Rotating the credentials for a Jamf Pro AWS cloud distribution point
Summary: this article describes how to rotate the access key and secret access key used by a Jamf Pro cloud distribution point hosted on AWS: create a new key, update the Jamf Pro settings and test the cloud distribution point, then delete the old key. 2025-2-28 16:44:10 Author: derflounder.wordpress.com

As part of setting up an AWS-hosted cloud distribution point for Jamf Pro, you will need to set up a user in AWS and get an access key and secret access key. I describe that process as part of an earlier post on how to set up an AWS-hosted cloud distribution point. However, many shops' security policies mandate rotating AWS credentials on a regular basis. For those with requirements like this, please see below the jump for how to rotate these credentials for an AWS-hosted cloud distribution point.

The following procedure will walk you through the process of setting up a new AWS access key and secret access key which can be used to update the credentials used for an AWS-hosted cloud distribution point. This process assumes the following:

  • A. You have an existing AWS-hosted cloud distribution point set up in Jamf Pro.
  • B. You have an existing AWS IAM programmatic user account set up with the correct permissions to access and manage the AWS-hosted cloud distribution point set up in Jamf Pro.
  • C. You can log into the AWS console using an account with console access with sufficient permissions to perform the following actions:
    • i. Access AWS’s IAM service for the account which has the existing AWS IAM programmatic user account referenced in pre-requisite B above.
    • ii. Change the security credentials for the existing AWS IAM programmatic user account referenced in pre-requisite B above.
  • D. You can log into your Jamf Pro admin console using an account with sufficient permissions to perform the following actions:
    • i. Access the cloud distribution point settings.
    • ii. Edit the cloud distribution point settings.

1. Log into the AWS console.

2. Select the IAM service.

3. Identify and select the existing AWS IAM programmatic user account referenced in pre-requisite B above.

4. For that user account, select Security Credentials.

5. See how many access keys (active and inactive) are currently associated with the account.

An AWS IAM user account can have up to two total access keys set up in it. This procedure assumes you have one active access key which is being used as credentials for the AWS-hosted cloud distribution point. You will need to set up a second active access key as part of rotating the credentials for the cloud distribution point and both sets of access keys must be active for the rotation process to successfully complete.

If you already have two active access keys showing for the existing AWS IAM programmatic user account, stop here. Before proceeding, you will need to a) identify whether the second access key is being used by something else, b) determine what the second access key is being used for and c) get that functionality moved to another IAM programmatic user account. IAM will not let you create a third key, and deactivating an unknown key to free the slot risks breaking whatever depends on it.

The rest of the procedure assumes that you have one active access key associated with the account.

6. Click the Create Access Key button.

7. For use case, select Other. Once the Other case has been selected, click the Next button.

8. Set a description tag (if desired), then click the Create Access Key button.

9. The access key will be created.

This is the only time you will have access to both the access key and secret access key information. You can click the Show button to reveal the secret access key information.

You also have the option of downloading both the access key and secret access key information in a .csv file.

The information in the .csv file will look similar to what’s shown below:


Access key ID Secret access key
AKIATFL3V52CQ4EI54FA UtK4219dBAE0211497183b20aa2a6296/Dk7de

10. Once you have both the access key and secret access key information stored for later reference, click the Done button.

You should now see a second active access key appear in the AWS console. The access key is displayed, but the secret access key is never shown again following the access key’s creation (described in step 9.)

11. Log into the Jamf Pro admin console for the Jamf Pro instance which has the relevant AWS-hosted cloud distribution point.

12. Go to Settings: Server: Cloud Distribution Point.

13. In the Cloud distribution point window, verify that Content Delivery Network is set to the following:

Amazon Web Services

14. Click the Edit button to update the credentials for the AWS-hosted cloud distribution point.

15. In the Access Key ID entry field, enter the access key ID of the new access key created in step 9.

16. In the Secret Access Key and Verify Secret Access Key entry fields, enter the secret access key of the new access key created in step 9.

17. Once you’ve verified that the correct information has been entered into the Access Key ID, Secret Access Key and Verify Secret Access Key entry fields, click the Save button.

18. Once the changes have been saved, click the Test button.

19. In the Cloud distribution point test window, click the Test button.

If the credentials were successfully rotated, you should see a message that the cloud service was successfully contacted.

If you see anything other than a message that the cloud service was successfully contacted, first re-check that the new access key ID and secret access key were entered exactly as shown in step 9 and that the new access key is still listed as Active in the AWS console. If the test still fails, contact Jamf Support. Until the test passes, leave the old access key active; it is still the credential Jamf Pro was working with before the change.

Once the credentials have been successfully rotated, I would recommend going back into the AWS console to deactivate and delete the previously-used access key. Before you do, check the Last used column for that access key in the Security Credentials tab: if it shows use after you saved the new credentials in Jamf Pro, something other than Jamf Pro is still using it and needs to be found first. To deactivate the key, use the following procedure.

1. Log into the AWS console.

2. Select the IAM service.

3. Identify and select the existing AWS IAM programmatic user account referenced in pre-requisite B above.

4. For that user account, select Security Credentials.

5. Identify the previously-used access key.

6. Click the Actions menu. In the Actions menu, select Deactivate.

7. Confirm that you want to deactivate the previously-used access key.

Once deactivated, the previously-used access key should still be shown in the AWS console as a deactivated access key.

Note: This deactivated access key is still taking up a slot as one of the two access keys associated with the AWS IAM programmatic user account, so it will need to be deleted before you'll be able to set up a new access key later. Deactivating first and deleting afterwards gives you a window in which the key can be reactivated if something unexpected breaks; once deleted, a key cannot be recovered. To delete a deactivated access key, use the procedure shown below:

1. Log into the AWS console.

2. Select the IAM service.

3. Identify and select the existing AWS IAM programmatic user account referenced in pre-requisite B above.

4. For that user account, select Security Credentials.

5. Identify the deactivated access key.

6. Click the Actions menu. In the Actions menu, select Delete.

7. Confirm that you want to delete the deactivated access key by entering the deactivated access key into the relevant text input field, then click the Delete button.

Once deleted, the deactivated access key’s listing is removed from the AWS console.
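The same rotation driven through the AWS CLI instead of the IAM console, added here as an example and not part of the original post. It covers the step 5 pre-check on the two-key limit, creating the second key, and the deactivate-then-delete retirement of the previous key, with a last-used check before deletion. It assumes the AWS CLI is installed and authenticated as a principal allowed to manage the programmatic user's access keys, that the IAM user name is passed on the command line, and that the new key's CreateDate is a good enough stand-in for "when Jamf Pro was switched over" (the script's own convention). The Jamf Pro steps stay manual; the script only prints what to enter there.

```python
"""Rotate the IAM access key behind a Jamf Pro AWS cloud distribution point
using the AWS CLI. Added example; assumes `aws` is installed and authenticated."""
import json
import subprocess
from datetime import datetime


def aws(*args):
    """Run one AWS CLI command with JSON output and return the parsed result.
    Commands with no output (update/delete) return an empty dict."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def classify_keys(list_response):
    """Step 5 pre-check on an `aws iam list-access-keys` response.
    IAM allows at most two access keys per user, so the second slot must be
    free (and the one existing key active) before rotation can start."""
    keys = list_response["AccessKeyMetadata"]
    active = [k for k in keys if k["Status"] == "Active"]
    inactive = [k for k in keys if k["Status"] == "Inactive"]
    if len(active) >= 2:
        return "stop-two-active"        # another consumer may own the second key
    if len(active) == 1 and inactive:
        return "delete-inactive-first"  # a dead key is occupying the free slot
    if len(active) == 1:
        return "proceed"
    return "no-active-key"              # outside the post's assumptions


def previous_key(list_response):
    """With two keys present, the previously-used key is the older one."""
    keys = list_response["AccessKeyMetadata"]
    return min(keys, key=lambda k: datetime.fromisoformat(k["CreateDate"]))["AccessKeyId"]


def used_since(last_used_response, rotated_at):
    """True if `aws iam get-access-key-last-used` shows the key being used at or
    after `rotated_at` (ISO-8601), i.e. something besides Jamf Pro still relies
    on it. A never-used key carries no LastUsedDate at all."""
    info = last_used_response.get("AccessKeyLastUsed", {})
    last = info.get("LastUsedDate")
    if not last:
        return False
    return datetime.fromisoformat(last) >= datetime.fromisoformat(rotated_at)


def create_new_key(user_name):
    """Steps 5-10: refuse unless exactly one active key exists, then create the second."""
    state = classify_keys(aws("iam", "list-access-keys", "--user-name", user_name))
    if state != "proceed":
        raise SystemExit(f"not rotating: access key state is {state!r}")
    key = aws("iam", "create-access-key", "--user-name", user_name)["AccessKey"]
    # The secret is returned only in this response and can never be fetched again.
    print("Access key ID:    ", key["AccessKeyId"])
    print("Secret access key:", key["SecretAccessKey"])
    print("Enter both in Jamf Pro (Settings: Server: Cloud Distribution Point),"
          " Save, then Test. Keep this CreateDate for the retire step:", key["CreateDate"])
    return key["AccessKeyId"], key["CreateDate"]


def retire_previous_key(user_name, rotated_at):
    """Deactivate and then delete the old key once Jamf Pro tests clean on the new one."""
    listing = aws("iam", "list-access-keys", "--user-name", user_name)
    if len(listing["AccessKeyMetadata"]) != 2:
        raise SystemExit("expected exactly two keys (old and new); refusing to guess")
    old_id = previous_key(listing)
    last_used = aws("iam", "get-access-key-last-used", "--access-key-id", old_id)
    if used_since(last_used, rotated_at):
        raise SystemExit(f"{old_id} was used after rotation; find that consumer first")
    aws("iam", "update-access-key", "--user-name", user_name,
        "--access-key-id", old_id, "--status", "Inactive")
    aws("iam", "delete-access-key", "--user-name", user_name, "--access-key-id", old_id)
    return old_id


if __name__ == "__main__":
    import sys
    # usage: rotate.py <iam-user> create
    #        rotate.py <iam-user> retire <CreateDate printed by the create step>
    if sys.argv[2] == "create":
        create_new_key(sys.argv[1])
    elif sys.argv[2] == "retire":
        print("deleted", retire_previous_key(sys.argv[1], sys.argv[3]))
```

IAM reports last-used data with some lag, so run the retire step only after the Jamf Pro test has passed and enough time has gone by for the old key to show up as used if anything else still depends on it. Running `create` against a user that already has two active keys exits without touching anything, which matches the stop-here guidance in the procedure above.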


Source: https://derflounder.wordpress.com/2025/02/28/rotating-the-credentials-for-a-jamf-pro-aws-cloud-distribution-point/