2 answers
1
Hi,
There are 2 permissions you will need to add:
- In your bucket policy, you need to allow your Rekognition IAM arn in account 2 to be able to access your S3 in bucket 1, try with the bucket policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<bucket-name>"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<bucket-name>/*"
    }
  ]
}
- In the IAM role of your Rekognition service in account 2, you need to add the policy with permission to access the cross account S3 bucket, for example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>/*",
        "arn:aws:s3:::<bucket-name>"
      ]
    }
  ]
}
In addition, if your S3 bucket is encrypted, you will need to modify the KMS key policy as well as the Rekognition service role to allow the Rekognition service role to be able to encrypt and decrypt using the key, for example, for the Rekognition service role, add an additional policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>/*",
        "arn:aws:s3:::<bucket-name>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "{REPLACE_WITH_YOUR_KMS_KEY_ARN}"
    }
  ]
}
For the KMS policy, add account 2 to be able to use the KMS key in account 1 (data account with S3).
Let me know how it goes,
answered a year ago
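An added example (not code from either answer) that builds the bucket policy and role policy the answer above describes for constructed placeholder ARNs and bucket names, then lints them for the two over-grants a reviewer looks for in cross-account access: wildcard actions and principals that are not a single IAM role or user ARN. It assumes the workload needs only list/get/put/delete, so the role policy uses those explicit actions instead of the answer's "s3:*".

```python
import re
from typing import Optional

# Matches exactly one IAM role or user ARN (not "*", not an account root ARN).
IAM_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/[\w+=,.@/-]+$")
# The KMS actions the answer lists for the Rekognition service role.
KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
S3_OBJECT_ACTIONS = ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"]

def bucket_policy(principal_arn: str, bucket: str) -> dict:
    """Resource policy for the data account (account 1): one cross-account principal
    may list the bucket and read/write/delete its objects, the shape used in the answer."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal_arn},
         "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Principal": {"AWS": principal_arn},
         "Action": S3_OBJECT_ACTIONS, "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]}

def role_policy(bucket: str, kms_key_arn: Optional[str] = None) -> dict:
    """Identity policy for the Rekognition role (account 2). Grants the same explicit
    actions as the bucket policy instead of "s3:*" (assumption: nothing else is needed)
    and adds the KMS statement only when the bucket is SSE-KMS encrypted."""
    statements = [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": S3_OBJECT_ACTIONS, "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]
    if kms_key_arn:
        statements.append({"Effect": "Allow", "Action": KMS_ACTIONS, "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}

def lint_policy(policy: dict) -> list:
    """Flag what turns a cross-account grant into an over-grant: service-wide wildcard
    actions, and AWS principals that are not one IAM ARN ("*" makes the bucket public;
    an account root ARN delegates to every identity in that account)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        principal = stmt.get("Principal")
        arns = principal.get("AWS") if isinstance(principal, dict) else principal
        for arn in ([arns] if isinstance(arns, str) else (arns or [])):
            if arn == "*":
                findings.append(f"statement {i}: principal is public (*)")
            elif not IAM_ARN_RE.match(arn):
                findings.append(f"statement {i}: principal {arn} is not one IAM role/user ARN")
    return findings
```

Run `lint_policy` over both documents before applying them; an empty list means the grant is pinned to one role and no statement uses a service-wide wildcard.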
0
Hi @Jady,
Thank you for your reply.
Setting the below permission alone on my Account 1's s3 bucket worked, as encryption is disabled.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<bucket-name>"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<bucket-name>/*"
    }
  ]
}
Regards
answered a year ago
Great! Please accept the answer if it works for you, and happy holidays!