Step 7: (Optional) Using your own AWS Key Management Service key
You can use AWS Key Management Service (KMS) to manage encryption for the input images that you store in Amazon S3 buckets.
By default, your images are encrypted with a key that AWS owns and manages. You can also choose to use your own AWS Key Management Service (KMS) key. For more information, see AWS Key Management Service concepts.
If you want to use your own KMS key, use the following policy to specify the KMS key. Change kms_key_arn to the ARN of the KMS key (or KMS alias ARN) that you want to use. Alternatively, specify * to use any KMS key. For information about adding the policy to an IAM user or role, see Creating IAM Policies.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LookoutVisionKmsDescribeAccess",
                "Effect": "Allow",
                "Action": "kms:DescribeKey",
                "Resource": "kms_key_arn"
            },
            {
                "Sid": "LookoutVisionKmsCreateGrantAccess",
                "Effect": "Allow",
                "Action": "kms:CreateGrant",
                "Resource": "kms_key_arn",
                "Condition": {
                    "StringLike": {
                        "kms:ViaService": "lookoutvision.*.amazonaws.com"
                    },
                    "Bool": {
                        "kms:GrantIsForAWSResource": "true"
                    }
                }
            }
        ]
    }