Amazon Kinesis Streams
Developer Guide

Controlling Access to Amazon Kinesis Streams Resources Using IAM

AWS Identity and Access Management (IAM) enables you to do the following:

  • Create users and groups under your AWS account

  • Assign unique security credentials to each user under your AWS account

  • Control each user's permissions to perform tasks using AWS resources

  • Allow the users in another AWS account to share your AWS resources

  • Create roles for your AWS account and define the users or services that can assume them

  • Use existing identities for your enterprise to grant permissions to perform tasks using AWS resources

By using IAM with Streams, you can control whether users in your organization can perform a task using specific Streams API actions and whether they can use specific AWS resources.

If you are developing an application using the Amazon Kinesis Client Library (KCL), your policy must include permissions for Amazon DynamoDB and Amazon CloudWatch; the KCL uses DynamoDB to track state information for the application, and CloudWatch to publish KCL metrics on your behalf. For more information about the KCL, see Developing Amazon Kinesis Streams Consumers Using the Amazon Kinesis Client Library.

For more information about IAM, see the following:

For more information about IAM and Amazon DynamoDB, see Using IAM to Control Access to Amazon DynamoDB Resources in the Amazon DynamoDB Developer Guide.

For more information about IAM and Amazon CloudWatch, see Controlling User Access to Your AWS Account in the Amazon CloudWatch User Guide.

Policy Syntax

An IAM policy is a JSON document that consists of one or more statements. Each statement is structured as follows:

{
  "Statement":[{
    "Effect":"effect",
    "Action":"action",
    "Resource":"arn",
    "Condition":{
      "condition":{
        "key":"value"
        }
      }
    }
  ]
}

There are various elements that make up a statement:

  • Effect: The effect can be Allow or Deny. By default, IAM users don't have permission to use resources and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny overrides any allows.

  • Action: The action is the specific API action for which you are granting or denying permission.

  • Resource: The resource that's affected by the action. To specify a resource in the statement, you need to use its Amazon Resource Name (ARN).

  • Condition: Conditions are optional. They can be used to control when your policy will be in effect.

As you create and manage IAM policies, you might want to use the AWS Policy Generator and the IAM Policy Simulator.

Actions for Streams

In an IAM policy statement, you can specify any API action from any service that supports IAM. For Streams, use the following prefix with the name of the API action: kinesis:. For example: kinesis:CreateStream, kinesis:ListStreams, and kinesis:DescribeStream.

To specify multiple actions in a single statement, separate them with commas as follows:

"Action": ["kinesis:action1", "kinesis:action2"]

You can also specify multiple actions using wildcards. For example, you can specify all actions whose name begins with the word "Get" as follows:

"Action": "kinesis:Get*"

To specify all Streams operations, use the * wildcard as follows:

"Action": "kinesis:*"

For the complete list of Streams API actions, see the Amazon Kinesis API Reference.

Amazon Resource Names (ARNs) for Streams

Each IAM policy statement applies to the resources that you specify using their ARNs.

Use the following ARN resource format for Amazon Kinesis streams:

"Resource": "arn:aws:kinesis:region:account-id:stream/stream-name"

For example:

"Resource": "arn:aws:kinesis:*:111122223333:stream/my-stream"
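The following Python example is added here and is not part of the AWS guide or AWS's evaluation code: it models how Effect, Action wildcards and Resource ARNs combine into a decision for one request. It assumes a single policy, ignores Condition, and uses a constructed policy with a hypothetical stream name (audit-log).

```python
import re

def _as_list(x):
    return x if isinstance(x, list) else [x]

def wildcard_match(pattern, value, ignore_case=False):
    """Policy-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def evaluate(policy, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # default: every request is denied
    for stmt in _as_list(policy["Statement"]):
        # Action names are compared case-insensitively, ARNs exactly.
        hit = (any(wildcard_match(a, action, ignore_case=True)
                   for a in _as_list(stmt["Action"]))
               and any(wildcard_match(r, resource)
                       for r in _as_list(stmt["Resource"])))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny overrides any allow
        decision = "Allow"         # an explicit allow overrides the default
    return decision

# Constructed sample policy: read access to every stream in the account,
# with one stream (hypothetical name) carved out by an explicit deny.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kinesis:Get*", "kinesis:DescribeStream"],
         "Resource": "arn:aws:kinesis:*:111122223333:stream/*"},
        {"Effect": "Deny",
         "Action": "kinesis:*",
         "Resource": "arn:aws:kinesis:*:111122223333:stream/audit-log"},
    ],
}

if __name__ == "__main__":
    base = "arn:aws:kinesis:us-east-1:111122223333:stream/"
    for act, res in [("kinesis:GetRecords", base + "my-stream"),
                     ("kinesis:PutRecord", base + "my-stream"),
                     ("kinesis:GetRecords", base + "audit-log")]:
        print(act, res, "->", evaluate(POLICY, act, res))
```

The real evaluation also considers conditions and every other policy attached to the caller, so use the IAM Policy Simulator to confirm a production policy.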

Example Policies for Streams

The following example policies demonstrate how you could control user access to your Amazon Kinesis streams.

Example 1: Allow users to get data from a stream

This policy allows a user or group to perform the DescribeStream, ListStreams, GetShardIterator, and GetRecords operations on the specified stream. This policy could be applied to users who should be able to get data from a specific stream.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:Get*"
            ],
            "Resource": [
                "arn:aws:kinesis:us-east-1:111122223333:stream/stream1"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:DescribeStream"
            ],
            "Resource": [
                "arn:aws:kinesis:us-east-1:111122223333:stream/stream1"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:ListStreams"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Example 2: Allow users to add data to any stream in the account

This policy allows a user or group to use the PutRecord operation with any of the account's streams. This policy could be applied to users who should be able to add data records to all streams in an account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:PutRecord"
            ],
            "Resource": [
                "arn:aws:kinesis:us-east-1:111122223333:stream/*"
            ]
        }
    ]
}

Example 3: Allow any Streams action on a specific stream

This policy allows a user or group to use any Streams operation on the specified stream. This policy could be applied to users who should have administrative control over a specific stream.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kinesis:*",
            "Resource": [
                "arn:aws:kinesis:us-east-1:111122223333:stream/stream1"
            ]
        }
    ]
}

Example 4: Allow any Streams action on any stream

This policy allows a user or group to use any Streams operation on any stream in an account. Because this policy grants full access to all your streams, you should restrict it to administrators only.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kinesis:*",
            "Resource": [
                "arn:aws:kinesis:*:111122223333:stream/*"
            ]
        }
    ]
}
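To review policies like Examples 2 through 4 before attaching them, the following Python audit is an added example, not AWS tooling or code from this guide: it reports Allow statements that grant every Streams action, every stream, or both, and catches malformed action strings and ARNs. The finding names, the allow() helper and the sample set are assumptions made for this illustration.

```python
import re

# "service:ActionName", wildcards allowed in the name, no whitespace.
ACTION_RE = re.compile(r"^(\*|[A-Za-z0-9-]+:[A-Za-z0-9*?]+)$")
# arn:aws:kinesis:region:account-id:stream/stream-name
ARN_RE = re.compile(r"^arn:aws:kinesis:[^:]*:[^:]*:stream/(.+)$")

def _as_list(x):
    return x if isinstance(x, list) else [x]

def audit(policy):
    """Return (statement_index, finding) pairs for the Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        any_action = any(a in ("*", "kinesis:*") for a in actions)
        any_stream = False
        for a in actions:
            if not ACTION_RE.match(a):
                findings.append((i, "malformed-action"))
        for r in _as_list(stmt["Resource"]):
            m = ARN_RE.match(r)
            if r == "*" or (m and m.group(1) == "*"):
                any_stream = True
            elif not m:
                findings.append((i, "malformed-arn"))
        if any_action and any_stream:
            findings.append((i, "full-access"))
        elif any_action:
            findings.append((i, "all-actions-on-named-stream"))
        elif any_stream and actions != ["kinesis:ListStreams"]:
            # ListStreams with Resource "*" is the form Example 1 uses.
            findings.append((i, "all-streams"))
    return findings

def allow(action, resource):
    """Build a one-statement Allow policy (helper for the constructed samples)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": action, "Resource": [resource]}]}

STREAM1 = "arn:aws:kinesis:us-east-1:111122223333:stream/stream1"
SAMPLES = {  # constructed from the shapes of Examples 2-4, plus one malformed action
    "example2": allow(["kinesis:PutRecord"], "arn:aws:kinesis:us-east-1:111122223333:stream/*"),
    "example3": allow("kinesis:*", STREAM1),
    "example4": allow("kinesis:*", "arn:aws:kinesis:*:111122223333:stream/*"),
    "typo": allow(["kinesis: Get*"], STREAM1),
}
```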