
Access control for AWS Managed services

Our organization is planning to use AWS managed services like Rekognition, Textract, etc. Since these services use S3 buckets for face comparison and document analysis, the concern is that end users shouldn't be able to access buckets outside our organization. Is there any way I can limit access to only the S3 buckets in my organization? Buckets can be created on the fly by users, so the access control should cover all the buckets in the account. We're also using VPC endpoints for these services.

There is no capability to configure Rekognition such that it can only use buckets within a specific AWS account.

Objects in Amazon S3 are private by default. IAM users in your organization will only have access to buckets for which they have been granted access via a policy on their IAM user, or via a bucket policy on the bucket itself.

If a user references an S3 object in a call to Amazon Rekognition, the user must have access to the bucket via an IAM policy or bucket policy. If they can access the object, then they can use the object with Rekognition.

In other words, if they have general access to an object (e.g. to download the object), then they can use Rekognition with it.
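Since the lever is the caller's own S3 permissions rather than a Rekognition setting, the practical way to meet the "only buckets in our account" requirement is a Deny statement on the principals themselves, keyed on the account that owns the S3 resource. The policy below is an added example, not code from the original post or from AWS documentation; it assumes the account ID is 111122223333 (an illustrative placeholder) and relies on the `aws:ResourceAccount` global condition key, which is populated with the owning account of the bucket or object being accessed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3OutsideOurAccount",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceAccount": "111122223333"
        }
      }
    }
  ]
}
```

Because the Deny is evaluated against whatever bucket the user names in a Rekognition or Textract request, it applies to buckets created on the fly as well, which a per-bucket allow-list would not. Attach it where it cannot be bypassed by a newly created user: as a Service Control Policy in AWS Organizations, or at least as a permissions boundary, rather than as an inline policy on individual users. The same condition can be placed in the S3 gateway VPC endpoint policy so that traffic leaving via the endpoint is also confined to buckets the account owns. Verify the result with the IAM policy simulator against both an in-account and a cross-account bucket ARN before rolling it out, since an explicit Deny on `s3:*` will also block any legitimate cross-account data sources the organization already uses.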
