2 Answers
1
Hi,
There are 2 permissions you will need to add:
- In your bucket policy, you need to allow your Rekognition IAM ARN in account 2 to access your S3 bucket in account 1; try the bucket policy below:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
        },
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::<bucket-name>"
      },
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
        },
        "Action": [
          "s3:DeleteObject",
          "s3:GetObject",
          "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::<bucket-name>/*"
      }
    ]
  }
- In the IAM role of your Rekognition service in account 2, you need to add a policy with permission to access the cross-account S3 bucket, for example:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:*"
        ],
        "Resource": [
          "arn:aws:s3:::<bucket-name>/*",
          "arn:aws:s3:::<bucket-name>"
        ]
      }
    ]
  }
In addition, if your S3 bucket is encrypted, you will need to modify the KMS key policy as well as the Rekognition service role to allow the Rekognition service role to encrypt and decrypt using the key. For example, for the Rekognition service role, add an additional policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>/*",
        "arn:aws:s3:::<bucket-name>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "{REPLACE_WITH_YOUR_KMS_KEY_ARN}"
    }
  ]
}
For the KMS key policy, add account 2 so that it is able to use the KMS key in account 1 (the data account with S3).
Let me know how it goes,
Answered 1 year ago
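To make the three policy documents in this answer concrete and checkable before they are deployed, here is an added example (not part of the original answer or of any AWS tooling) that builds the bucket policy for account 1, the identity policy for the Rekognition role in account 2, and the key-policy statement for an SSE-KMS key, then runs a minimal offline evaluator over them. The bucket name, account ids, role ARN and key ARN are constructed placeholders. It deliberately lists the S3 actions the bucket policy grants instead of `s3:*`, and it also checks the common mistake of granting `s3:ListBucket` on `bucket/*` rather than on the bucket ARN.

```python
"""Build and sanity-check cross-account S3 / KMS policies for a Rekognition role.

Added example; all identifiers below are constructed placeholders, not real accounts.
"""
import fnmatch
import json

BUCKET = "example-data-bucket"                                            # constructed: bucket in account 1
REKOGNITION_ROLE_ARN = "arn:aws:iam::222222222222:role/RekognitionServiceRole"  # constructed: role in account 2
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/REPLACE-WITH-KEY-ID"   # constructed placeholder

READ_ACTIONS = ("s3:GetObject",)
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject")
KMS_READ_ACTIONS = ["kms:Decrypt", "kms:DescribeKey"]
KMS_WRITE_ACTIONS = ["kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"]


def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def objects_arn(bucket):
    return f"arn:aws:s3:::{bucket}/*"


def kms_actions_for(object_actions):
    """Decrypt is enough for reads; writing SSE-KMS objects also needs key generation/encrypt."""
    writes = any(a in WRITE_ACTIONS for a in object_actions)
    return KMS_READ_ACTIONS + (KMS_WRITE_ACTIONS if writes else [])


def build_bucket_policy(bucket, principal_arn, object_actions=READ_ACTIONS):
    """Resource-based policy on the bucket in account 1. s3:ListBucket is evaluated against the
    bucket ARN and object actions against bucket/*, so they must be separate statements."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": principal_arn},
             "Action": "s3:ListBucket", "Resource": bucket_arn(bucket)},
            {"Effect": "Allow", "Principal": {"AWS": principal_arn},
             "Action": list(object_actions), "Resource": objects_arn(bucket)},
        ],
    }


def build_role_policy(bucket, object_actions=READ_ACTIONS, kms_key_arn=None):
    """Identity policy for the Rekognition role in account 2: only the actions the bucket
    policy grants (no s3:*) plus, for an SSE-KMS bucket, the matching KMS actions on that key."""
    statements = [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": bucket_arn(bucket)},
        {"Effect": "Allow", "Action": list(object_actions), "Resource": objects_arn(bucket)},
    ]
    if kms_key_arn:
        statements.append({"Effect": "Allow", "Action": kms_actions_for(object_actions),
                           "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def build_kms_key_policy_statement(principal_arn, object_actions=READ_ACTIONS):
    """Statement to append to the key policy of the key in account 1. A key policy names the key
    itself with Resource "*"; the grant goes to the specific account-2 role, not the whole account."""
    return {"Sid": "AllowRekognitionRoleFromAccount2", "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": kms_actions_for(object_actions), "Resource": "*"}


def _any_match(patterns, value, fold=False):
    """Glob-match value against a string or list of IAM patterns (actions are case-insensitive)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def policy_allows(policy, action, resource, principal_arn=None):
    """Minimal evaluator: True if some Allow statement matches action, resource and (for a
    resource-based policy) principal. Ignores Deny, Condition and NotAction: a pre-deployment
    sanity check only, not a replacement for the IAM policy simulator."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if principal_arn is not None:
            principal = st.get("Principal", {})
            allowed = principal.get("AWS", []) if isinstance(principal, dict) else principal
            if not _any_match(allowed, principal_arn):
                continue
        if _any_match(st["Action"], action, fold=True) and _any_match(st["Resource"], resource):
            return True
    return False


def missing_grants(policy, bucket, object_actions=READ_ACTIONS, principal_arn=None):
    """Return the (action, resource) pairs Rekognition needs that this policy does not allow.
    Object actions are probed with a concrete key so that a 'bucket/*' resource is exercised."""
    sample_object = f"arn:aws:s3:::{bucket}/photo.jpg"  # constructed probe key
    required = [("s3:ListBucket", bucket_arn(bucket))] + [(a, sample_object) for a in object_actions]
    return [(a, r) for a, r in required if not policy_allows(policy, a, r, principal_arn)]


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET, REKOGNITION_ROLE_ARN), indent=2))
    print(json.dumps(build_role_policy(BUCKET, kms_key_arn=KMS_KEY_ARN), indent=2))
    print(json.dumps(build_kms_key_policy_statement(REKOGNITION_ROLE_ARN), indent=2))
    print("missing:", missing_grants(build_bucket_policy(BUCKET, REKOGNITION_ROLE_ARN),
                                     BUCKET, principal_arn=REKOGNITION_ROLE_ARN))
```

Running the module prints the three documents and an empty `missing:` list; pointing `missing_grants` at a policy that puts `s3:ListBucket` on `bucket/*` reports that grant as missing, which is the usual cause of an AccessDenied on the list call even when GetObject works. The evaluator is intentionally Allow-only, so a real deployment should still be confirmed with the IAM policy simulator or a test call from the account-2 role.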
0
Hi @Jady,
Thank you for your reply.
Setting the permission below alone on my Account 1 S3 bucket worked, as encryption is disabled.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<bucket-name>"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<bucket-name>/*"
    }
  ]
}
Regards
Answered 1 year ago
Great! Please accept the answer if it works for you, and happy holidays!