Release 1.1.4

Author: davelemons

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.4] - 2023-05-03
+
+### Changed
+- Modified S3 Bucket creation setting S3 ObjectOwnership to `BucketOwnerPreferred` to enable ACLs. [More Information...](https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/)
+- Modifyed S3 Deny policies from S3:Bucket to S3:* on the TLS enforcement IAM permissions as this may set off some compliance alarms.
+
 ## [1.1.3] - 2023-03-16
 
 ### Changed

README.md

@@ -1,6 +1,10 @@
 # Voicemail for Amazon Connect
 This solutions deploys the resources necessary to configure a voicemail system to use with Amazon Connect. See [Solution Architecture](https://aws.amazon.com/solutions/implementations/voicemail-for-amazon-connect/).
 
+> Starting in April 2023 Amazon S3 made a change to set the **Bucket Owner Enforced Setting** to be enabled for any newly completed buckets which disables **ACLs**. Since this solution uses Default ACLs, this new default will prevent the CloudFormation stack from deploying. [More Information...](https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/). 
+
+The master and development branches have been updated to account for the recent S3 changes.  Updated CloudFormation Templates and deployment instructions can be [found here](https://aws-contact-center-blog.s3.us-west-2.amazonaws.com/voicemail-s3-default-acl-issue/vmv1s3fix.zip)
+
 ## Development Branch
 We have added a new branch to this solution: the "development" branch. The "development" branch contains the same solution, but has a simplified build system that removes complexities introduced by the AWS Solution. If you would like to pull down this code to modify it for your own testing, you should use the "development" branch. The "development" branch is where we will accept PRs and continue to build out the Voicemail solution with more functionality based on feedback from users. We will update the "master" branch with changes from the "development" branch twice a year.
 

deployment/aws-connect-vm.template

@@ -2327,6 +2327,13 @@
         "VersioningConfiguration": {
           "Status": "Enabled"
         },
+        "OwnershipControls":{
+          "Rules": [
+            {
+                "ObjectOwnership": "BucketOwnerPreferred"
+            }
+          ]
+        },
         "PublicAccessBlockConfiguration": {
           "BlockPublicAcls": true,
           "BlockPublicPolicy": true,
@@ -3622,7 +3629,7 @@
             {
               "Effect": "Deny",
               "Principal": "*",
-              "Action": "s3:GetObject",
+              "Action": "s3:*",
               "Resource": {
                 "Fn::Sub": "arn:aws:s3:::${AudioRecordingsBucket}/*"
               },

deployment/cloudfront.template

@@ -75,7 +75,7 @@ Resources:
             Resource: !Sub 'arn:aws:s3:::${PortalBucket}/*'
             Principal:
               CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
-          - Action: "s3:GetObject"
+          - Action: "s3:*"
             Effect: Deny
             Resource: !Sub 'arn:aws:s3:::${PortalBucket}/*'
             Principal: "*"

deployment/copy-artifacts.template

@@ -52,6 +52,9 @@ Resources:
       Tags: []
       VersioningConfiguration:
         Status: Enabled
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerPreferred
       PublicAccessBlockConfiguration:
         BlockPublicAcls: True
         BlockPublicPolicy: True
@@ -77,7 +80,7 @@ Resources:
             Resource: !Sub 'arn:aws:s3:::${LambdaArtifactsBucket}/*'
             Principal:
               AWS: !Sub '${AWS::AccountId}'
-          - Action: "s3:GetObject"
+          - Action: "s3:*"
             Effect: Deny
             Resource: !Sub 'arn:aws:s3:::${LambdaArtifactsBucket}/*'
             Principal: "*"

deployment/voicemail-for-amazon-connect.template

@@ -276,6 +276,9 @@ Resources:
     PortalBucket:
       Type: AWS::S3::Bucket
       Properties:
+        OwnershipControls:
+          Rules:
+            - ObjectOwnership: BucketOwnerPreferred
         PublicAccessBlockConfiguration:
           BlockPublicAcls: True
           BlockPublicPolicy: True
@@ -306,7 +309,7 @@ Resources:
         PolicyDocument:
           Statement:
             - Action:
-                - "s3:GetObject"
+                - "s3:*"
               Effect: "Deny"
               Resource: !Sub 'arn:aws:s3:::${VoicemailAccessLogBucket}/*'
               Principal: "*"
@@ -318,6 +321,9 @@ Resources:
       Type: AWS::S3::Bucket
       Properties:
         AccessControl: "LogDeliveryWrite"
+        OwnershipControls:
+          Rules:
+            - ObjectOwnership: BucketOwnerPreferred
         PublicAccessBlockConfiguration:
           BlockPublicAcls: True
           BlockPublicPolicy: True

source/aws-connect-vm-portal/templates/cloudfront.yml

@@ -29,6 +29,9 @@ Resources:
   PortalBucket:
     Type: AWS::S3::Bucket
     Properties:
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerPreferred
       PublicAccessBlockConfiguration:
         BlockPublicAcls: True
         BlockPublicPolicy: True

source/aws-connect-vm-serverless/serverless.yml

@@ -470,6 +470,9 @@ resources:
         AccessControl: LogDeliveryWrite
         VersioningConfiguration:
           Status: Enabled
+        OwnershipControls:
+          Rules:
+            - ObjectOwnership: BucketOwnerPreferred
         PublicAccessBlockConfiguration:
           BlockPublicAcls: True
           BlockPublicPolicy: True

source/tools/transform.py

@@ -158,7 +158,7 @@ def transform_template(template, save_path, lambda_zip_key, lambda_jar_key):
                         {
                             "Effect": "Deny",
                             "Principal": "*",
-                            "Action": "s3:GetObject",
+                            "Action": "s3:*",
                             "Resource": {
                                 "Fn::Sub": "arn:aws:s3:::${AudioRecordingsBucket}/*"
                             },