
S3 server side encryption not supported with Jamf Pro cloud distribution points

As part of a project I’m working on, I needed to set up a cloud distribution point for a Jamf Pro server in Amazon Web Services. AWS-hosted cloud distribution points use a bucket in Amazon’s S3 service to store the files hosted by the distribution point. To help secure the S3 bucket, I enabled S3 server-side encryption. This encryption provides data-at-rest protection for files stored in an S3 bucket and is managed by Amazon’s S3 service.

Once that encryption was enabled, I was unable to upload either installer .pkgs or .dmgs to the S3 bucket associated with the cloud distribution point using any of the following methods:

The unusual part was that the installer would appear to upload and would be listed as a valid package when viewed from the Jamf Pro web console.

[Screenshots: the uploaded package as shown in the Jamf Pro web console]

However, if I viewed the S3 bucket from the AWS console, the actual installer files would not be present in the S3 bucket.

Encrypted CDP S3 bucket

For more details, see below the jump.

To address this issue, I opened a support call with Jamf support. While working with Jamf, I discovered that if I removed the encryption policy options from the S3 bucket policy, I was able to upload to the S3 bucket again.

Uploads blocked with this policy applied:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::jamfd880e2e8b5774d2382ffde1009852f78/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::jamfd880e2e8b5774d2382ffde1009852f78/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        },
        {
            "Sid": " Grant a CloudFront Origin Identity access to support private content",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity AA9F007AA023464E"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::jamfd880e2e8b5774d2382ffde1009852f78/*"
        }
    ]
}

Uploads work with this policy applied:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": " Grant a CloudFront Origin Identity access to support private content",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity AA9F007AA023464E"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::jamfd880e2e8b5774d2382ffde1009852f78/*"
        }
    ]
}

With the encryption policy options removed, I confirmed that I could now upload to the cloud distribution point and have the files appear in the S3 bucket.
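To see why the first policy blocks an uploader that never sends the SSE header while the second does not, here is a small model of the two IAM condition operators the policy relies on (StringNotEquals and Null), run against constructed PutObject requests. This is an added example, not code from the original post, Jamf or AWS: the bucket ARN is a placeholder, the sample requests are constructed, and the model assumes that an absent `s3:x-amz-server-side-encryption` key does not satisfy StringNotEquals (which is exactly why the AWS-style policy carries the separate Null statement). It also includes an audit helper that flags any bucket policy containing an SSE-based Deny on s3:PutObject, the condition that an uploader which omits the header will trip over.

```python
"""Model of how the bucket policies shown above treat a PutObject request.

Added example, not from the original post or from Jamf/AWS. Only the two
IAM condition operators the blocking policy uses are modelled.
"""
import json

SSE_KEY = "s3:x-amz-server-side-encryption"   # IAM condition key
SSE_HEADER = "x-amz-server-side-encryption"   # matching HTTP request header

# The two Deny statements from the blocking policy, with the real bucket ARN
# replaced by a constructed placeholder.
BLOCKING_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]}""")

# Constructed stand-in for the second (working) policy: only the CloudFront
# read Allow, no encryption conditions.
CLOUDFRONT_ONLY_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [
    {"Sid": "Grant a CloudFront Origin Identity access to support private content",
     "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::cloudfront:user/EXAMPLE-ORIGIN-ACCESS-IDENTITY"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"}
  ]}""")


def _actions(stmt):
    """Action may be a single string or a list; normalise to a list."""
    action = stmt["Action"]
    return action if isinstance(action, list) else [action]


def condition_matches(operator, key, expected, ctx):
    """Evaluate one condition operator against the request context dict."""
    present = key in ctx
    if operator == "Null":
        # Null with "true" matches when the key is absent from the request.
        return (not present) if expected == "true" else present
    if operator == "StringNotEquals":
        # Modelling assumption: an absent key does not satisfy StringNotEquals,
        # so the policy needs the Null statement to catch header-less uploads.
        return present and ctx[key] != expected
    raise ValueError(f"operator {operator} not modelled")


def denying_statements(policy, headers):
    """Return the Sids of Deny statements on s3:PutObject whose conditions match."""
    ctx = {SSE_KEY: headers[SSE_HEADER]} if SSE_HEADER in headers else {}
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in _actions(stmt):
            continue
        matched = all(
            condition_matches(op, key, expected, ctx)
            for op, pairs in stmt.get("Condition", {}).items()
            for key, expected in pairs.items()
        )
        if matched:
            hits.append(stmt["Sid"])
    return hits


def evaluate_put_object(policy, headers):
    """An explicit Deny wins over any Allow, so any hit means the upload fails."""
    hits = denying_statements(policy, headers)
    return ("DENIED" if hits else "ALLOWED", hits)


def policy_enforces_sse(policy):
    """Audit check: does the policy deny PutObject based on the SSE condition key?
    A policy like this will reject clients that never send the SSE header."""
    return any(
        stmt["Effect"] == "Deny"
        and "s3:PutObject" in _actions(stmt)
        and any(SSE_KEY in pairs for pairs in stmt.get("Condition", {}).values())
        for stmt in policy["Statement"]
    )


if __name__ == "__main__":
    # Constructed sample uploads: one that never sets the header (the behaviour
    # described in the post), one sending SSE-S3, one sending SSE-KMS.
    samples = [
        ("no SSE header", {"Content-Type": "application/octet-stream"}),
        ("SSE-S3 header", {SSE_HEADER: "AES256"}),
        ("SSE-KMS header", {SSE_HEADER: "aws:kms"}),
    ]
    for label, hdrs in samples:
        print(f"{label:15s} -> {evaluate_put_object(BLOCKING_POLICY, hdrs)}")
    print("blocking policy enforces SSE:", policy_enforces_sse(BLOCKING_POLICY))
    print("CloudFront-only policy enforces SSE:", policy_enforces_sse(CLOUDFRONT_ONLY_POLICY))
```

Running it shows the header-less upload tripping DenyUnEncryptedObjectUploads, the AES256 upload passing, and a KMS upload tripping DenyIncorrectEncryptionHeader; the audit helper returns true only for the first policy. Running the same audit against a real bucket policy pulled from the AWS console tells you in advance whether an uploader that does not set the header will be blocked.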

Not Encrypted CDP S3 bucket

The support engineer I worked with confirmed that Jamf does not support using S3 server-side encryption at this time and asked me to open a feature request. I’ve now opened a feature request, available via the link below:

https://www.jamf.com/jamf-nation/feature-requests/6016/support-requested-for-s3-server-side-encryption-for-jamf-pro-cloud-distribution-points-hosted-in-amazon-web-services

If you need to have S3 server side encryption enabled on your S3 buckets, please vote it up.
