Securing Amazon Rekognition Custom Labels projects Securing DetectCustomLabels AWS managed policies

Security

You can secure the management of your projects, models, and the DetectCustomLabels operation that your customers use to detect custom labels.

For more information about securing Amazon Rekognition, see Amazon Rekognition Security.

Securing Amazon Rekognition Custom Labels projects

You can secure your Amazon Rekognition Custom Labels projects by specifying the resource-level permissions that are specified in identity-based policies. For more information, see Identity-Based Policies and Resource-Based Policies.

The Amazon Rekognition Custom Labels resources that you can secure are:

Resource	Amazon Resource Name Format
Project	arn:aws:rekognition:::project/`project_name`/datetime
Model	arn:aws:rekognition:::project/`project_name`/version/`name`/datetime

The following example policy shows how to give an identity permission to:

Describe all projects.
Create, start, stop, and use a specific model for inference.
Create a project. Create and describe a specific model.
Deny the creation of a specific project.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllResources",
            "Effect": "Allow",
            "Action": "rekognition:DescribeProjects",
            "Resource": "*"
        },
        {
            "Sid": "SpecificProjectVersion",
            "Effect": "Allow",
            "Action": [
                "rekognition:StopProjectVersion",
                "rekognition:StartProjectVersion",
                "rekognition:DetectCustomLabels",
                "rekognition:CreateProjectVersion"
            ],
            "Resource": "arn:aws:rekognition:*:*:project/MyProject/version/MyVersion/*"
       },
        {
            "Sid": "SpecificProject",
            "Effect": "Allow",
            "Action": [
                "rekognition:CreateProject",
                "rekognition:DescribeProjectVersions",
                "rekognition:CreateProjectVersion"
            ],
            "Resource": "arn:aws:rekognition:*:*:project/MyProject/*"
        },
        {
            "Sid": "ExplicitDenyCreateProject",
            "Effect": "Deny",
            "Action": [
                "rekognition:CreateProject"
            ],
            "Resource": ["arn:aws:rekognition:*:*:project/SampleProject/*"]
        }
    ]
}

Securing DetectCustomLabels

The identity used to detect custom labels might be different from the identity that manages Amazon Rekognition Custom Labels models.

You can secure access an identity’s access to DetectCustomLabels by applying a policy to the identity. The following example restricts access to DetectCustomLabels only and to a specific model. The identity doesn’t have access to any of the other Amazon Rekognition operations.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rekognition:DetectCustomLabels"


            ],
            "Resource": "arn:aws:rekognition:*:*:project/MyProject/version/MyVersion/*"
        }
    ]
}

AWS managed policies

We provide the AmazonRekognitionCustomLabelsFullAccess AWS managed policy that you can use to control access to Amazon Rekognition Custom Labels. For more information, see AWS managed policy: AmazonRekognitionCustomLabelsFullAccess.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Analyzing images with an AWS Lambda function

Guidelines and quotas