Integrating Amazon Web Services (AWS) with Jamf Pro

This article explains how to integrate Amazon Web Services (AWS) with Jamf Pro.

The procedure involves the following steps:

  1. Setting Up AWS
  2. Configuring AWS as a Distribution Point in Jamf Pro

General Requirements

To integrate AWS with Jamf Pro, you need:

  • A fully trusted SSL certificate in Jamf Pro
  • An AWS account with Amazon S3 and CloudFront enabled

For more information on how to sign up for Amazon S3, see the following documentation from Amazon: Prerequisite: Setting up Amazon S3

For more information on how to set up Amazon CloudFront, see the following documentation from Amazon: What is Amazon CloudFront?

Step 1: Setting Up AWS

Before integrating AWS with Jamf Pro, you must set up AWS. To do so, you need an administrator Identity and Access Management (IAM) user that is part of an administrator group. For more information, see the following documentation from Amazon: Creating your first IAM admin user and group

Next, you must create an IAM policy for the user that Jamf Pro will use to integrate with AWS. The IAM user must have certain permissions configured to allow Jamf Pro to access your AWS account. Amazon recommends that you add the IAM user to a group and attach the policy with the permissions to the group instead of the user.

For more information on how to add permissions to users and groups, see the "Adding permissions by adding the user to a group" section of the following documentation from Amazon: Changing permissions for an IAM user

  1. Create the policy:
    1. Log in to the AWS console, and navigate to the IAM section.
    2. In the IAM section, click Policies.
    3. Click Create Policy.
    4. Click the JSON tab.
    5. Delete any existing content, copy the following JSON data, and then paste it into the field. It is recommended that you give Jamf Pro the following permissions at a minimum:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Stmt1469138951137",
            "Action": [
              "s3:AbortMultipartUpload",
              "s3:GetBucketLocation",
              "s3:GetBucketWebsite",
              "s3:ListBucket",
              "s3:ListBucketMultipartUploads",
              "s3:ListMultipartUploadParts"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::<bucketName>"
          },
          {
            "Sid": "Stmt1469138986272",
            "Action": [
              "s3:DeleteObject",
              "s3:GetObject",
              "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::<bucketName>/*"
          },
          {
            "Sid": "Stmt1469224800815",
            "Action": [
              "cloudfront:CreateCloudFrontOriginAccessIdentity",
              "cloudfront:CreateDistribution"
            ],
            "Effect": "Allow",
            "Resource": "*"
          },
          {
            "Sid": "Stmt1469224870473",
            "Action": [
              "s3:CreateBucket"
            ],
            "Effect": "Allow",
            "Resource": "*"
          },
          {
            "Sid": "ManageBucketPolicy",
            "Effect": "Allow",
            "Action": "s3:PutBucketPolicy",
            "Resource": "arn:aws:s3:::jamf*"
          }
        ]
      }
      Note:

      Permissions for CloudFront and s3:CreateBucket are only required for the initial setup of the cloud distribution point. Once the S3 bucket has been created, these privileges can be removed from the policy.

    6. Click Next: Tags.
    7. Add IAM tags.
    8. Click Next: Review.
    9. Enter a name for the new policy and add an optional description.
    10. Click Create Policy.
  2. Create a new IAM user and attach the new policy:
    1. In the IAM section, click Users, and then click Add user.
    2. Enter a name for the new user.
    3. Select Programmatic Access, and then click Next: Permissions.
    4. Click Attach existing policies directly, and search for the policy that you previously created.
    5. Click Next: Tags.
    6. Add IAM tags.
    7. Click Next: Review.
    8. Review the data and click Create user.
    9. Click Download .csv to download the user's data for configuration in Jamf Pro as described below.
      Note:

      By default, Jamf Pro creates its own bucket in AWS, and the location of the bucket is set to North America (Virginia). The bucket name will start with "jamf" followed by a string of randomized letters and numbers.
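
The note in step 1.5 says the CloudFront and s3:CreateBucket permissions can be removed once the S3 bucket exists. The following Python sketch is an added example, not part of Jamf's documentation: it produces that reduced policy and flags object-level statements whose Resource does not name an object pattern. The sample policy, the bucket name and the function names are assumptions made for illustration.

```python
import json

# Per the page's note: needed only while the distribution point is first created.
SETUP_ONLY = {"s3:CreateBucket"}
OBJECT_ACTIONS = {"s3:DeleteObject", "s3:GetObject", "s3:PutObject"}

# Constructed sample (placeholder bucket name), not the page's policy verbatim.
SAMPLE = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "Objects", "Effect": "Allow",
  "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
  "Resource": "arn:aws:s3:::jamf-example-bucket/"},
 {"Sid": "Setup", "Effect": "Allow",
  "Action": ["cloudfront:CreateDistribution", "s3:CreateBucket"], "Resource": "*"},
 {"Sid": "Mixed", "Effect": "Allow",
  "Action": ["s3:ListBucket", "s3:CreateBucket"],
  "Resource": "arn:aws:s3:::jamf-example-bucket"}
]}
""")


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def is_setup_only(action):
    return action in SETUP_ONLY or action.startswith("cloudfront:")


def strip_setup_permissions(policy):
    """Return a copy of the policy without setup-only actions."""
    kept = []
    for stmt in policy["Statement"]:
        actions = [a for a in _as_list(stmt["Action"]) if not is_setup_only(a)]
        if actions:  # a statement left with no actions is dropped entirely
            kept.append({**stmt, "Action": actions})
    return {**policy, "Statement": kept}


def audit(policy):
    """Flag object actions whose Resource names no object key pattern."""
    findings = []
    for stmt in policy["Statement"]:
        if OBJECT_ACTIONS & set(_as_list(stmt["Action"])):
            for res in _as_list(stmt["Resource"]):
                if res != "*" and not res.partition(":::")[2].partition("/")[2]:
                    findings.append((stmt.get("Sid"), res))
    return findings
```

Load the policy you saved in AWS with json.load, run audit() on it before attaching it, and paste the output of strip_setup_permissions() back into the policy editor after the cloud distribution point has been created.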

Step 2: Configuring AWS as a Distribution Point in Jamf Pro

After setting up AWS, you can configure AWS as a cloud distribution point in Jamf Pro.

  1. In Jamf Pro, enter the access key ID and the secret access key of the IAM user you created in AWS in the Access Key ID and Secret Access Key fields.
  2. After creating the cloud distribution point, it is recommended that you test the connection to the content delivery network.

Additional Information

For more information on how to configure and test a cloud distribution point, see Cloud Distribution Point in the Jamf Pro Administrator's Guide.