Documentation Index

Fetch the complete documentation index at: https://help.yahooinc.com/llms.txt

Use this file to discover all available pages before exploring further.

Amazon S3 Exposure Logs Destination

Prev Next

In order to grant access necessary for Yahoo to deliver the feed, update the S3 bucket policy to:

  1. Allow the aolp.ds-prd.cleanroom-api, aolp.ds-prd.cleanroom-api-service, dcs.tgt-anltcs-prd.cleanroom-api-service, and dcs.tgt-anltcs-prd.cleanroom-api roles to write to and have other required privileges to the bucket.

  2. Enforce encrypted transport and storage.

Sample Policy

{
    "Version": "2023-10-31",
    "Id": "Policy1544453891556",
    "Statement": [
        {
            "Sid": "AllowCleanroomOutput",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::394273476801:role/aolp.ds-prd.cleanroom-api-service",
                    "arn:aws:iam::394273476801:root",
                    "arn:aws:iam::394273476801:role/aolp.ds-prd.cleanroom-api"
                   "arn:aws:iam::120569632695:role/dcs.tgt-anltcs-prd.cleanroom-api-service",
                    "arn:aws:iam::120569632695:role/dcs.tgt-anltcs-prd.cleanroom-api",
                    "arn:aws:iam::120569632695:root"
                ]
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:GetObjectAcl",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::outputbucket/outputprefix/*",
                "arn:aws:s3:::outputbucket"
            ]
        },
        {
            "Sid": "RequiredSecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::outputbucket/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "RequiredEncryptedPutObject",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::outputbucket/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}