Amazon Machine Learning
Developer Guide (Version Latest)

Granting Amazon ML Permissions to Output Predictions to Amazon S3

To output the results of the batch prediction operation to Amazon S3, you must grant Amazon ML the following permissions to the output location, which is provided as input to the Create Batch Prediction operation:

  • GetObject permission on your S3 bucket and prefix.

  • PutObject permission on your S3 bucket and prefix.

  • PutObjectAcl on your S3 bucket and prefix.

    • Amazon ML needs this permission to ensure that it can grant the canned ACL bucket-owner-full-control permission to your AWS account, after objects are created.

  • ListBucket permission on the S3 bucket. Unlike other actions, ListBucket must be granted bucket-wide permissions (rather than on the prefix). You can, however, scope the permission to a specific prefix by using a Condition clause.

If you use the Amazon ML console to create the batch prediction request, these permissions can be added to the bucket for you. You will be prompted to confirm whether you want to add them as you complete the steps in the wizard.

The following example policy shows how to grant permission for Amazon ML to write data to the sample location s3://examplebucket/exampleprefix, while scoping the ListBucket permission to only the exampleprefix input path, and granting the permission for Amazon ML to set put object ACLs on the output prefix:

{ "Version": "2008-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": ""}, "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::examplebucket/exampleprefix/*" }, { "Effect": "Allow", "Principal": { "Service": ""}, "Action": "s3:PutObjectAcl", "Resource": "arn:aws:s3:::examplebucket/exampleprefix/*", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }} }, { "Effect": "Allow", "Principal": {"Service": ""}, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::examplebucket", "Condition": { "StringLike": { "s3:prefix": "exampleprefix/*" }} }] }

To apply this policy to your data, you must edit the policy statement on the S3 bucket where your data resides. To edit the policy:

  1. Log into Amazon S3 Console.

  2. Click the bucket name.

  3. Click Properties.

  4. Click Edit bucket policy.

  5. Enter the policy above, customizing it as-needed.