
Amazon Advertising API is not working with custom VPC endpoint policy for S3

Amazon Advertising API is not working with custom VPC endpoint policy for S3.

I have two S3 buckets and two EC2 instances in two VPCs. I created VPC endpoints to access the S3 buckets.

I need to connect to bucket test1 from EC2-1 in VPC1 and to bucket test2 from EC2-2 in VPC2. I need to block access from EC2-1 to bucket test2 and from EC2-2 to bucket test1.

These two buckets are under one AWS account, and the same IAM user credentials are used to access both buckets.

Policy which I used for the VPC endpoint for S3 in VPC1:

{
    "Statement": [
        {
            "Sid": "Access-to-specific-bucket-only",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::test1",
                "arn:aws:s3:::test1/*"
            ]
        }
    ]
}

This policy is working fine. But I need to access the Amazon Advertising API from my EC2 instances, which now gives a connection error. It works when I give full access, which I do not want. Please help me set up a custom policy.

Note: the Amazon Advertising API URL starts with https://amazon-advertising-api-reports-prod-usamazon.s3.amazonaws.com

That looks like a URL where you can retrieve reports rather than an actual URL to the Advertising API.

Your VPC endpoint for S3 policy is permitting access to the test1 bucket, but it is not granting access to the amazon-advertising-api-reports-prod-usamazon bucket.

If you add that to your policy it will be able to access the reports.
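As an added illustration (not the answerer's code and not part of the original thread), the script below builds the VPC1 endpoint policy from the question with the reports bucket named in the answer added as a second allowed bucket, and then runs a simplified policy evaluator over a few probe requests to confirm that the other VPC's bucket and ungranted actions are still denied. The evaluator is an assumption of mine: it models only Action/Resource matching with IAM wildcard semantics and an implicit deny, which is all the page's policy uses; it ignores Condition, NotAction, NotResource and Principal matching, and it is a local sanity check, not a substitute for the AWS policy simulator.

```python
import json
import re

# Bucket names taken from the question and the answer on this page.
APP_BUCKET = "test1"
REPORTS_BUCKET = "amazon-advertising-api-reports-prod-usamazon"


def build_endpoint_policy(bucket_names,
                          actions=("s3:GetObject", "s3:ListBucket", "s3:PutObject")):
    """Return the question's endpoint policy extended to the given buckets.

    Each bucket contributes two ARNs: the bucket itself (needed by
    s3:ListBucket) and every object under it (needed by s3:GetObject and
    s3:PutObject). Principal stays "*" as in the question's policy; the
    explicit bucket list is the least-privilege lever here, rather than
    granting full S3 access to get the reports bucket working.
    """
    resources = []
    for name in bucket_names:
        resources.append(f"arn:aws:s3:::{name}")
        resources.append(f"arn:aws:s3:::{name}/*")
    return {
        "Statement": [
            {
                "Sid": "Access-to-specific-buckets-only",
                "Principal": "*",
                "Action": list(actions),
                "Effect": "Allow",
                "Resource": resources,
            }
        ]
    }


def _iam_glob(pattern):
    """Compile an IAM-style pattern ('*' = any run, '?' = one char) to a regex."""
    parts = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{parts}$")


def endpoint_allows(policy, action, resource_arn):
    """Simplified evaluator (assumption, not the AWS engine): True when some
    Allow statement matches the action and resource and no Deny matches.
    Condition, NotAction, NotResource and Principal are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        action_hit = any(_iam_glob(a).match(action) for a in actions)
        resource_hit = any(_iam_glob(r).match(resource_arn) for r in resources)
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False  # an explicit deny overrides any allow
            allowed = True
    return allowed  # implicit deny when nothing matched


def check_vpc1_policy():
    """Evaluate constructed probe requests against the VPC1 endpoint policy.

    Returns a dict of (action, resource ARN) -> allowed. The probes cover the
    app bucket, the reports bucket, the other VPC's bucket (must stay denied)
    and an action the policy never grants (must stay denied).
    """
    policy = build_endpoint_policy([APP_BUCKET, REPORTS_BUCKET])
    probes = [
        ("s3:GetObject", f"arn:aws:s3:::{APP_BUCKET}/data.csv"),
        ("s3:ListBucket", f"arn:aws:s3:::{APP_BUCKET}"),
        ("s3:GetObject", f"arn:aws:s3:::{REPORTS_BUCKET}/report.json.gz"),
        ("s3:GetObject", "arn:aws:s3:::test2/data.csv"),              # VPC2's bucket
        ("s3:DeleteObject", f"arn:aws:s3:::{APP_BUCKET}/data.csv"),   # never granted
    ]
    return {probe: endpoint_allows(policy, *probe) for probe in probes}


if __name__ == "__main__":
    print(json.dumps(build_endpoint_policy([APP_BUCKET, REPORTS_BUCKET]), indent=4))
    for (action, arn), ok in check_vpc1_policy().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {action:16} {arn}")
```

The same pattern applies to the VPC2 endpoint: build the policy from test2 plus the reports bucket, so each VPC can still reach only its own application bucket while both can fetch Advertising API reports.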
