As part of a project I’m working on, I needed to set up a cloud distribution point for a Jamf Pro server in Amazon Web Services. AWS-hosted cloud distribution points use a bucket in Amazon’s S3 service to store the files hosted by the distribution point. To help secure the S3 bucket, I enabled S3 server-side encryption. This encryption provides data-at-rest protection for files stored in an S3 bucket and is managed by Amazon’s S3 service.
Once that security was enabled, I was then unable to upload either installer .pkgs or .dmgs to the S3 bucket associated with the cloud distribution point using any of the following methods:
- Web console package upload
- Casper Admin
- AutoPkg using JSSImporter
The unusual part was that the installer would appear to upload successfully and show up as a valid package when viewed from the Jamf Pro web console.
However, if I viewed the S3 bucket from the AWS console, the actual installer files were not present in the S3 bucket.
For more details, see below the jump.
To address this issue, I opened a support call with Jamf support. While working with Jamf, I discovered that if I removed the two encryption-related Deny statements from the S3 bucket policy, I was able to upload to the S3 bucket again.
Uploads blocked with this policy applied:
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::jamfd880e2e8b5774d2382ffde1009852f78/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::jamfd880e2e8b5774d2382ffde1009852f78/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    },
    {
      "Sid": " Grant a CloudFront Origin Identity access to support private content",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity AA9F007AA023464E"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::jamfd880e2e8b5774d2382ffde1009852f78/*"
    }
  ]
}
Uploads work with this policy applied:
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": " Grant a CloudFront Origin Identity access to support private content",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity AA9F007AA023464E"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::jamfd880e2e8b5774d2382ffde1009852f78/*"
    }
  ]
}
With the two Deny statements removed, I confirmed that I could now upload to the cloud distribution point and have the files appear in the S3 bucket. Note that removing those statements only removes the enforcement: the bucket policy no longer rejects uploads that arrive without the x-amz-server-side-encryption header, but it does not encrypt anything on its own.
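To make clear why the uploads were rejected, here is a small local simulation of how the two Deny statements above evaluate an s3:PutObject request. This is an added example written for this post, not Jamf or AWS code: it embeds the policy from the post and models only the two condition operators it uses (StringNotEquals and Null). As a simplification, a missing condition key is treated as not matching StringNotEquals, so the separate Null statement is what catches a request with no header. The three sample requests (no header, AES256, aws:kms) are constructed for the demonstration.

```python
import json

# Bucket policy from the post, reduced to the two Deny statements that
# blocked the uploads (the CloudFront Allow statement is irrelevant to PutObject).
POLICY = json.loads("""
{ "Version": "2008-10-17",
  "Statement": [
    { "Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::jamfd880e2e8b5774d2382ffde1009852f78/*",
      "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "AES256" } } },
    { "Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::jamfd880e2e8b5774d2382ffde1009852f78/*",
      "Condition": { "Null": { "s3:x-amz-server-side-encryption": "true" } } }
  ] }
""")


def _condition_matches(condition, context):
    """Evaluate a Condition block against the request context.

    `context` maps condition keys (e.g. "s3:x-amz-server-side-encryption")
    to the value the request supplied; the key is absent when the client
    did not send the header. Simplification: only the two operators used in
    this policy are modelled, and a missing key does not match StringNotEquals.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # "true" matches when the key is absent, "false" when present.
                if (expected == "true") != (not present):
                    return False
            elif operator == "StringNotEquals":
                if not present or context[key] == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def denying_statements(policy, action, context):
    """Return the Sids of every Deny statement that matches this request."""
    return [
        stmt["Sid"]
        for stmt in policy["Statement"]
        if stmt["Effect"] == "Deny"
        and stmt["Action"] == action
        and _condition_matches(stmt.get("Condition", {}), context)
    ]


def put_object_allowed(headers):
    """Simulate an s3:PutObject with the given x-amz-* request headers.

    Returns (allowed, denying_sids). An explicit Deny always wins, so any
    matching Deny statement blocks the upload regardless of Allow statements.
    """
    context = {}
    if "x-amz-server-side-encryption" in headers:
        context["s3:x-amz-server-side-encryption"] = headers["x-amz-server-side-encryption"]
    denied_by = denying_statements(POLICY, "s3:PutObject", context)
    return (not denied_by, denied_by)


if __name__ == "__main__":
    # Constructed requests: a client that sends no SSE header, one that
    # requests SSE-S3 correctly, and one that requests SSE-KMS instead.
    samples = [
        ("no SSE header", {}),
        ("AES256", {"x-amz-server-side-encryption": "AES256"}),
        ("aws:kms", {"x-amz-server-side-encryption": "aws:kms"}),
    ]
    for label, hdrs in samples:
        ok, sids = put_object_allowed(hdrs)
        verdict = "allowed" if ok else "DENIED by " + ", ".join(sids)
        print(f"{label:14s} -> {verdict}")
```

Run stand-alone, the script shows that only an upload carrying x-amz-server-side-encryption: AES256 gets through; a request with no header is rejected by DenyUnEncryptedObjectUploads, and one asking for aws:kms is rejected by DenyIncorrectEncryptionHeader. Any uploader that does not set that header, whichever Jamf tool it is, will be refused by the policy, which matches the behaviour described above.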
The support engineer I worked with confirmed that Jamf does not support using S3 server-side encryption at this time and asked me to open a feature request. I’ve now opened a feature request, available via the link below:
If you need to have S3 server-side encryption enabled on your S3 buckets, please vote it up.