Amazon S3

Jamf Protect Documentation


You can forward data collected by the Jamf Protect Cloud to an Amazon S3 bucket.

Requirements
  • Computers that are configured to transfer data via an action configuration.

  • An Amazon S3 bucket to store your Jamf Protect data

  • An AWS Identity and Access Management (IAM) role with the following:

    • Permission to upload Jamf Protect data to an Amazon S3 bucket

    • Jamf's AWS account as a trusted entity

Note:

If you do not have an Amazon S3 bucket or you want to create a dedicated S3 bucket for Jamf Protect, you can use the Jamf-provided AWS CloudFormation template to create a new S3 bucket and the IAM role for Jamf Protect. For more information about AWS CloudFormation templates, see Working with CloudFormation templates in the AWS CloudFormation User Guide.

  1. (Optional) If you want to create an S3 bucket using the Jamf-provided CloudFormation template, do the following:
    1. Select Administrative > Data, then click the AWS CloudFormation Template download link in the Amazon S3 section.
    2. Upload the template file to your AWS environment. For instructions, see Create a stack from the CloudFormation console in the AWS CloudFormation User Guide.
  2. In Jamf Protect, click Administrative > Data.
  3. Use the Amazon S3 Forwarding switch to enable data forwarding.
  4. Select the Encrypt Forwarded Data checkbox to ensure all data forwarded from the Jamf Protect Cloud is encrypted.
  5. Enter the name of an Amazon S3 bucket to send data to.
  6. (Optional) Enter a prefix name to use for all forwarded Jamf Protect data objects.
  7. Enter the IAM Role that Jamf Protect will assume when it forwards data to your Amazon S3 bucket. This value should be in Amazon Resource Name (ARN) format.
    Example:

    arn:aws:iam::123456789012:role/S3Access

  8. Click Save.

    Jamf Protect provides an External ID to use when configuring Amazon S3 Forwarding. The ExternalId value is unique to every tenant and is included in the request to assume the role used to write data to the S3 bucket. To use the ExternalId as an additional layer of verification, include a condition element in the role's trust policy. For more information on using the ExternalId value, see The confused deputy problem in the AWS Identity and Access Management User Guide.

Any data that is sent to Jamf Protect Cloud will now be forwarded to the Amazon S3 bucket.
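
The ExternalId condition described in step 8 can be generated and checked before the role is put into use. The following is an added example, not Jamf's or AWS's own code: it builds a trust policy with an `sts:ExternalId` condition and audits an existing trust policy document for a wildcard principal or a missing condition. The principal ARN and External ID are constructed placeholders; take the real values from your Jamf Protect tenant.

```python
import json

# Constructed placeholders (assumptions): the real values come from your Jamf Protect tenant.
JAMF_PRINCIPAL = "arn:aws:iam::111122223333:root"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"

def build_trust_policy(principal, external_id):
    """Trust policy: `principal` may assume the role only when it sends `external_id`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def _as_list(value):
    # IAM allows a single value or a list in most policy fields.
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, principal, external_id):
    """Return findings for every Allow statement that grants sts:AssumeRole."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        princ = stmt.get("Principal", {})
        aws = ["*"] if princ == "*" else _as_list(princ.get("AWS", []))
        if "*" in aws:
            findings.append(f"statement {i}: wildcard principal")
        elif principal not in aws:
            findings.append(f"statement {i}: does not name the expected principal")
        # Condition keys are case-insensitive, so normalise before the lookup.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ids = {k.lower(): v for k, v in cond.items()}.get("sts:externalid", [])
        if external_id not in _as_list(ids):
            findings.append(f"statement {i}: no StringEquals match on sts:ExternalId")
    return findings

if __name__ == "__main__":
    good = build_trust_policy(JAMF_PRINCIPAL, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    weak = build_trust_policy("*", EXTERNAL_ID)   # constructed weak variant
    del weak["Statement"][0]["Condition"]
    print(audit_trust_policy(weak, JAMF_PRINCIPAL, EXTERNAL_ID))
```

An empty findings list means every statement that allows `sts:AssumeRole` names the expected principal and requires the tenant's External ID.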