Security - Rekognition


You can secure the management of your projects, models, and the DetectCustomLabels operation that your customers use to detect custom labels.

For more information about securing Amazon Rekognition, see Amazon Rekognition Security.

Securing Amazon Rekognition Custom Labels projects

You can secure your Amazon Rekognition Custom Labels projects by specifying the resource-level permissions that are specified in identity-based policies. For more information, see Identity-Based Policies and Resource-Based Policies.

The Amazon Rekognition Custom Labels resources that you can secure are:

Resource Amazon Resource Name Format





The following example policy shows how to give an identity permission to:

  • Describe all projects.

  • Create, start, stop, and use a specific model for inference.

  • Create a project. Create and describe a specific model.

  • Deny the creation of a specific project.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllResources", "Effect": "Allow", "Action": "rekognition:DescribeProjects", "Resource": "*" }, { "Sid": "SpecificProjectVersion", "Effect": "Allow", "Action": [ "rekognition:StopProjectVersion", "rekognition:StartProjectVersion", "rekognition:DetectCustomLabels", "rekognition:CreateProjectVersion" ], "Resource": "arn:aws:rekognition:*:*:project/MyProject/version/MyVersion/*" }, { "Sid": "SpecificProject", "Effect": "Allow", "Action": [ "rekognition:CreateProject", "rekognition:DescribeProjectVersions", "rekognition:CreateProjectVersion" ], "Resource": "arn:aws:rekognition:*:*:project/MyProject/*" }, { "Sid": "ExplicitDenyCreateProject", "Effect": "Deny", "Action": [ "rekognition:CreateProject" ], "Resource": ["arn:aws:rekognition:*:*:project/SampleProject/*"] } ] }

Securing DetectCustomLabels

The identity used to detect custom labels might be different from the identity that manages Amazon Rekognition Custom Labels models.

You can secure access an identity’s access to DetectCustomLabels by applying a policy to the identity. The following example restricts access to DetectCustomLabels only and to a specific model. The identity doesn’t have access to any of the other Amazon Rekognition operations.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rekognition:DetectCustomLabels" ], "Resource": "arn:aws:rekognition:*:*:project/MyProject/version/MyVersion/*" } ] }

AWS managed policies

We provide the AmazonRekognitionCustomLabelsFullAccess AWS managed policy that you can use to control access to Amazon Rekognition Custom Labels. For more information, see AWS managed policy: AmazonRekognitionCustomLabelsFullAccess.