In order to grant access necessary for Yahoo to deliver the feed, update the S3 bucket policy to:
- Allow the aolp.ds-prd.cleanroom-api, aolp.ds-prd.cleanroom-api-service, dcs.tgt-anltcs-prd.cleanroom-api-service, and dcs.tgt-anltcs-prd.cleanroom-api roles to write to the bucket and to hold the other privileges they require on it.
- Enforce encrypted transport and storage.
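Sample Policy
Note: before applying this sample, replace outputbucket and outputprefix with your own bucket name and prefix, and correct two errors that make the document invalid as written. The Version element must be "2012-10-17", because "2023-10-31" is not a valid policy-language version, and a comma is missing after the aolp.ds-prd.cleanroom-api role ARN in the Principal list. The Principal list also names the account roots of 394273476801 and 120569632695, which delegates access to any identity those accounts choose to authorize rather than only the four roles listed above; confirm with the feed provider whether the root entries are required, and remove them if they are not. The RequiredSecureTransport statement covers objects (outputbucket/*) but not the bucket ARN itself, so add arn:aws:s3:::outputbucket to its Resource if bucket-level calls such as s3:ListBucket should also be refused over plain HTTP.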
{
"Version": "2023-10-31",
"Id": "Policy1544453891556",
"Statement": [
{
"Sid": "AllowCleanroomOutput",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::394273476801:role/aolp.ds-prd.cleanroom-api-service",
"arn:aws:iam::394273476801:root",
"arn:aws:iam::394273476801:role/aolp.ds-prd.cleanroom-api"
"arn:aws:iam::120569632695:role/dcs.tgt-anltcs-prd.cleanroom-api-service",
"arn:aws:iam::120569632695:role/dcs.tgt-anltcs-prd.cleanroom-api",
"arn:aws:iam::120569632695:root"
]
},
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:GetObjectAcl",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::outputbucket/outputprefix/*",
"arn:aws:s3:::outputbucket"
]
},
{
"Sid": "RequiredSecureTransport",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::outputbucket/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "RequiredEncryptedPutObject",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::outputbucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}