Question

Cloud Distribution Point using S3 - IAM restrictions

  • June 4, 2014
  • 8 replies
  • 23 views


Hello all,

Curious if anyone has successfully set up the cloud distribution point in S3 with account permissions that restrict the account to a single bucket, as opposed to giving the JSS account blanket access to all S3 buckets. Does the distribution point use resources other than S3? (I don't think it does.) Also curious if someone can point me in the direction of some documentation about cloud distribution points in S3; I'm new and can't seem to find anything more than a blurb (maybe a page) on setup.


  • Author
  • New Contributor
  • July 2, 2014

It seems as though the cloud distribution point also uses AWS's CloudFront CDN (sweet). I would still like to be able to reduce the exposure that this account has to our AWS instance. Has anyone done this successfully?


  • New Contributor
  • July 22, 2014

I'm seeing similar behavior - the distribution point setup seems to want to create a bucket (?? - I was hoping to set up a pre-created one with appropriate permissions for the IAM user).

Did you find out what permissions the IAM user needs? Also, what is the bucket name that gets created?

(Guess the safest option would be to create a secondary AWS account for casper's S3 plots - I really don't feel comfortable giving anything CreateBucket/DeleteBucket permissions on an account with existing S3 buckets)


  • New Contributor
  • July 25, 2014

Anyone have ANY information on this? I have permission to create buckets and it's still failing.


  • New Contributor
  • July 25, 2014

OK, I finally got it! In addition to the S3 permissions (I granted all perms on buckets named jamf*, see the attached policy docs), you also need CloudFront permissions. I'm not sure I'm super pleased by how wide the access is, and I'll experiment some more, but in the meantime here's what let me add an AWS master file distribution point:

(This is currently what we use to tighten down access during cloud distribution point creation; when the S3 bucket has been created, we substitute the `arn:aws:s3:::jamf*` resource for `[ "arn:aws:s3:::jamf<concrete hex string>", "arn:aws:s3:::jamf<concrete hex string>/*" ]`.)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1406324790001",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::jamf*"
      ]
    },
    {
      "Sid": "Stmt1406330427000",
      "Effect": "Allow",
      "Action": [
        "cloudfront:CreateCloudFrontOriginAccessIdentity",
        "cloudfront:CreateDistribution",
        "cloudfront:CreateInvalidation",
        "cloudfront:CreateStreamingDistribution",
        "cloudfront:GetCloudFrontOriginAccessIdentity",
        "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
        "cloudfront:GetDistribution",
        "cloudfront:GetDistributionConfig",
        "cloudfront:GetInvalidation",
        "cloudfront:GetStreamingDistribution",
        "cloudfront:GetStreamingDistributionConfig",
        "cloudfront:ListCloudFrontOriginAccessIdentities",
        "cloudfront:ListDistributions",
        "cloudfront:ListInvalidations",
        "cloudfront:ListStreamingDistributions",
        "cloudfront:UpdateCloudFrontOriginAccessIdentity",
        "cloudfront:UpdateDistribution",
        "cloudfront:UpdateStreamingDistribution"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
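The `arn:aws:s3:::jamf*` resource in the bootstrap policy above is broader than the poster's "buckets named jamf*" wording suggests: it also covers any pre-existing bucket whose name merely starts with `jamf` (and `s3:*` includes `s3:DeleteBucket`). The following is an added example, not code from the thread or from Jamf: a small evaluator that applies IAM's wildcard rules (`*` and `?` only, action names matched case-insensitively, resource ARNs case-sensitively) to the posted policy, lists which existing buckets it would expose, and produces the tightened single-bucket policy the poster substitutes in once the bucket exists. The bucket names and the account inventory are constructed, and the CloudFront action list is a subset of the posted one.

```python
"""IAM scoping check for the Jamf cloud distribution point bootstrap policy.

Added example (not from the thread or from Jamf). Evaluates identity-policy
Allow/Deny statements with IAM wildcard semantics and shows the effect of
pinning the S3 statement to one concrete bucket. Bucket names are constructed.
"""
import copy
import re

# The thread's bootstrap policy. The CloudFront action list is a subset of the
# posted one; the matching logic is identical for the full list.
BOOTSTRAP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Bootstrap", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": ["arn:aws:s3:::jamf*"]},
        {"Sid": "CloudFront", "Effect": "Allow",
         "Action": ["cloudfront:CreateCloudFrontOriginAccessIdentity",
                    "cloudfront:CreateDistribution",
                    "cloudfront:GetDistribution",
                    "cloudfront:UpdateDistribution"],
         "Resource": ["*"]},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def iam_glob_to_regex(pattern, ignore_case=False):
    """Translate an IAM pattern: '*' matches any run (including '/'), '?' one char."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("^" + "".join(parts) + "$", flags)


def statement_matches(stmt, action, resource):
    """True if both the Action and the Resource patterns of a statement cover the request."""
    action_ok = any(iam_glob_to_regex(a, ignore_case=True).match(action)
                    for a in _as_list(stmt["Action"]))
    resource_ok = any(iam_glob_to_regex(r).match(resource)
                      for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def is_allowed(policy, action, resource):
    """Identity-policy evaluation: any matching Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def buckets_exposed(policy, existing_buckets):
    """Names of existing buckets the policy would let the IAM user delete.

    Feed this the bucket names of your account (e.g. from 'aws s3 ls')
    before attaching the bootstrap policy to the JSS user."""
    return sorted(b for b in existing_buckets
                  if is_allowed(policy, "s3:DeleteBucket", f"arn:aws:s3:::{b}"))


def tighten_to_bucket(policy, bucket_name):
    """Copy of the policy with the jamf* S3 statement pinned to one bucket and its objects."""
    tightened = copy.deepcopy(policy)
    for stmt in tightened["Statement"]:
        if "arn:aws:s3:::jamf*" in _as_list(stmt["Resource"]):
            stmt["Resource"] = [f"arn:aws:s3:::{bucket_name}",
                                f"arn:aws:s3:::{bucket_name}/*"]
    return tightened


if __name__ == "__main__":
    # Constructed inventory: an unrelated bucket that happens to start with "jamf".
    inventory = ["jamf-prod-backups", "corp-logs", "jamf0123abcdef"]
    print("bootstrap policy can delete:", buckets_exposed(BOOTSTRAP_POLICY, inventory))
    tight = tighten_to_bucket(BOOTSTRAP_POLICY, "jamf0123abcdef")
    print("tightened policy can delete:", buckets_exposed(tight, inventory))
```

This evaluator only models identity-policy Allow/Deny with wildcards; it ignores Condition blocks, bucket policies and SCPs. For the authoritative answer run the same (action, resource) pairs through `aws iam simulate-custom-policy` against the JSON you intend to attach.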

  • Contributor
  • October 21, 2014

Good call on the CloudFront!


  • Contributor
  • February 2, 2015

Hi, I am just trying this for the first time today, and was pointed to this thread by my AM.

I pretty much gave all the rights (S3 and CloudFront) under the IAM console to a user I called "casper", and even cut and pasted the above code into a custom policy, still no luck.

I keep on getting the "Unable to create distribution for this bucket" error after I enter my key.

In Amazon's console, I can see a folder/bucket called jamfxxxxxxx being created every time I click "Save" in the JSS, but the error message is still there...
Any ideas?


  • Contributor
  • February 27, 2017

We too are seeing the issue @dyyuan is. What is unexpected to me is there is no logging in the JSS log. Do we need to enable verbose logging?



For anyone else in the future:
Found another thread mentioning a defect when using a Java version newer than 8u45. Installed that version of the JDK and all was well.