I am using Rekognition DetectFaces from the AWS SDK. I want to grant a policy so that DetectFaces can only use images from S3. How can I do that?
This is my granted policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "rekognition:DetectFaces",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
According to Actions, resources, and condition keys for Amazon Rekognition - Service Authorization Reference, the DetectFaces() API call does not accept any Condition parameters.
Therefore, it is not possible to assign permissions that limit the use of this function based on a Condition. A user either has permission to call it, or they have no permission to call it.
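Added example (not part of the original question or answer): a small check showing why the question's first statement grants nothing, next to a constructed corrected policy. It assumes, per the Service Authorization Reference, that `rekognition:DetectFaces` defines no resource types and so only matches `Resource: "*"`; the helper names and the Sids in `CORRECTED_POLICY` are made up for illustration. Neither policy can force S3-only input, for the reason given in the answer.

```python
from fnmatch import fnmatchcase

# Assumption: actions the Service Authorization Reference lists with no
# resource types; an Allow statement only matches them with Resource "*".
NO_RESOURCE_TYPES = {"rekognition:detectfaces"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def ineffective_statements(policy):
    """Return (Sid, action) pairs that name a resource-less action but
    scope it to specific ARNs, so the Allow never matches the call."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        resources = stmt.get("Resource")
        if stmt.get("Effect") != "Allow" or resources is None:
            continue
        if "*" in as_list(resources):
            continue
        for pattern in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may contain wildcards.
            if any(fnmatchcase(a, pattern.lower()) for a in NO_RESOURCE_TYPES):
                findings.append((stmt.get("Sid"), pattern))
    return findings

def statement(sid, action, resource):
    return {"Sid": sid, "Effect": "Allow", "Action": action, "Resource": resource}

# The policy from the question, rebuilt as a Python dict.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    statement("VisualEditor1", "rekognition:DetectFaces", "arn:aws:s3:::my-bucket/*"),
    statement("VisualEditor2", "s3:*Object", "arn:aws:s3:::my-bucket/*"),
]}

# Constructed alternative: DetectFaces on "*", and S3 access narrowed to
# reading objects from the one bucket that holds the images.
CORRECTED_POLICY = {"Version": "2012-10-17", "Statement": [
    statement("AllowDetectFaces", "rekognition:DetectFaces", "*"),
    statement("ReadImagesFromBucket", "s3:GetObject", "arn:aws:s3:::my-bucket/*"),
]}

if __name__ == "__main__":
    print(ineffective_statements(QUESTION_POLICY))
    print(ineffective_statements(CORRECTED_POLICY))
```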