From 5b6988df675d63e3e183191165ab58e0c85fec8c Mon Sep 17 00:00:00 2001 From: Dave Lemons Date: Thu, 4 May 2023 10:15:20 -0400 Subject: [PATCH] Release 1.1.4 --- CHANGELOG.md | 6 ++++++ README.md | 4 ++++ deployment/aws-connect-vm.template | 9 ++++++++- deployment/cloudfront.template | 2 +- deployment/copy-artifacts.template | 5 ++++- deployment/voicemail-for-amazon-connect.template | 8 +++++++- source/aws-connect-vm-portal/templates/cloudfront.yml | 3 +++ source/aws-connect-vm-serverless/serverless.yml | 3 +++ source/tools/transform.py | 2 +- 9 files changed, 37 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 19044c8..0d851c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.1.4] - 2023-05-03 + +### Changed +- Modified S3 Bucket creation setting S3 ObjectOwnership to `BucketOwnerPreferred` to enable ACLs. [More Information...](https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/) +- Modifyed S3 Deny policies from S3:Bucket to S3:* on the TLS enforcement IAM permissions as this may set off some compliance alarms. + ## [1.1.3] - 2023-03-16 ### Changed diff --git a/README.md b/README.md index bd855f3..2c129b0 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,10 @@ # Voicemail for Amazon Connect This solutions deploys the resources necessary to configure a voicemail system to use with Amazon Connect. See [Solution Architecture](https://aws.amazon.com/solutions/implementations/voicemail-for-amazon-connect/). +> Starting in April 2023 Amazon S3 made a change to set the **Bucket Owner Enforced Setting** to be enabled for any newly completed buckets which disables **ACLs**. Since this solution uses Default ACLs, this new default will prevent the CloudFormation stack from deploying. [More Information...](https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/). + +The master and development branches have been updated to account for the recent S3 changes. Updated CloudFormation Templates and deployment instructions can be [found here](https://aws-contact-center-blog.s3.us-west-2.amazonaws.com/voicemail-s3-default-acl-issue/vmv1s3fix.zip) + ## Development Branch We have added a new branch to this solution: the "development" branch. The "development" branch contains the same solution, but has a simplified build system that removes complexities introduced by the AWS Solution. If you would like to pull down this code to modify it for your own testing, you should use the "development" branch. The "development" branch is where we will accept PRs and continue to build out the Voicemail solution with more functionality based on feedback from users. We will update the "master" branch with changes from the "development" branch twice a year. diff --git a/deployment/aws-connect-vm.template b/deployment/aws-connect-vm.template index 041f774..1778fc2 100644 --- a/deployment/aws-connect-vm.template +++ b/deployment/aws-connect-vm.template 
@@ -2327,6 +2327,13 @@
 "VersioningConfiguration": {
 "Status": "Enabled"
 },
+ "OwnershipControls":{
+ "Rules": [
+ {
+ "ObjectOwnership": "BucketOwnerPreferred"
+ }
+ ]
+ },
 "PublicAccessBlockConfiguration": {
 "BlockPublicAcls": true,
 "BlockPublicPolicy": true,
@@ -3622,7 +3629,7 @@
 {
 "Effect": "Deny",
 "Principal": "*",
- "Action": "s3:GetObject",
+ "Action": "s3:*",
 "Resource": {
 "Fn::Sub": "arn:aws:s3:::${AudioRecordingsBucket}/*"
 },
diff --git a/deployment/cloudfront.template b/deployment/cloudfront.template
index 6df9721..bc9d0d3 100755
--- a/deployment/cloudfront.template
+++ b/deployment/cloudfront.template
@@ -75,7 +75,7 @@ Resources:
 Resource: !Sub 'arn:aws:s3:::${PortalBucket}/*'
 Principal:
 CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
- - Action: "s3:GetObject"
+ - Action: "s3:*"
 Effect: Deny
 Resource: !Sub 'arn:aws:s3:::${PortalBucket}/*'
 Principal: "*"
diff --git a/deployment/copy-artifacts.template b/deployment/copy-artifacts.template
index 5f0167e..62c1578 100755
--- a/deployment/copy-artifacts.template
+++ b/deployment/copy-artifacts.template
@@ -52,6 +52,9 @@ Resources:
 Tags: []
 VersioningConfiguration:
 Status: Enabled
+ OwnershipControls:
+ Rules:
+ - ObjectOwnership: BucketOwnerPreferred
 PublicAccessBlockConfiguration:
 BlockPublicAcls: True
 BlockPublicPolicy: True
@@ -77,7 +80,7 @@ Resources:
 Resource: !Sub 'arn:aws:s3:::${LambdaArtifactsBucket}/*'
 Principal:
 AWS: !Sub '${AWS::AccountId}'
- - Action: "s3:GetObject"
+ - Action: "s3:*"
 Effect: Deny
 Resource: !Sub 'arn:aws:s3:::${LambdaArtifactsBucket}/*'
 Principal: "*"
diff --git a/deployment/voicemail-for-amazon-connect.template b/deployment/voicemail-for-amazon-connect.template
index 4a2018d..754bb57 100644
--- a/deployment/voicemail-for-amazon-connect.template
+++ b/deployment/voicemail-for-amazon-connect.template
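Review bot: `BucketOwnerPreferred` re-enables ACLs on the bucket at line 2327, but nothing in the hunk shows this bucket using one, so `BucketOwnerEnforced` (the S3 default since April 2023, which disables ACLs and gives the bucket owner every object) would be the tighter setting unless an uploader outside the hunk still writes with a canned ACL — worth confirming before release. The same question applies to the `OwnershipControls` added for LambdaArtifactsBucket in deployment/copy-artifacts.template and for PortalBucket in deployment/voicemail-for-amazon-connect.template and source/aws-connect-vm-portal/templates/cloudfront.yml. The two log buckets that carry `AccessControl: "LogDeliveryWrite"` (deployment/voicemail-for-amazon-connect.template and source/aws-connect-vm-serverless/serverless.yml) do need ACLs enabled as written; if their log delivery is later granted through a bucket policy for the S3 logging service principal instead of the canned ACL, they could be enforced as well. In the YAML templates a comment beside each rule, such as `# ACLs must stay enabled: access-log delivery writes with the LogDeliveryWrite canned ACL` on the log buckets, would stop the next maintainer from tightening or reverting it blindly.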
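Review bot: Widening the Deny to `s3:*` while leaving `Resource` at `arn:aws:s3:::${AudioRecordingsBucket}/*` still leaves bucket-level actions (ListBucket, GetBucketPolicy, the bucket configuration calls) outside the statement, because those match the bucket ARN without `/*`; if this is the TLS-enforcement statement the changelog describes (its Condition is outside the hunk), the usual shape lists both ARNs: `"Resource": [{ "Fn::Sub": "arn:aws:s3:::${AudioRecordingsBucket}" }, { "Fn::Sub": "arn:aws:s3:::${AudioRecordingsBucket}/*" }]`. The same single-ARN resource is kept in the widened Deny statements of deployment/cloudfront.template (PortalBucket), deployment/copy-artifacts.template (LambdaArtifactsBucket), deployment/voicemail-for-amazon-connect.template (VoicemailAccessLogBucket) and the same literal inside transform_template in source/tools/transform.py. Since the Python tool now embeds the same statement as the JSON template, a one-line comment in transform_template saying the two copies must be kept in step would help. The enclosing policy statement begins and ends outside the hunk.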
@@ -276,6 +276,9 @@ Resources:
 PortalBucket:
 Type: AWS::S3::Bucket
 Properties:
+ OwnershipControls:
+ Rules:
+ - ObjectOwnership: BucketOwnerPreferred
 PublicAccessBlockConfiguration:
 BlockPublicAcls: True
 BlockPublicPolicy: True
@@ -306,7 +309,7 @@ Resources:
 PolicyDocument:
 Statement:
 - Action:
- - "s3:GetObject"
+ - "s3:*"
 Effect: "Deny"
 Resource: !Sub 'arn:aws:s3:::${VoicemailAccessLogBucket}/*'
 Principal: "*"
@@ -318,6 +321,9 @@ Resources:
 Type: AWS::S3::Bucket
 Properties:
 AccessControl: "LogDeliveryWrite"
+ OwnershipControls:
+ Rules:
+ - ObjectOwnership: BucketOwnerPreferred
 PublicAccessBlockConfiguration:
 BlockPublicAcls: True
 BlockPublicPolicy: True
diff --git a/source/aws-connect-vm-portal/templates/cloudfront.yml b/source/aws-connect-vm-portal/templates/cloudfront.yml
index 8635a84..b2bb8e1 100755
--- a/source/aws-connect-vm-portal/templates/cloudfront.yml
+++ b/source/aws-connect-vm-portal/templates/cloudfront.yml
@@ -29,6 +29,9 @@ Resources:
 PortalBucket:
 Type: AWS::S3::Bucket
 Properties:
+ OwnershipControls:
+ Rules:
+ - ObjectOwnership: BucketOwnerPreferred
 PublicAccessBlockConfiguration:
 BlockPublicAcls: True
 BlockPublicPolicy: True
diff --git a/source/aws-connect-vm-serverless/serverless.yml b/source/aws-connect-vm-serverless/serverless.yml
index eaad428..db4c705 100755
--- a/source/aws-connect-vm-serverless/serverless.yml
+++ b/source/aws-connect-vm-serverless/serverless.yml
@@ -470,6 +470,9 @@ resources:
 AccessControl: LogDeliveryWrite
 VersioningConfiguration:
 Status: Enabled
+ OwnershipControls:
+ Rules:
+ - ObjectOwnership: BucketOwnerPreferred
 PublicAccessBlockConfiguration:
 BlockPublicAcls: True
 BlockPublicPolicy: True
diff --git a/source/tools/transform.py b/source/tools/transform.py
index f8af6e3..bc794c6 100755
--- a/source/tools/transform.py
+++ b/source/tools/transform.py
@@ -158,7 +158,7 @@ def transform_template(template, save_path, lambda_zip_key, lambda_jar_key):
 {
 "Effect": "Deny",
 "Principal": "*",
- "Action": "s3:GetObject",
+ "Action": "s3:*",
 "Resource": {
 "Fn::Sub": "arn:aws:s3:::${AudioRecordingsBucket}/*"
 },