Posted on 01-25-2023 11:39 AM
We just set up a cloud distribution point in AWS but no objects are replicating. The S3 bucket was created successfully and JAMF Admin says replication successful. It even showed the individual packages copying over the first time. However, there are no items in the bucket so something is failing somewhere along the way.
I did find this (https://ideas.jamf.com/ideas/JN-I-16521) that appears to have similar issues but a fix was implemented. Still, the top comment is the only place I've seen the exact same problem listed. Plus, while server side encryption is enforced on the AWS side, I have nothing in any policies regarding encryption like they did. At this point, the only policy I have is the following test policy which is about as wide open as it gets:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFullS3JAMFBucketsOnly",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::jamf*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Posted on 01-26-2023 12:27 PM
Apparently the above wasn't as wide open as I thought. I've gotten it working now and will have to lock this down as I go. Here's the new policy that works.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "cloudfront:*",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:*:971265307348:job/*",
        "arn:aws:s3:::*",
        "arn:aws:s3-object-lambda:*:971265307348:accesspoint/*",
        "arn:aws:s3:*:971265307348:accesspoint/*",
        "arn:aws:s3:::*/*",
        "arn:aws:s3::971265307348:accesspoint/*",
        "arn:aws:s3:us-west-2:971265307348:async-request/mrap/*/*",
        "arn:aws:s3:*:971265307348:storage-lens/*"
      ]
    }
  ]
}
Posted on 01-26-2023 12:26 PM
It's working now. I guess my wide open policy above was not as wide open as I thought. I'm totally new to AWS so it looks to me like these are more or less saying the same thing, but apparently the first one was missing some permission it needed. Here's what it looks like now. I'll have to figure out how to lock it down a little bit more as I go!
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "cloudfront:*",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:*:971265307348:job/*",
        "arn:aws:s3:::*",
        "arn:aws:s3-object-lambda:*:971265307348:accesspoint/*",
        "arn:aws:s3:*:971265307348:accesspoint/*",
        "arn:aws:s3:::*/*",
        "arn:aws:s3::971265307348:accesspoint/*",
        "arn:aws:s3:us-west-2:971265307348:async-request/mrap/*/*",
        "arn:aws:s3:*:971265307348:storage-lens/*"
      ]
    }
  ]
}
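Added example, not from the thread or from Jamf: the two policies above look similar but grant different things, and "lock it down as I go" is easier when a candidate policy can be checked offline against the calls the distribution point actually makes before it is attached to the user. The script below is a small IAM-style evaluator (default deny, any matching Allow grants, any matching Deny wins; `*` and `?` wildcards; actions case-insensitive, resource ARNs case-sensitive). It embeds the first and the working policy as posted, plus a constructed tighter candidate scoped to one hypothetical bucket name. The sample calls, bucket names and CloudFront distribution id are made up; `Condition`, `NotAction` and `NotResource` are not modelled because neither posted policy uses them, and nothing here claims which specific call the first policy was missing.

```python
"""Offline comparison of the IAM policies from the thread (added example, not Jamf's code)."""
import re

# The "wide open" test policy from the first post (copied from the thread).
FIRST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowFullS3JAMFBucketsOnly", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": ["arn:aws:s3:::jamf*"]},
        {"Effect": "Allow", "Action": ["cloudfront:*"], "Resource": ["*"]},
    ],
}

# The policy that made replication work (copied from the accepted solution).
WORKING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "cloudfront:*", "Resource": "*"},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:*",
         "Resource": [
             "arn:aws:s3:*:971265307348:job/*",
             "arn:aws:s3:::*",
             "arn:aws:s3-object-lambda:*:971265307348:accesspoint/*",
             "arn:aws:s3:*:971265307348:accesspoint/*",
             "arn:aws:s3:::*/*",
             "arn:aws:s3::971265307348:accesspoint/*",
             "arn:aws:s3:us-west-2:971265307348:async-request/mrap/*/*",
             "arn:aws:s3:*:971265307348:storage-lens/*",
         ]},
    ],
}

# Constructed candidate for the "lock it down" step (hypothetical bucket name):
# s3 access limited to one bucket and its objects, bucket deletion explicitly denied.
SCOPED_CANDIDATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudfront:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::acme-jamf-cdp", "arn:aws:s3:::acme-jamf-cdp/*"]},
        # An explicit Deny overrides any Allow, so s3:* above cannot delete the bucket.
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def iam_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM wildcards: '*' matches any run of characters (slashes included), '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Default deny; a matching Allow grants; a matching Deny wins regardless of order."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_hit = any(iam_match(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(iam_match(p, resource, False) for p in _as_list(stmt.get("Resource", "*")))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed sample calls a distribution-point sync might make (names are made up).
CHECKS = [
    ("s3:PutObject", "arn:aws:s3:::jamf-cdp/Packages/Firefox.pkg"),
    ("s3:PutObject", "arn:aws:s3:::acme-jamf-cdp/Packages/Firefox.pkg"),
    ("s3:ListBucket", "arn:aws:s3:::acme-jamf-cdp"),
    ("s3:DeleteBucket", "arn:aws:s3:::acme-jamf-cdp"),
    ("cloudfront:CreateInvalidation", "arn:aws:cloudfront::971265307348:distribution/EXAMPLEID"),
    ("iam:CreateUser", "arn:aws:iam::971265307348:user/anyone"),
]


def evaluate(policy: dict, checks=CHECKS) -> dict:
    """Map each 'action resource' pair to the policy's decision."""
    return {f"{a} {r}": is_allowed(policy, a, r) for a, r in checks}


def newly_allowed(old: dict, new: dict, checks=CHECKS) -> list:
    """Calls the new policy permits that the old one did not, i.e. the access you gained."""
    return [(a, r) for a, r in checks if is_allowed(new, a, r) and not is_allowed(old, a, r)]


if __name__ == "__main__":
    for name, pol in [("first", FIRST_POLICY), ("working", WORKING_POLICY), ("scoped", SCOPED_CANDIDATE)]:
        print(name, evaluate(pol))
    print("gained by switching policies:", newly_allowed(FIRST_POLICY, WORKING_POLICY))
```

Running it shows the mechanical difference between the two posted policies: the first one only matches S3 ARNs whose bucket name starts with `jamf`, while the working one matches every bucket and object in the account (and still grants nothing outside S3 and CloudFront). To tighten the working policy, replace `CHECKS` with the actual calls recorded for the distribution point's IAM user (CloudTrail is the usual source) and confirm the candidate still allows each of them before swapping it in.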