WebAppS3BucketPolicy fails as of April 2023

[vzaluckis]

Hi.
I am facing an issue trying to deploy a full-stack serverless application that used to work to another AWS account. The error is

Error:
CREATE_FAILED: WebAppS3BucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied

I have spent some time trying to understand what's going on, and found these articles:

• https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/
• https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/

I tried creating a simple CloudFormation stack with just a bucket and a policy, made sure the Block Public Access setting is turned off for my IAM account and the Root account, and the template failed with the same error! Inspecting the created bucket I see that despite all the account settings it still has a Block Public Access setting on by default!

I believe the resource template and the policy preparation code must be changed to specify this setting explicitly for the app bucket. Can you do this? I have several projects depending on fullstack-serverless, it will be very unfortunate if I will not be able to deploy them anymore.

Thanks in advance!

[vzaluckis]

For anyone interested in a quick workaround, I have implemented a custom plugin that you add to the end of your plugins list. It fixes the policy creation problem for now, but I believe it is still not a solution, but rather a workaround.

"use strict";

const _ = require('lodash');

class FixS3PublicAccessPlugin {
  constructor(serverless) {
    this.error = serverless.classes.Error;
    this.serverless = serverless;

    this.hooks = {
      'before:aws:package:finalize:mergeCustomProviderResources': this.fixAppBucketPublicAccess.bind(this)
    };
  }

  fixAppBucketPublicAccess() {
    const baseResources = this.serverless.service.provider.compiledCloudFormationTemplate;
    const isSinglePageApp = !!this.serverless.service.custom.fullstack?.singlePageApp;

    if (!isSinglePageApp) {
      const bucketConfigProps = baseResources.Resources?.WebAppS3Bucket?.Properties;
      if (!bucketConfigProps)
        throw new this.error("WebAppS3Bucket resource is not defined. Move this plugin lower in the plugins list.");

      this.serverless.cli.log(`Fixing WebApp bucket access ...`);

      bucketConfigProps.PublicAccessBlockConfiguration = {
        BlockPublicAcls: false,
        BlockPublicPolicy: false,
        IgnorePublicAcls: false,
        RestrictPublicBuckets: false
      };
    }

    return baseResources;
  }
}

module.exports = FixS3PublicAccessPlugin;

[sc0ttdav3y]

I started using this plugin in December 2023 and I expected to see this, but for me it's working without the need for any workaround.