2 Answers
1
Hi,
There are 2 permissions you will need to add:
- In your bucket policy, you need to allow your Rekognition IAM ARN in account 2 to be able to access your S3 bucket in account 1; try with the bucket policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<bucket-name>"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<bucket-name>/*"
    }
  ]
}
- In the IAM role of your Rekognition service in account 2, you need to add a policy with permission to access the cross-account S3 bucket, for example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>/*",
        "arn:aws:s3:::<bucket-name>"
      ]
    }
  ]
}
In addition, if your S3 bucket is encrypted, you will need to modify the KMS key policy as well as the Rekognition service role to allow the Rekognition service role to encrypt and decrypt using the key. For example, for the Rekognition service role, add this additional policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>/*",
        "arn:aws:s3:::<bucket-name>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "{REPLACE_WITH_YOUR_KMS_KEY_ARN}"
    }
  ]
}
For the KMS key policy, allow account 2 to use the KMS key in account 1 (the data account with the S3 bucket).
Let me know how it goes,
answered a year ago
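The answer's central point is that cross-account access needs an Allow on both sides: the bucket policy in account 1 must name the account-2 role, and the role's own identity policy must grant the action. The following is an added example, not code from the thread or from AWS: a small simplified IAM evaluator over the two policies above, with constructed placeholder ARNs and bucket name, and a role policy that lists the required actions instead of the thread's "s3:*".

```python
import fnmatch
# Constructed placeholders; the thread writes {REPLACE_WITH_YOUR_IAM_ARN} and <bucket-name>.
ROLE_ARN = "arn:aws:iam::222222222222:role/RekognitionServiceRole"  # account 2 (Rekognition)
BUCKET_ARN = "arn:aws:s3:::example-data-bucket"                       # account 1 (data)
# Resource-based policy on the bucket in account 1, same shape as the one in the thread.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
         "Resource": BUCKET_ARN + "/*"},
    ],
}

# Identity-based policy on the Rekognition role in account 2. The thread grants "s3:*";
# naming only the required actions is the least-privilege form and passes the same check.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

def _matches(patterns, value):
    # IAM-style "*" / "?" wildcards; fnmatch has the same semantics for these characters.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _statement_matches(stmt, action, resource, principal):
    if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
        return False
    # Identity policies carry no Principal element; resource policies must name the caller.
    return principal is None or _matches(stmt.get("Principal", {}).get("AWS", []), principal)

def policy_decision(policy, action, resource, principal=None):
    """Simplified IAM evaluation: an explicit Deny wins, then any Allow, else implicit deny."""
    hits = [s for s in policy["Statement"] if _statement_matches(s, action, resource, principal)]
    if any(s["Effect"] == "Deny" for s in hits):
        return "deny"
    return "allow" if any(s["Effect"] == "Allow" for s in hits) else "implicit-deny"

def cross_account_allowed(bucket_policy, role_policy, role_arn, action, resource):
    """Cross-account S3 access needs an Allow on BOTH sides, which is the thread's point."""
    return (policy_decision(bucket_policy, action, resource, role_arn) == "allow"
            and policy_decision(role_policy, action, resource) == "allow")
```

Removing either policy, or changing the principal ARN to a role from a third account, turns the result to False, which is the symptom the original question describes. Real IAM evaluation also considers SCPs, permission boundaries, conditions and session policies, which this model omits.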
0
Hi @Jady,
Thank you for your reply.
Setting the permission below alone on my Account 1's S3 bucket worked, as encryption is disabled.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<bucket-name>"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<bucket-name>/*"
    }
  ]
}
Regards
answered a year ago
Great! Please accept the answer if it works for you, and happy holidays!