Cross-Account S3 bucket access from Rekognition Service

0

Hi,

I have two different AWS accounts.

Account 1: Stores images and videos inside an S3 bucket in region us-east-1
Account 2: Rekognition service is running in region us-east-1

From my application I am able to use the Rekognition service and get content moderation labels if my Rekognition service and S3 bucket belong to the same account and region (e.g. both belong to Account 2).

But when I try to access S3 bucket data from a different account, it gives me an error (e.g. S3 bucket created by Account 1, and Rekognition service running in Account 2).

Error:

software.amazon.awssdk.services.rekognition.model.InvalidS3ObjectException: Unable to get object metadata from S3. Check object key, region and/or access permissions. (Service: Rekognition, Status Code: 400, Request ID: 9c15c94b-0568-4f59-bfae-5b21927e52c1)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleErrorResponse(CombinedResponseHandler.java:125)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleResponse(CombinedResponseHandler.java:82)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:60)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:41)

I have also tried setting the bucket policy mentioned below, but nothing is working. I don't want to copy data from Account 1 to Account 2 and run the service. Is there any way to run the Rekognition content moderation service in Account 2 and access data from Account 1?

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<account-id>:user/<username>"
			},
			"Action": "s3:*",
			"Resource": "arn:aws:s3:::<bucket-name>"
		}
	]
}

Not able to figure out what I am missing.

Thank You.

2 Answers
1

Hi,

There are 2 permissions you will need to add:

  1. In your bucket policy, you need to allow your Rekognition IAM ARN in account 2 to access your S3 bucket in account 1; try with the bucket policy below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>/*"
        }
    ]
}
  2. In the IAM role of your Rekognition service in account 2, you need to add a policy with permission to access the cross-account S3 bucket, for example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        }
    ]
}

In addition, if your S3 bucket is encrypted, you will need to modify the KMS key policy as well as the Rekognition service role to allow the Rekognition service role to encrypt and decrypt using the key. For example, for the Rekognition service role, add this additional policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "{REPLACE_WITH_YOUR_KMS_KEY_ARN}"
        }
    ]
}

For the KMS policy, add account 2 to be able to use the KMS key in account 1 (the data account with S3).

Let me know how it goes,

AWS
Jady
answered a year ago
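As an added illustration (not code from the answer above, from AWS, or from the asker), the following Python models the two-policy rule the answer describes and shows why the question's original bucket policy fails: its Resource names only the bucket ARN, so s3:GetObject on an object key never matches it. It also narrows the bucket grant to s3:GetObject and s3:ListBucket, which is all a read-only moderation call needs; the bucket name and role ARN are constructed placeholders.

```python
import fnmatch

# Constructed placeholder values (assumptions, not identifiers from the thread).
BUCKET = "example-media-bucket"
ROLE_ARN = "arn:aws:iam::222222222222:role/rekognition-app-role"  # role in account 2

def _as_list(v):
    return v if isinstance(v, list) else [v]

def bucket_policy(bucket, principal_arn, object_access=True):
    """Bucket policy for account 1. With object_access=False it mirrors the
    question's policy: s3:* on the bucket ARN only, so no object-level grant."""
    stmts = [{"Effect": "Allow", "Principal": {"AWS": principal_arn},
              "Action": "s3:ListBucket" if object_access else "s3:*",
              "Resource": f"arn:aws:s3:::{bucket}"}]
    if object_access:  # read-only is all content moderation needs
        stmts.append({"Effect": "Allow", "Principal": {"AWS": principal_arn},
                      "Action": "s3:GetObject",
                      "Resource": f"arn:aws:s3:::{bucket}/*"})
    return {"Version": "2012-10-17", "Statement": stmts}

def identity_policy(bucket):
    """Identity policy attached to the role in account 2 (no Principal element)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}

def _statement_allows(stmt, action, resource, principal_arn):
    if stmt.get("Effect") != "Allow":
        return False
    if principal_arn is not None:  # resource policies name the caller explicitly
        allowed = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal_arn not in allowed and "*" not in allowed:
            return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def policy_allows(policy, action, resource, principal_arn=None):
    return any(_statement_allows(s, action, resource, principal_arn)
               for s in policy["Statement"])

def cross_account_allows(bucket_pol, identity_pol, principal_arn, action, resource):
    """Toy model of the cross-account rule: a caller from another account gets
    access only if BOTH the bucket policy and its own identity policy allow the
    action on that resource (explicit Deny, SCPs and KMS are out of scope)."""
    return (policy_allows(bucket_pol, action, resource, principal_arn)
            and policy_allows(identity_pol, action, resource))
```

The model deliberately ignores explicit Deny statements, SCPs and KMS key policies, so a True result here is necessary but not sufficient for a real request to succeed.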
0

Hi @Jady,

Thank you for your reply.

Setting the permission below alone on my Account 1 S3 bucket worked, as encryption is disabled.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>/*"
        }
    ]
}

Regards

answered a year ago
  • Great! Please accept the answer if it works for you, and happy holidays!
