Cloud Distribution Point using S3 - IAM restrictions

Fuge
New Contributor

Hello all,

Curious if anyone has successfully set up the cloud distribution point in S3 with account permissions that restrict the account to a single bucket as opposed to giving the JSS account blanket access to all S3 buckets. Does the distro point use resources other than S3 (I don't think it does)? Also curious if someone can point me in the direction of some documentation about cloud distribution points in S3; I'm new and can't seem to find anything more than a blurb (maybe a page) on setup.


Fuge
New Contributor

It seems as though the cloud distribution point also uses AWS's CloudFront CDN (sweet). I would still like to be able to reduce the exposure that this account has to our AWS instance. Has anyone done this successfully?

asf-stripe
New Contributor

I'm seeing similar behavior: the distribution point setup seems to want to create a bucket (?? I was hoping to set up a pre-created one with appropriate permissions for the IAM user).

Did you find out what permissions the IAM user needs? Also, what is the bucket name that gets created?

(Guess the safest option would be to create a secondary AWS account for Casper's S3 plots; I really don't feel comfortable giving anything CreateBucket/DeleteBucket permissions on an account with existing S3 buckets.)

justinmeader
New Contributor

Anyone have ANY information on this? I have permission to create buckets and it's still failing.

asf-stripe
New Contributor

OK, I finally got it! In addition to the S3 permissions (I granted all perms on buckets named jamf*, see the attached policy docs), you also need CloudFront permissions. I'm not sure I'm super pleased by how wide the access is, and I'll experiment some more, but in the meantime here's what let me add an AWS master file distribution point:

(This is currently what we use to tighten down access during cloud distribution point creation; when the S3 bucket has been created, we substitute the `"arn:aws:s3:::jamf*"` for
```
[ "arn:aws:s3:::jamf<concrete hex string>", "arn:aws:s3:::jamf<concrete hex string>/*" ]
```
)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1406324790001",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::jamf*"
      ]
    },
    {
      "Sid": "Stmt1406330427000",
      "Effect": "Allow",
      "Action": [
        "cloudfront:CreateCloudFrontOriginAccessIdentity",
        "cloudfront:CreateDistribution",
        "cloudfront:CreateInvalidation",
        "cloudfront:CreateStreamingDistribution",
        "cloudfront:GetCloudFrontOriginAccessIdentity",
        "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
        "cloudfront:GetDistribution",
        "cloudfront:GetDistributionConfig",
        "cloudfront:GetInvalidation",
        "cloudfront:GetStreamingDistribution",
        "cloudfront:GetStreamingDistributionConfig",
        "cloudfront:ListCloudFrontOriginAccessIdentities",
        "cloudfront:ListDistributions",
        "cloudfront:ListInvalidations",
        "cloudfront:ListStreamingDistributions",
        "cloudfront:UpdateCloudFrontOriginAccessIdentity",
        "cloudfront:UpdateDistribution",
        "cloudfront:UpdateStreamingDistribution"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
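A worked example, added to this thread and not part of asf-stripe's post: a small Python script that builds the two-phase policy described above (a `jamf*` prefix wildcard while the JSS creates the bucket, then the concrete bucket ARN plus its `/*` object ARN once the bucket name is known) and audits a policy for S3 resources that still reach beyond the named bucket. The CloudFront action list is copied from the policy above; the function names, the statement `Sid` values and the sample bucket name `jamf0123456789abcdef` are assumptions of this example. It only generates and inspects JSON; it makes no AWS API calls.

```python
import json

# CloudFront actions exactly as listed in the policy posted in the thread.
CLOUDFRONT_ACTIONS = [
    "cloudfront:CreateCloudFrontOriginAccessIdentity",
    "cloudfront:CreateDistribution",
    "cloudfront:CreateInvalidation",
    "cloudfront:CreateStreamingDistribution",
    "cloudfront:GetCloudFrontOriginAccessIdentity",
    "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
    "cloudfront:GetDistribution",
    "cloudfront:GetDistributionConfig",
    "cloudfront:GetInvalidation",
    "cloudfront:GetStreamingDistribution",
    "cloudfront:GetStreamingDistributionConfig",
    "cloudfront:ListCloudFrontOriginAccessIdentities",
    "cloudfront:ListDistributions",
    "cloudfront:ListInvalidations",
    "cloudfront:ListStreamingDistributions",
    "cloudfront:UpdateCloudFrontOriginAccessIdentity",
    "cloudfront:UpdateDistribution",
    "cloudfront:UpdateStreamingDistribution",
]


def bucket_arns(bucket_name):
    """Bucket ARN plus the object ARN: S3 needs both for bucket-level and object-level calls."""
    return [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"]


def s3_statement(resources, sid="JamfCloudDPS3"):
    # Sid is an assumed label; the thread's policy uses auto-generated Stmt... ids.
    return {"Sid": sid, "Effect": "Allow", "Action": ["s3:*"], "Resource": list(resources)}


def cloudfront_statement(sid="JamfCloudDPCloudFront"):
    # CloudFront resource stays "*" exactly as in the thread's working policy.
    return {"Sid": sid, "Effect": "Allow", "Action": list(CLOUDFRONT_ACTIONS), "Resource": ["*"]}


def bootstrap_policy(prefix="jamf"):
    """Creation phase: the bucket name is not known in advance, so a prefix wildcard is needed."""
    return {
        "Version": "2012-10-17",
        "Statement": [s3_statement([f"arn:aws:s3:::{prefix}*"]), cloudfront_statement()],
    }


def tightened_policy(bucket_name):
    """After creation: replace the prefix wildcard with the one bucket the JSS actually made."""
    return {
        "Version": "2012-10-17",
        "Statement": [s3_statement(bucket_arns(bucket_name)), cloudfront_statement()],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def s3_resources_beyond_bucket(policy, bucket_name):
    """Audit check: return every S3 resource in an Allow statement that is not the named bucket."""
    allowed = set(bucket_arns(bucket_name))
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in allowed:
                findings.append(resource)
    return findings


if __name__ == "__main__":
    # Constructed bucket name standing in for the "jamf<hex>" bucket the JSS creates.
    created = "jamf0123456789abcdef"
    print(json.dumps(tightened_policy(created), indent=2))
    print("Broad S3 resources before tightening:", s3_resources_beyond_bucket(bootstrap_policy(), created))
    print("Broad S3 resources after tightening:", s3_resources_beyond_bucket(tightened_policy(created), created))
```

Run it once the JSS has created the bucket, paste the printed policy over the IAM user's custom policy, and keep the audit function around for a periodic check that nobody has widened the S3 resource back to a wildcard.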

jlang_remedy
New Contributor III

Good call on the CloudFront!

dyyuan
New Contributor

Hi, I am just trying this for the first time today, and was pointed to this thread by my AM.

I pretty much gave all the rights (S3 and CloudFront) under the IAM console to a user I called "casper", even cut and pasted the above code into a custom policy, still no luck.

I keep on getting the "Unable to create distribution for this bucket" error after I enter my key.

In Amazon's console, I can see a folder / bucket called jamfxxxxxxx being created every time I click "save" on JSS, but the error message is still there...
Any ideas?

powellbc
Contributor II

We too are seeing the issue @dyyuan is. What is unexpected to me is there is no logging in the JSS log. Do we need to enable verbose logging?

thedanielmatt
New Contributor III

For anyone else in the future:
Found another thread mentioning a defect when using a Java newer than 8u45. Installed that version of the JDK and all was well.