Step 4: Getting started using the Amazon Rekognition console - Amazon Rekognition

Step 4: Getting started using the Amazon Rekognition console

This section shows you how to use a subset of Amazon Rekognition's capabilities such as object and scene detection, facial analysis, and face comparison in a set of images. For more information, see How Amazon Rekognition works. You can also use the Amazon Rekognition API or AWS CLI to detect objects and scenes, detect faces, and compare and search faces. For more information, see Step 3: Getting started using the AWS CLI and AWS SDK API.

This section also shows you how to see aggregated Amazon CloudWatch metrics for Rekognition by using the Rekognition console.

Set up console permissions

To use the Rekognition console you need to have the appropriate permissions for the role or account accessing the console. For some operations, Rekognition will automatically create an Amazon S3 bucket to store files handled during operation. If you want to store your training files in a bucket other than this console bucket, you will need additional permissions.

Allowing console access

To use the Rekognition console, you can use an IAM policy like the following one, which covers Amazon S3 and the Rekognition console. For information about assigning permissions, see Assigning permissions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "RekognitionFullAccess", "Effect": "Allow", "Action": [ "rekognition:*" ], "Resource": "*" }, { "Sid": "RekognitionConsoleS3BucketSearchAccess", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketAcl", "s3:GetBucketLocation" ], "Resource": "*" }, { "Sid": "RekognitionConsoleS3BucketFirstUseSetupAccess", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration", "s3:PutEncryptionConfiguration", "s3:PutBucketPublicAccessBlock", "s3:PutCors", "s3:GetCors" ], "Resource": "arn:aws:s3:::rekognition-custom-projects-*" }, { "Sid": "RekognitionConsoleS3BucketAccess", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketVersioning" ], "Resource": "arn:aws:s3:::rekognition-custom-projects-*" }, { "Sid": "RekognitionConsoleS3ObjectAccess", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:HeadObject", "s3:DeleteObject", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:GetObjectVersion", "s3:PutObject" ], "Resource": "arn:aws:s3:::rekognition-custom-projects-*/*" }, { "Sid": "RekognitionConsoleManifestAccess", "Effect": "Allow", "Action": [ "groundtruthlabeling:*", ], "Resource": "*" }, { "Sid": "RekognitionConsoleTagSelectorAccess", "Effect": "Allow", "Action": [ "tag:GetTagKeys", "tag:GetTagValues" ], "Resource": "*" }, { "Sid": "RekognitionConsoleKmsKeySelectorAccess", "Effect": "Allow", "Action": [ "kms:ListAliases" ], "Resource": "*" } ] }

Accesssing external Amazon S3 buckets

When you first open the Rekognition console in a new AWS Region, Rekognition creates a bucket (console bucket) that's used to store project files. Alternatively, you can use your own Amazon S3 bucket (external bucket) to upload the images or manifest file to the console. To use an external bucket, add the following policy block to the preceding policy. Replace my-bucket with the name of the bucket.

{ "Sid": "s3ExternalBucketPolicies", "Effect": "Allow", "Action": [ "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:GetObjectTagging", "s3:ListBucket", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::my-bucket*" ] }

Assigning permissions

To provide access, add permissions to your users, groups, or roles: