Cross-Account S3 bucket access from Rekognition Service

0

Hi,

I have two different AWS accounts.

Account 1: Stores images and videos inside s3 bucket in region us-east-1
Account 2: Rekognition service is running in region us-east-1

From my application I am able to use the Rekognition service and get content moderation labels if my Rekognition service and S3 bucket belong to the same account and region (e.g. both belong to Account 2).

But when I am trying to access S3 bucket data from a different account, it's giving me an error (e.g. S3 bucket created by Account 1, and Rekognition service running in Account 2).

Error:

software.amazon.awssdk.services.rekognition.model.InvalidS3ObjectException: Unable to get object metadata from S3. Check object key, region and/or access permissions. (Service: Rekognition, Status Code: 400, Request ID: 9c15c94b-0568-4f59-bfae-5b21927e52c1)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleErrorResponse(CombinedResponseHandler.java:125)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleResponse(CombinedResponseHandler.java:82)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:60)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:41)


I have also tried setting the bucket policy below, but nothing is working. I don't want to copy data from Account 1 to Account 2 and run the service. Is there any way to run the Rekognition content moderation service in Account 2 and access data from Account 1?

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<account-id>:user/<username>"
			},
			"Action": "s3:*",
			"Resource": "arn:aws:s3:::<bucket-name>"
		}
	]
}

Not able to figure out what I am missing.

Thank You.

2 answers
1

Hi,

There are 2 permissions you will need to add:

  1. In your bucket policy, you need to allow your Rekognition IAM ARN in account 2 to be able to access your S3 bucket in account 1; try with the bucket policy below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>/*"
        }
    ]
}
  2. In the IAM role of your Rekognition service in account 2, you need to add the policy with permission to access the cross-account S3 bucket, for example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        }
    ]
}

In addition, if your S3 bucket is encrypted, you will need to modify the KMS key policy as well as the Rekognition service role to allow the Rekognition service role to be able to encrypt and decrypt using the key. For example, for the Rekognition service role, add this additional policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "{REPLACE_WITH_YOUR_KMS_KEY_ARN}"
        }
    ]
}

For the KMS policy, add account 2 to be able to use the KMS key in account 1 (the data account with the S3 bucket).

Let me know how it goes,

AWS
Jady
answered a year ago
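Editor's note, added to this thread as an illustration (this is not Jady's code and not anything AWS publishes): the script below generates a read-only version of the two policies the answer describes (bucket policy in the data account, identity policy in the Rekognition account, plus an optional KMS statement) and includes a small evaluator that shows why a bucket policy whose Resource is only the bucket ARN cannot satisfy s3:GetObject, which is what the question's original policy did. Account IDs, bucket name, role ARN and key ARN are constructed placeholders. The evaluator is deliberately simplified: it handles Principal, Action and Resource wildcards and explicit Deny, but ignores Condition, NotAction, SCPs and the identity-side policy.

```python
"""Least-privilege cross-account S3 policies for a Rekognition caller, plus a
simplified bucket-policy check. Added example; all identifiers are constructed."""
import fnmatch
import json

# Constructed sample identifiers (not from the thread).
DATA_ACCOUNT = "111111111111"                  # account 1: owns the bucket and data
BUCKET = "example-media-bucket"
ROLE_ARN = "arn:aws:iam::222222222222:role/rekognition-app-role"   # account 2 caller
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:" + DATA_ACCOUNT +
               ":key/00000000-0000-0000-0000-000000000000")


def bucket_policy(bucket, principal_arn):
    """Bucket policy for account 1: grant only what a Rekognition read needs.
    The answer's version also grants Put/Delete; moderation only reads."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListForRekognitionCaller", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": "s3:ListBucket",
             "Resource": "arn:aws:s3:::" + bucket},
            {"Sid": "ReadObjectsForRekognitionCaller", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": ["s3:GetObject", "s3:GetObjectVersion"],
             # Object actions need the object ARN pattern, not the bucket ARN.
             "Resource": "arn:aws:s3:::" + bucket + "/*"},
        ],
    }


def identity_policy(bucket, kms_key_arn=None):
    """Identity policy attached to the account-2 role: read-only on the bucket,
    and decrypt on the customer-managed key only when SSE-KMS is in use."""
    statements = [
        {"Sid": "ReadCrossAccountBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"],
         "Resource": ["arn:aws:s3:::" + bucket, "arn:aws:s3:::" + bucket + "/*"]},
    ]
    if kms_key_arn:
        statements.append({"Sid": "DecryptObjects", "Effect": "Allow",
                           "Action": ["kms:Decrypt", "kms:DescribeKey"],
                           "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM '*' and '?' behave like shell globs; '*' also crosses '/' as in IAM.
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    return any(_matches(p, arn) for p in _as_list(principal.get("AWS", [])))


def bucket_policy_allows(policy, principal_arn, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        if not _principal_matches(st.get("Principal", {}), principal_arn):
            continue
        if not any(_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, principal_arn, bucket, key):
    """S3 actions a Rekognition read of s3://bucket/key still lacks under this
    bucket policy. ListBucket is included as in the answer; without it a missing
    key surfaces as AccessDenied instead of NoSuchKey."""
    needed = [("s3:ListBucket", "arn:aws:s3:::" + bucket),
              ("s3:GetObject", "arn:aws:s3:::" + bucket + "/" + key)]
    return [a for a, r in needed
            if not bucket_policy_allows(policy, principal_arn, a, r)]


# Constructed to mirror the question's policy: s3:* on the bucket ARN only.
QUESTION_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Statement1", "Effect": "Allow",
                   "Principal": {"AWS": ROLE_ARN},
                   "Action": "s3:*",
                   "Resource": "arn:aws:s3:::" + BUCKET}],
}

if __name__ == "__main__":
    print("question-style policy lacks:",
          missing_permissions(QUESTION_STYLE_POLICY, ROLE_ARN, BUCKET, "img.jpg"))
    print(json.dumps(bucket_policy(BUCKET, ROLE_ARN), indent=2))
    print(json.dumps(identity_policy(BUCKET, KMS_KEY_ARN), indent=2))
```

Running it reports that the question-style policy still lacks s3:GetObject even though it grants s3:* on the bucket: object-level actions are only matched by the `bucket/*` resource pattern, which is the change both the answer and the asker's follow-up made. The generated policies drop s3:DeleteObject and s3:PutObject because a moderation call only reads the object.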
0

Hi @Jady,

Thank you for your reply.

Setting the permission below alone on my Account 1 S3 bucket worked, as encryption is disabled.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>/*"
        }
    ]
}

Regards

answered a year ago
  • Great! Please accept the answer if it works for you, and happy holidays!
