AWS for Industries

FSI Services Spotlight: Featuring Amazon Rekognition

Welcome to the Financial Services Industry (FSI) Service Spotlight monthly blog series. Each month, we look at five key considerations that FSI customers should focus on to help streamline cloud service approval for one particular service. Each of the five key considerations includes specific guidance, suggested reference architectures, and technical code that can be used to streamline service approval for the featured service.

This month, we are covering Amazon Rekognition. Amazon Rekognition is a computer vision service that adds robust visual analysis to applications powered by Machine Learning (ML). With Amazon Rekognition, customers can use pre-trained or customizable computer vision models and integrate with enterprise applications using an API interface to extract information and insights from images and videos. Being a fully managed service, it scales up and down based on business needs, and customers only pay for the analyzed images and videos.

Customers face challenges around training models at scale, which leads to a financial burden with a large amount of human labor and technology costs. Amazon Rekognition helps enterprises reduce operational costs with pre-built and pre-trained computer vision models requiring no ML expertise. Amazon Rekognition models can also be trained on a small set of labeled images specific to the business need for a customer use case.

Additionally, Amazon Rekognition provides APIs for several other capabilities that are relevant to FSI enterprises:

  1. Compare faces for similarity using the CompareFaces API. This can verify a person’s identity when communicating with a customer or prospective customer.
  2. Face Search uses an input face to search for similar matches in a collection of stored faces.
  3. Face liveness helps you verify that only real users can access your services, not bad actors using spoofing.
  4. Text detection allows Amazon Rekognition to detect and convert text in images and videos into machine-readable text for various use cases, like extracting key pieces of text on an identification card.

Figure 1: How Amazon Rekognition Face Liveness works

Customers of all sizes use Amazon Rekognition to run computer vision at scale. Lenme, a subscription-based service, uses AWS services, and in particular the Amazon Rekognition identity verification APIs, to verify customers accurately, greatly simplifying a customer acquisition and verification process that had previously been both costly and risky. State Automobile Mutual Insurance Company (State Auto) has automated its property inspection process with Amazon Rekognition. Space Neobank, a digital, cloud-only bank created by Georgia’s TBC Bank, uses Amazon Rekognition image analysis to compare customers’ selfies with identification documents, such as their passports, during onboarding.

Achieving Compliance with Amazon Rekognition

Amazon Rekognition is an AWS-managed service, and third-party auditors regularly assess its security and compliance as part of multiple AWS compliance programs. Under the AWS shared responsibility model, Amazon Rekognition is in scope for the following compliance programs. You can obtain the corresponding compliance reports under an AWS non-disclosure agreement (NDA) through AWS Artifact. It is essential to understand that the compliance status of Amazon Rekognition does not automatically apply to the applications you run in the AWS Cloud; you still need to ensure that your use of AWS services complies with the relevant standards.

  • SOC 1, 2, 3
  • PCI
  • CSA STAR CCM v3.0.1
  • ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 9001:2015, and CSA STAR CCM v4.0
  • ISMAP
  • FedRAMP (Moderate and High)
  • DoD CC SRG (IL2-IL5)
  • HIPAA
  • IRAP
  • MTCS (Regions: US-East, US-West, Singapore, Seoul)
  • C5
  • K-ISMS
  • ENS High
  • OSPAR
  • HITRUST CSF
  • FINMA
  • GSMA (Regions: US-East (Ohio) and Europe (Paris))
  • Pinakes
  • PiTuKri
  • CCCS Medium

Your scope of the shared responsibility model when using Amazon Rekognition is determined by the sensitivity of your data, your organization’s compliance objectives, and applicable laws and regulations. AWS provides several resources for compliance validation.

Data Protection with Amazon Rekognition

The AWS shared responsibility model applies to data protection in Amazon Rekognition. As described in this model, AWS protects the global infrastructure that runs the entire AWS Cloud. You are responsible for maintaining control over the content hosted on this infrastructure. This content includes the security configuration and management tasks for your AWS services. We recommend never putting confidential or sensitive information, such as your customers’ email addresses, into tags or free-form text fields such as a Name. Any data you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs.

We implement appropriate and sophisticated technical and physical controls, including encryption at rest and in transit, designed to prevent unauthorized access to or disclosure of your content and ensure that our use complies with our commitments to you.

Encryption

Amazon Rekognition API endpoints only support secure connections over HTTPS. All communication is encrypted with Transport Layer Security (TLS).

  • Images passed to Amazon Rekognition API operations may be stored and used to improve the service unless you have opted out by visiting the AI services opt-out policy page and following the process explained there. The stored images are encrypted at rest in Amazon Simple Storage Service (Amazon S3) using AWS Key Management Service (AWS KMS).
  • To analyze a video, Amazon Rekognition copies your videos into the service for processing. The videos are encrypted at rest (Amazon S3) using AWS KMS. The video may be stored and used to improve the service unless you have opted out by following the process outlined in the AI services opt-out policy page.
  • To train your model, Amazon Rekognition Custom Labels makes a copy of your source training and test images. The copied images are encrypted at rest in Amazon Simple Storage Service (S3) using server-side encryption with an AWS KMS key that you provide or an AWS-managed KMS key. Amazon Rekognition Custom Labels only supports symmetric KMS keys. Your source images are unaffected. Also, all session-related data stored in the Rekognition Face Liveness service’s account is fully encrypted at rest.

Key Management

You can use AWS Key Management Service (AWS KMS) to manage the keys for the input images and videos you store in Amazon S3 buckets. The CreateFaceLivenessSession API takes an optional KmsKeyId parameter, in which you can provide the ID of a KMS key you have created in your account. That key is used to encrypt the reference and audit images captured during the StartFaceLivenessSession API call, and GetFaceLivenessSessionResults decrypts the images with the same key before returning the results. We recommend enabling server-side encryption with a customer-managed key on your Amazon S3 buckets to keep the data encrypted at rest.

Isolation of environments with Amazon Rekognition

Amazon Rekognition can analyze images stored in customer-owned buckets in Amazon S3 or passed into the API calls as a range of bytes. Similarly, for videos, Amazon Rekognition supports analysis of stored video files from a customer-owned S3 bucket or streaming videos from Amazon Kinesis Video Stream, which is a service that securely streams videos from connected devices to AWS for analytics, machine learning (ML), playback, and other processing.

Amazon Rekognition may store and use image and video inputs processed by the service solely to provide and maintain the service and, unless you opt out via the AI services opt-out policy noted above, to improve and develop the quality of Amazon Rekognition and other Amazon machine-learning/artificial intelligence technologies. Use of your content is essential for continuously improving the Amazon Rekognition customer experience, including developing and training related technologies. AWS does not use any personally identifiable information that may be contained in your content to target products, services, or marketing to you or your end users. Organizations can request the deletion of all images and videos that Amazon Rekognition has stored from user inputs in their AWS accounts by contacting AWS Support.

Automating audits with APIs with Amazon Rekognition

AWS CloudTrail captures all API calls for Amazon Rekognition as events. To learn more about CloudTrail, see the AWS CloudTrail User Guide. Using the information collected by CloudTrail, you can determine the request that was made to Amazon Rekognition, the IP address from which it was made, who made it, when it was made, and additional details. Every event or log entry contains information about who generated the request.

The following example shows a CloudTrail log entry with actions for the StartLabelDetection API call.

{
  "Records": [
    {
      "eventVersion": "1.05",
      "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AIDAJ45Q7YFFAREXAMPLE",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/JorgeSouza",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
          "sessionIssuer": {
            "type": "Role",
            "principalId": "AIDAJ45Q7YFFAREXAMPLE",
            "arn": "arn:aws:iam::111122223333:role/Admin",
            "accountId": "111122223333",
            "userName": "Admin"
          },
          "webIdFederationData": {},
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2020-06-30T20:10:09Z"
          }
        }
      },
      "eventTime": "2020-06-30T20:42:14Z",
      "eventSource": "rekognition.amazonaws.com",
      "eventName": "StartLabelDetection",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "aws-cli/3",
      "requestParameters": {
        "video": {
          "s3Object": {
            "bucket": "my-bucket",
            "name": "my-video.mp4"
          }
        }
      },
      "responseElements": {
        "jobId": "653de5a7ee03bd5083edde98ea8fce5794fcea66d077bdd4cfb39d71aff8fc25"
      },
      "requestID": "dfcef8fc-479c-4c25-bef0-d83a7f9a7240",
      "eventID": "b602e460-c134-4ecb-ae78-6d383720f29d",
      "readOnly": false,
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    }
  ]
}
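A CloudTrail entry like the one above is only useful for audit automation if something reads it. The following is an added example, not code from the AWS post or from the Rekognition service: a small Python detector that parses CloudTrail records of that shape and raises findings a security operations team would review: calls issued by a role outside an approved set, calls from a source address outside an approved CIDR, and non-read-only Rekognition operations made from a session without MFA. The approved CIDR, the approved role ARN, the `_record` builder and the second and third records in `SAMPLE_TRAIL` are constructed for this example; the first record mirrors the StartLabelDetection entry shown above.

```python
import ipaddress
import json

# Constructed expectations for this example: where approved Rekognition callers
# come from and which roles are permitted to call the service at all.
ALLOWED_SOURCE_CIDRS = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_ROLE_ARNS = {"arn:aws:iam::111122223333:role/Admin"}

# Fallback name heuristic for records that lack CloudTrail's readOnly flag:
# operations that start video jobs or change collections, projects or processors.
MUTATING_PREFIXES = ("Start", "Create", "Delete", "Index", "Copy",
                     "Put", "Tag", "Untag", "Associate", "Disassociate")


def _record(event_id, name, role_arn, ip, mfa, read_only):
    """Build a CloudTrail-shaped record (constructed input for this example)."""
    return {
        "eventSource": "rekognition.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "eventID": event_id,
        "readOnly": read_only,
        "userIdentity": {
            "type": "AssumedRole",
            "sessionContext": {
                "sessionIssuer": {"type": "Role", "arn": role_arn},
                "attributes": {"mfaAuthenticated": "true" if mfa else "false"},
            },
        },
    }


# Constructed sample trail in the same shape as a CloudTrail log file body.
SAMPLE_TRAIL = json.dumps({"Records": [
    # mirrors the StartLabelDetection entry shown in the post
    _record("b602e460-c134-4ecb-ae78-6d383720f29d", "StartLabelDetection",
            "arn:aws:iam::111122223333:role/Admin", "192.0.2.0", False, False),
    # constructed: collection write from an unapproved role and address
    _record("constructed-0002", "IndexFaces",
            "arn:aws:iam::111122223333:role/DataScience", "198.51.100.7", False, False),
    # constructed: read-only call from an approved, MFA-backed session
    _record("constructed-0003", "DetectFaces",
            "arn:aws:iam::111122223333:role/Admin", "192.0.2.44", True, True),
]})


def issuer_role_arn(identity):
    """Role ARN that issued an assumed-role session (None for other identity types)."""
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


def mfa_authenticated(identity):
    """CloudTrail records the MFA flag as the string "true" or "false"."""
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def ip_allowed(addr):
    """True when the caller address falls inside an approved CIDR."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # e.g. "AWS Internal" or a service DNS name
        return False
    return any(ip in net for net in ALLOWED_SOURCE_CIDRS)


def is_mutating(rec):
    """Prefer CloudTrail's own readOnly flag; fall back to the name heuristic."""
    if "readOnly" in rec:
        return rec["readOnly"] is False
    return rec.get("eventName", "").startswith(MUTATING_PREFIXES)


def analyze_record(rec):
    """Return (finding, eventName) pairs for one record; [] if nothing is notable."""
    if rec.get("eventSource") != "rekognition.amazonaws.com":
        return []
    name = rec.get("eventName", "")
    identity = rec.get("userIdentity", {})
    findings = []
    if issuer_role_arn(identity) not in ALLOWED_ROLE_ARNS:
        findings.append(("unexpected-role", name))
    if not ip_allowed(rec.get("sourceIPAddress", "")):
        findings.append(("source-ip-outside-allowlist", name))
    if is_mutating(rec) and not mfa_authenticated(identity):
        findings.append(("mutating-call-without-mfa", name))
    return findings


def analyze_trail(raw_json):
    """Analyze a CloudTrail log file body; returns {eventID: findings} for hits only."""
    hits = {}
    for rec in json.loads(raw_json)["Records"]:
        findings = analyze_record(rec)
        if findings:
            hits[rec["eventID"]] = findings
    return hits
```

Running `analyze_trail(SAMPLE_TRAIL)` flags the post's own entry once (a StartLabelDetection job from a session whose `mfaAuthenticated` is `"false"`) and the constructed IndexFaces call three times, while the approved DetectFaces call produces nothing. In production the same function would be fed the gzipped JSON objects CloudTrail delivers to S3, or run inside a Lambda function subscribed to the trail, and the allow-lists would come from configuration rather than constants.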

In addition, with Amazon CloudWatch, you can get metrics for your account’s individual Rekognition operations or global Rekognition metrics. You can use metrics to track the health of your Rekognition-based solution. For example, you can view metrics for the number of server errors, the number of faces detected, the number of times a specific Rekognition operation has succeeded, and more. You can view metrics using CloudWatch, the AWS Command Line Interface (AWS CLI), or the CloudWatch API. You can also view aggregated metrics for a chosen period by using the Rekognition console. For more information, see Exercise 4: See aggregated metrics (console).

Access control and security with Amazon Rekognition

Controlling access to Amazon Rekognition involves using AWS Identity and Access Management (IAM) to create policies that provide fine-grained access control based on the principle of least privilege, a security best practice. Different enterprise roles are involved. Typically, service administrators who have full access to the service determine the minimum level of permissions specific users and/or applications need to access Amazon Rekognition and work with IAM administrators to adjust these permissions. IAM permissions can be enforced using:

  • Amazon Rekognition identity-based policies specify Allow or Deny actions on resources under certain conditions. They can be applied to IAM principals (users, groups, or roles) to enforce the controls.

The following example shows an identity-based policy that grants read-only access to Amazon Rekognition resources.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rekognition:CompareFaces",
        "rekognition:DetectFaces",
        "rekognition:DetectLabels",
        "rekognition:ListCollections",
        "rekognition:ListFaces",
        "rekognition:SearchFaces",
        "rekognition:SearchFacesByImage",
        "rekognition:DetectText",
        "rekognition:GetCelebrityInfo",
        "rekognition:RecognizeCelebrities",
        "rekognition:DetectModerationLabels",
        "rekognition:GetLabelDetection",
        "rekognition:GetFaceDetection",
        "rekognition:GetContentModeration",
        "rekognition:GetPersonTracking",
        "rekognition:GetCelebrityRecognition",
        "rekognition:GetFaceSearch",
        "rekognition:GetTextDetection",
        "rekognition:GetSegmentDetection",
        "rekognition:DescribeStreamProcessor",
        "rekognition:ListStreamProcessors",
        "rekognition:DescribeProjects",
        "rekognition:DescribeProjectVersions",
        "rekognition:DetectCustomLabels",
        "rekognition:DetectProtectiveEquipment",
        "rekognition:ListTagsForResource",
        "rekognition:ListDatasetEntries",
        "rekognition:ListDatasetLabels",
        "rekognition:DescribeDataset"
      ],
      "Resource": "*"
    }
  ]
}

The example below shows how you might create a policy allowing IAM users to view the inline and managed policies attached to their user identity. This policy includes permission to complete this action on the console or programmatically using the AWS CLI or AWS API.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ViewOwnUserInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetUserPolicy",
        "iam:ListGroupsForUser",
        "iam:ListAttachedUserPolicies",
        "iam:ListUserPolicies",
        "iam:GetUser"
      ],
      "Resource": ["arn:aws:iam::*:user/${aws:username}"]
    },
    {
      "Sid": "NavigateInConsole",
      "Effect": "Allow",
      "Action": [
        "iam:GetGroupPolicy",
        "iam:GetPolicyVersion",
        "iam:GetPolicy",
        "iam:ListAttachedGroupPolicies",
        "iam:ListGroupPolicies",
        "iam:ListPolicyVersions",
        "iam:ListPolicies",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
  • Amazon Rekognition resource-based policies: Amazon Rekognition Custom Labels uses resource-based policies, called project policies, to manage Allow or Deny permissions to copy a model version from a source project to a destination project. You need a project policy if the destination project is in a different AWS account or if you want to restrict access within an AWS account. For example, you might want to Deny copy permissions to a specific IAM role. For more information, see Copying a Model.
    • The following example allows the principal arn:aws:iam::111111111111:role/Admin to copy the model version:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/Admin"
      },
      "Action": "rekognition:CopyProjectVersion",
      "Resource": "arn:aws:rekognition:us-east-1:111111111111:project/my_project/version/test_1/1627045542080"
    }
  ]
}
  • Amazon Rekognition IAM roles: An IAM role is an entity in your AWS account with permission to perform specific tasks on specific resources. When an IAM role is assumed, temporary security credentials are obtained by calling AWS STS API operations such as AssumeRole or GetFederationToken.

AWS PrivateLink lets you privately access Amazon Rekognition API operations without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don’t need public IP addresses to reach Amazon Rekognition API endpoints, whether for image and video analysis or for any other available Rekognition API operation. Traffic between your VPC and Amazon Rekognition doesn’t leave the Amazon network.

Additionally, customers can improve their security posture by attaching a least-privilege endpoint policy to the VPC endpoint that controls access to Amazon Rekognition. Together, these features let customers restrict API calls to Rekognition to specific caller contexts (for example, by IP range filtering). The following example policy allows users to connect to Amazon Rekognition through the VPC endpoint and call only the DetectFaces API operation; it prevents users from performing any other Amazon Rekognition API operation through this endpoint.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rekognition:DetectFaces"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Principal": "*"
    }
  ]
}
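The VPC endpoint policy above, and the read-only identity policy earlier in this section, are easiest to review when you can ask the document directly whether it allows a given action. The following is an added example, not code from the AWS post or from IAM itself: a minimal Python evaluator that applies the documented IAM decision order for a single policy document (an explicit Deny overrides any Allow, and anything not allowed is implicitly denied), with `*` and `?` wildcard matching on action names, plus a small linter for statement shapes that IAM rejects or that undercut least privilege. `ENDPOINT_POLICY` is the endpoint policy shown above; `SCOPED_POLICY` and `BAD_POLICY` are constructed for this example. The evaluator deliberately ignores Principal and Condition, handles only one document, and matches resources only on `*` or an exact ARN string, so treat it as a pre-review sanity check rather than a substitute for the IAM policy simulator.

```python
import fnmatch
import json

# The VPC endpoint policy from the post: only DetectFaces may cross this endpoint.
ENDPOINT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["rekognition:DetectFaces"],
        "Resource": "*",
        "Effect": "Allow",
        "Principal": "*",
    }],
})

# Constructed: a broad read-only grant with one action explicitly carved out.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["rekognition:Detect*", "rekognition:Get*", "rekognition:List*"]},
        {"Effect": "Deny", "Resource": "*", "Action": "rekognition:GetCelebrityInfo"},
    ],
})

# Constructed: two statement shapes a reviewer should send back.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "rekognition:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:ListUsers", "Resource": ""},
    ],
})


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action matching is case-insensitive and supports '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    """Simplified: '*' or an exact ARN string (no partial ARN wildcards here)."""
    return any(p == "*" or p == resource for p in _as_list(patterns))


def evaluate(policy_json, action, resource="*"):
    """Decide one action/resource pair: 'allow', 'explicit-deny' or 'implicit-deny'."""
    decision = "implicit-deny"
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if not _action_matches(stmt.get("Action"), action):
            continue
        if not _resource_matches(stmt.get("Resource"), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicit-deny"  # an explicit Deny overrides any Allow
        decision = "allow"
    return decision


def allowed_actions(policy_json, candidates):
    """Filter candidate API actions down to those the policy permits."""
    return [a for a in candidates if evaluate(policy_json, a) == "allow"]


def lint_policy(policy_json):
    """Flag statements IAM will reject or that grant a whole service on everything."""
    issues = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if not resources or "" in resources:
            issues.append((i, "empty-or-missing-resource"))
        if (stmt.get("Effect") == "Allow" and "*" in resources
                and any(a in ("*", "rekognition:*") for a in actions)):
            issues.append((i, "service-wide-allow-on-all-resources"))
    return issues
```

With these inputs, `evaluate(ENDPOINT_POLICY, "rekognition:DetectLabels")` returns `"implicit-deny"`, which is exactly the behaviour the endpoint policy is meant to enforce, and `evaluate(SCOPED_POLICY, "rekognition:GetCelebrityInfo")` returns `"explicit-deny"` even though the `Get*` wildcard would otherwise allow it. A useful workflow is to pass the list of actions a workload was actually observed calling in CloudTrail to `allowed_actions` and compare the result with the grant; anything granted but never observed is a candidate for removal.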

Conclusion

In this post, we reviewed Amazon Rekognition. We highlighted vital information that can help FSI customers accelerate the approval of the service within these five categories: achieving compliance, data protection, isolation of compute environments, automating audits with APIs, and operational access and security. While not a one-size-fits-all approach, the guidance can be adapted to meet your organization’s security and compliance requirements and provide a consolidated list of crucial areas for Amazon Rekognition.

In the meantime, visit our AWS Financial Services Industry blog channel and stay tuned for more financial services news and best practices.

Sayan Chakraborty

Sayan is a Sr. Solutions Architect at AWS. He helps large enterprises build secure, scalable, and performant solutions in the AWS Cloud. With a background of Enterprise and Technology Architecture, he has experience delivering large scale digital transformation programs across a wide range of industry verticals. He holds a B. Tech. degree in Computer Engineering from Manipal University, Sikkim, India.

Guillermo Tantachuco

Guillermo Tantachuco is a Principal Solutions Architect at AWS, where he works with Financial Services customers on all aspects of software delivery and internet-scale systems, including application and data architecture, DevOps, defense in-depth, and fault tolerance. Since 2011, he has led the delivery of cloud-native and digital transformation initiatives at Fortune 500 and global organizations. He is passionate about family, business, technology, and soccer.