May 19, 2014

*bump*
I have noticed this as well. The system creates a URL which allows anyone to download (over HTTP) any packages you distribute. This could be a potential security issue for a variety of reasons.

Someone can easily download your base image and brute force your admin user password, or download scripts with binding information related to your directory...


  • New Contributor
  • May 23, 2014

The documentation does list "None" under "Authentication options" in the comparison grid for the different types of distribution points. That said, it would be nice to see documentation on how to configure this, for example in configuring IAM roles. I guess this should be in a feature request...


  • New Contributor
  • May 23, 2014

It's also documented that Cloud and JDS DPs keep scripts in the database rather than the DP's filesystem. Still, authentication to secure access to packages would probably be important to many users.
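
An added illustration of the separate read-only credential asked for in the question (not code from this thread, from the product vendor, or from AWS): a small Python check that flags IAM or bucket policy statements which allow more than downloads or allow unconditional anonymous access. The bucket name and all three policy documents are constructed placeholders, and the list of read actions is an assumption about what a download-only client needs.

```python
# Constructed sample policies; "example-dp-bucket" is a placeholder bucket name.
BUCKET = "arn:aws:s3:::example-dp-bucket"

# Download-only credential: what a client that only fetches packages would need.
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": BUCKET + "/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
]}

# Upload/admin credential: the R/W access that should not reach end-user machines.
READ_WRITE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
]}

# Bucket policy under which anyone who knows the object URL can download it.
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": BUCKET + "/*"},
]}

# Assumed allow-list for a download-only client (IAM action names are case-insensitive).
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion",
                "s3:listbucket", "s3:getbucketlocation"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit(policy):
    """Return (statement index, kind, detail) for every Allow that is too broad."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.append((index, "not-read-only", "NotAction"))
        for action in _as_list(stmt.get("Action", [])):
            # Wildcards such as s3:* or s3:Get* are flagged: they cannot be
            # shown to stay inside the read allow-list.
            if action.lower() not in READ_ACTIONS:
                findings.append((index, "not-read-only", action))
        if _is_anonymous(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((index, "anonymous", "unconditional Principal *"))
    return findings
```
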