How to configure AWS S3 CloudFront for Cloud Distribution Point

New Contributor III

Steps to setup Cloud Distribution Point

Things to note starting out: you do not need to create the storage bucket or the CloudFront configuration. The JSS will create the bucket and assign the CloudFront distribution to the bucket for you on saving the Cloud Distribution Point settings toward the end of this how-to.

Step 1: Create your user
Go to IAM.
On the left side of your screen select Users.
Click on Create user. This user account does NOT need console access.

Step 2: Creating your access keys
Select the user account just created and go to Security credentials.
Next, click Create new access key.
Note the Access Key ID and also the Secret Access Key (which is not available after completing the process).

Step 3: Creating your role
Go to Roles on the left side of the IAM screen.
Click Create role.
Under AWS service choose S3, then Next: Permissions.
In the policy type search, check the boxes for "AmazonS3FullAccess" and "CloudFrontFullAccess".
Click Next: Review.
Provide a role name: <JSS-DP-Role>

Step 4: Create your group
Go to Groups.
Click Create new group.
Group Name: <JSS-Accounts-Group>
Click Next Step.
In the policy type search, check the boxes for "AmazonS3FullAccess" and "CloudFrontFullAccess".
Click Next Step.
Click Create Group.
Select the <JSS-Accounts-Group> group.
Click Add users to group.
Select the user created above.

Step 5: Configuring Signed URLs
Go to Your Security Credentials.
Expand CloudFront key pairs.
Click on Create new key pair.
Download the private key to be uploaded to the JSS and note the Access Key ID that goes with the key pair. (The private key will not be available after completion.)

Step 6
After downloading the private key, you will need to change the file type from txt to pem.
Log in to the JSS, go to Cloud Distribution Point and choose Amazon Web Services.
Enter the access key ID and secret that you collected in step 2 and click Save. Now edit the Cloud Distribution Point, check the box for Require Signed URLs, and upload the private key that you downloaded from the CloudFront key pair creation along with the Access Key ID that was presented with it. At this point you can save.


New Contributor

There's a really great write up on this here:

New Contributor III

That is really good. Too bad I couldn't find it in searching how to do this. Between this link and what is above, future users shouldn't have any issue getting this thing rolling.

Valued Contributor II

Thanks! This was very helpful information. I had previously followed the steps in the write-up mentioned by @kaci.weirich, so I was already set up. You provided the extra info that I needed.

New Contributor

I figured I'd post this in case anyone else is in the same boat as me. Per Amazon, the My Security Credentials page is not available on federated accounts (see the tip here). Additionally, IAM users can't create CloudFront key pairs, and Amazon does not recommend using the root account to do this (as detailed here).

You can use openssl to generate a private/public keypair. This is well documented all over the Internet, but here's the short of it:
1. Generate a private key, providing an arbitrary password when prompted: openssl genrsa -des3 -out private.pem 2048
2. Export the public key from that private key, entering the password from the previous step when prompted: openssl rsa -in private.pem -outform PEM -pubout -out public.pem
3. Export the unencrypted private key: openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM

Once you have the public and unencrypted private keys, you can configure the public key/key group in AWS CloudFront, and upload the unencrypted private key to your CDP configuration in Jamf.

Contributor II

A general question about AWS Cloud DP with Jamf Pro:

Is it possible to use the same IAM user (access key) on more than one Jamf Pro (on-premises) server? We have two separate Jamf Pro servers for 2 customers and would like to share the IAM user if possible.

I guess the JSS will automatically create an S3 bucket when initializing the AWS DP. So maybe it will create a second S3 bucket for the second JSS, so these 2 buckets (DPs) are not shared. So it should be possible to use one IAM user/access key for more than one Jamf server?