AWS cloud distribution point authentication

tangerinehuge
New Contributor III

The administrator's guide is not very clear about authentication when using a cloud distribution point. We would like to use AWS as our distribution point, but it doesn't appear that there is any authentication to prevent someone from downloading all of your packages if they know the address of the AWS bucket. Does the Casper agent on the end user's machine use the credentials specified in the JSS to access the AWS bucket? If that's the case, then you're handing R/W access to all of the end user machines, which is a huge security risk. There should be a separate R/O set of credentials used by the Casper agents to download packages from AWS.

5 REPLIES

jescala
Contributor II

*bump*

Can anyone elaborate on this? Any real world experience would be appreciated.

jbestine
New Contributor III

*bump*

Also looking into this as an option.

itadminTSC
New Contributor

*bump*
I have noticed this as well. The system creates a URL which allows anyone to download (over HTTP) any packages you distribute. This could be a potential security issue for a variety of reasons.

Someone can easily download your base image and brute force your admin user password, or download scripts with binding information related to your directory...

timsutton
Contributor

The documentation does list "None" under "Authentication options" in the comparison grid for the different types of distribution points. That said, it would be nice to see documentation on how to configure this, for example in configuring IAM roles. I guess this should be in a feature request...

timsutton
Contributor

It's also documented that Cloud and JDS DPs keep scripts in the database rather than the DP's filesystem. Still, authentication to secure access to packages would probably be important to many users.
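The two concerns raised in this thread (anyone with the bucket address can download packages, and download clients should hold read-only rather than R/W access) can be checked against an S3 bucket policy document. The following is an added example, not part of the original thread and not JAMF's own code; it assumes access is granted through a bucket policy, and the account ID, user name and bucket name are constructed placeholders.

```python
import json

# Constructed sample values: account ID, user name and bucket name are placeholders.
CLIENT = "arn:aws:iam::111122223333:user/dp-download"
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-dp-bucket/*"},
    {"Sid": "ClientFull", "Effect": "Allow", "Principal": {"AWS": CLIENT},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-dp-bucket/*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ClientReadOnly", "Effect": "Allow", "Principal": {"AWS": CLIENT},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-dp-bucket/*"}]})

# Lowercased action prefixes that let a principal modify bucket contents.
WRITE_PREFIXES = ("s3:put", "s3:delete", "s3:*", "*")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both match any caller, signed in or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and any(
        "*" in _as_list(v) for v in principal.values())

def audit_bucket_policy(policy_json, client_principal):
    """Flag anonymous access and write actions granted to the download principal.
    Condition blocks are not evaluated; review flagged statements by hand."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action", []))
        if _is_anonymous(principal):
            findings.append((sid, "anonymous-access", actions))
        is_client = isinstance(principal, dict) and \
            client_principal in _as_list(principal.get("AWS", []))
        writes = [a for a in actions if a.lower().startswith(WRITE_PREFIXES)]
        if is_client and writes:
            findings.append((sid, "client-can-write", writes))
    return findings

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_bucket_policy(policy, CLIENT))
```

The weak policy produces one finding per concern, while the scoped policy, which grants only `s3:GetObject` to a dedicated download principal, produces none.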