SendSafely

Articles in this section

See more

Actions Library: Rekognition Content Moderation

Follow

Overview

This Action programmatically scans files uploaded to SendSafely for explicit or inappropriate content using AWS Rekognition. When a package is finalized or a file is uploaded to a Workspace, the Action decrypts the file contents, sends supported image and video files to Rekognition for moderation analysis, and returns a verdict indicating whether explicit content was detected.

Rekognition Content Moderation supports the following file types:

  • Images: JPG, JPEG, PNG, GIF, BMP, WEBP
  • Videos: MP4, MOV, AVI

Files with unsupported types will be skipped during scanning and will not cause the Action to fail. If you are triggering this Action off of a Dropzone submission, consider limiting that Dropzone's allowed file types to the list above. 

To request the template for this Action example, reach out to your SendSafely account rep.

Please note that this Action requires access to the contents of SendSafely packages, and thus must be configured with a Master Key or Trusted Device Key.

Setup Instructions

1. Deploy the Lambda

To deploy the Lambda, you'll need the following permissions in AWS:

  • Create a new Lambda Function
  • Create a new AWS Secret (AWS Secrets Manager)
  • Define a custom IAM Role for the Lambda function

Follow these steps:

  1. In AWS, navigate to CloudFormation and click Create stack, then select "With new resources (standard)" from the dropdown.
  2. Under Template source, select "Upload a template file," then click Choose file and select the YAML file provided by your SendSafely account rep.
  3. Click Next. Name the stack, e.g., "RekognitionContentModerationAction," then click Next.
  4. Click the three checkboxes at the bottom of the page, then click Next.
  5. Click Submit.
  6. Wait for the Stack's status to change from "CREATE_IN_PROGRESS" to "CREATE_COMPLETE."

2. Update Secrets Manager

Update the Rekognition_Moderation_Config Secret generated by this deployment. Click on this Secret in Secrets Manager, click Retrieve secret value, and click Edit. Provide the following secret values:

  • ss-host
  • ss-api-key
  • ss-api-secret
  • pk-<ss-public-key-id>. Update the Name of this secret to replace the text '<ss-public-key-id>' with the actual public key ID of your Master Key (the SendSafely Support team will provide you this ID when you submit the public key to them). Update the Value of this secret with the full text of the private key, including the opening and closing tags:
-----BEGIN PGP PRIVATE KEY BLOCK-----
-----END PGP PRIVATE KEY BLOCK-----

For now, leave the last three secret values be and click Save. We'll populate one of them in Step 6.

3. Create a new Workflow

As an admin logged into your SendSafely portal, click the circle containing your initials in the top-right corner of the screen and select SendSafely Actions. Here, click New Workflow.

4. Choose the trigger event

At the time of this writing, the Actions framework supports three trigger events: "A file is uploaded to a Workspace," "A package is finalized," or "A recipient is added to a package." If you wish to perform this Action on both of the first two events, you'll need to go through this process twice, setting up two Workflows: one for each event.

5. Decide whether this Workflow will apply to a specific user's packages (Optional)

This Workflow, by default, will apply to all packages portal-wide. To limit its scope to packages owned by a specific user:

  1. Click the plus button and select Add an Event Filter.
  2. From the Criteria dropdown, select Package Owner Email.
  3. From the Operator dropdown, select equals.
  4. In the Value input, type the email of the user in question and click Save.

6. Add the Actions

Three Actions comprise this Workflow. We will add them one at a time.

Action 1.

First, we'll block the package or file, preventing your recipients from accessing, deleting, or modifying it while the scan is in progress.

  1. Click the plus button and select Add an Action.
  2. From the Action dropdown, select Block Package (or, if the trigger event is "A file is uploaded to a Workspace," Block File).
  3. From the Notification dropdown, select Notify on Error or Timeout.

Action 2.

Next, we'll invoke the webhook of the Lambda, which will use the Master Key or Trusted Device Key to decrypt the package or file's contents, send supported files to Rekognition for content moderation, and return a verdict.

  1. Click the plus button and select Add another Action.
  2. From the Action dropdown, select Invoke an External Webhook.
  3. From the Notification dropdown, select Notify on False, or Timeout.
  4. Retrieve the WebhookUrl from the Outputs tab of the Stack in CloudFormation, then paste it into the input in SendSafely and click Save.
  5. Click the text that says "Click here to view the action secret," then click Copy.
  6. In AWS Secrets Manager, click into the "Rekognition_Moderation_Config" Secret.
  7. Click Retrieve secret value, then click Edit.
  8. Paste the action secret into the value for action-secret-id-<actionId-finalize-package> (if the trigger event was "A package is finalized.") or for action-secret-id-<actionId-workspace-upload> (if the trigger event was "A file is uploaded to a Workspace"). Replace the <actionId-finalize-package> or <actionId-workspace-package> placeholder in the key with the Action ID, then click Save.

Action 3.

Last, we'll unblock the package or file if no explicit content was detected, rendering its contents available to recipients.

  1. Click the plus button and select Add another Action.
  2. From the Action dropdown, select Unblock Package (or, if the trigger event is "A file is uploaded to a Workspace," Unblock File).
  3. From the Notification dropdown, select Notify on Error or Timeout.

Add Action Filter.

We'll now add an Action Filter to this 3rd Action, so that it only runs if the 2nd Action returns True (i.e., the content passed moderation). Packages with no explicit content detected will be unblocked, whereas packages that failed moderation will remain blocked.

  1. Click Add Action Filter.
  2. From the Criteria dropdown, select Action Step 2 Result.
  3. From the Operator dropdown, select Equals.
  4. From the Value dropdown, select True.

Action 4 (Optional).

If explicit content is detected, you may wish to delete that package automatically.

  1. Click the plus button and select Add another Action.
  2. From the Action dropdown, select Delete Package (or, if the trigger event is "A file is uploaded to a Workspace," Delete File).
  3. From the Notification dropdown, select Notify on Error or Timeout.

Add Action Filter.

We'll now add an Action Filter to this 4th Action, so that it only runs if the 2nd Action returns False (i.e., explicit content was detected).

  1. Click Add Action Filter.
  2. From the Criteria dropdown, select Action Step 2 Result.
  3. From the Operator dropdown, select Equals.
  4. From the Value dropdown, select False.

7. Activate the Workflow

Hover over the "New Workflow" text at the top of the page, then click the pencil icon and give the Action a descriptive name, such as "Rekognition Content Moderation." Then click the toggle next to the text "Disabled" to enable the Action. The text will change from "Disabled" to "Live."

8. Test the Workflow

Now that we've activated the Workflow, let's trigger it. If the triggering event is "A package is finalized," we'll make a Dropzone submission or create a Transfer package. If the triggering event is "A file is uploaded to a Workspace," we'll upload a file to a Workspace.

If the scan detects explicit content, the package or file will remain blocked—or be deleted, if you configured Action 4. If no explicit content is detected, the package or file will be unblocked.

Comments

0 comments

Please sign in to leave a comment.