Merge pull request #42 from aws-solutions/release/v3.2.7

Release v3.2.7

Author: amzn-gaod

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.2.7] - 2024-11-21
+
+### Security
+
+- Security updates for npm packages
+
 ## [3.2.6] - 2024-09-17
 
 ### Security

solution-manifest.yaml

@@ -1,6 +1,6 @@
 id: SO0109
 name: live-streaming-on-aws-with-amazon-s3
-version: v3.2.6
+version: v3.2.7
 cloudformation_templates:
   - template: live-streaming-on-aws-with-amazon-s3.template
     main_template: true

source/constructs/lib/live-streaming.ts

@@ -227,6 +227,20 @@ export class LiveStreaming extends cdk.Stack {
         const mediaLiveRole = new iam.Role(this, 'MediaLiveRole', {
             assumedBy: new iam.ServicePrincipal('medialive.amazonaws.com'),
         });
+        /**
+        * MediaLive needs s3:PutObject access to show thumbnails in the console.
+        * It uses an internal bucket but doesn't expose a name for the bucket so we can't restrict by bucket name.
+        * https://docs.aws.amazon.com/medialive/latest/ug/thumbnails-enable.html#thumbnails-enable-iam
+        */
+        const thumbnailPolicyStatement = new iam.PolicyStatement({
+            actions: [ 's3:PutObject' ],
+            conditions: {
+                StringNotEquals: {
+                    's3:ResourceAccount': `${cdk.Aws.ACCOUNT_ID}`
+                }
+            }
+        });
+        thumbnailPolicyStatement.addAllResources()
         const mediaLivePolicy = new iam.Policy(this, 'mediaLivePolicy', {
             statements: [
                 new iam.PolicyStatement({
@@ -243,6 +257,7 @@ export class LiveStreaming extends cdk.Stack {
                         }
                     }
                 }),
+                thumbnailPolicyStatement,
                 new iam.PolicyStatement({
                     resources: [`arn:${cdk.Aws.PARTITION}:ssm:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:parameter/*`],
                     actions: [
@@ -527,4 +542,4 @@ export class LiveStreaming extends cdk.Stack {
             solutionId
         );
     }
-}
+}

source/constructs/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "live-streaming-on-aws-with-amazon-s3",
-  "version": "3.2.6",
+  "version": "3.2.7",
   "author": {
     "name": "Amazon Web Services",
     "url": "https://aws.amazon.com/solutions"

source/constructs/package.json

@@ -1439,6 +1439,18 @@ exports[`LiveStreaming Stack Test 1`] = `
                 ],
               },
             },
+            {
+              Action: s3:PutObject,
+              Condition: {
+                StringNotEquals: {
+                  s3:ResourceAccount: {
+                    Ref: AWS::AccountId,
+                  },
+                },
+              },
+              Effect: Allow,
+              Resource: *,
+            },
             {
               Action: [
                 ssm:DescribeParameters,

source/constructs/test/__snapshots__/live-streaming.test.ts.snap

@@ -1,6 +1,6 @@
 {
   "name": "live-streaming-single-pipeline",
-  "version": "3.2.6",
+  "version": "3.2.7",
   "author": {
     "name": "Amazon Web Services",
     "url": "https://aws.amazon.com/solutions"