Amazon Kinesis Streams
Developer Guide

Step 2: Create IAM Policy and User

Security best practices for AWS dictate the use of fine-grained permissions to control access to different resources. AWS Identity and Access Management allows you to manage users and user permissions in AWS. An IAM policy explicitly lists actions which are allowed and the resources on which the actions are applicable.

The following are the minimum permissions generally required for a Streams producer and consumer.

Producer

    Actions: DescribeStream
    Resource: Amazon Kinesis stream
    Purpose: Before attempting to write records, the producer should check if the stream exists and is active.

    Actions: PutRecord, PutRecords
    Resource: Amazon Kinesis stream
    Purpose: Write records to Streams.

Consumer

    Actions: DescribeStream
    Resource: Amazon Kinesis stream
    Purpose: Before attempting to read records, the consumer checks if the stream exists and is active, and if the shards are contained in the stream.

    Actions: GetRecords, GetShardIterator
    Resource: Amazon Kinesis stream
    Purpose: Read records from a Streams shard.

    Actions: CreateTable, DescribeTable, GetItem, PutItem, Scan, UpdateItem
    Resource: Amazon DynamoDB table
    Purpose: If the consumer is developed using the Kinesis Client Library (KCL), it needs permissions to a DynamoDB table to track the processing state of the application. The first consumer started creates the table.

    Actions: DeleteItem
    Resource: Amazon DynamoDB table
    Purpose: For when the consumer performs split/merge operations on Streams shards.

    Actions: PutMetricData
    Resource: Amazon CloudWatch log
    Purpose: The KCL also uploads metrics to CloudWatch, which are useful for monitoring the application.

For this application, you create a single IAM policy that grants all of the above permissions. In practice, you might want to consider creating two policies, one for producers and one for consumers, so that each principal holds only the actions its role needs. The policies you set up here are reusable in subsequent learning modules in this series.

To create an IAM policy

  1. Determine the Amazon Resource Name (ARN) for the new stream. The ARN format is as follows:

    arn:aws:kinesis:region:account:stream/name
    region

    The region code; for example, us-west-2. For more information, see Region and Availability Zone Concepts.

    account

    The AWS account ID, as shown in Account Settings.

    name

    The name of the stream from Step 1: Create a Stream, which is StockTradeStream.

  2. Determine the ARN for the DynamoDB table to be used by the consumer (and created by the first consumer instance). It should be in the following format:

    arn:aws:dynamodb:region:account:table/name

    The region and account are from the same place as the previous step, but this time name is the name of the table created and used by the consumer application. The KCL used by the consumer uses the application name as the table name. Use StockTradesProcessor, which is the application name used later.

  3. In the IAM console, from Policies (https://console.aws.amazon.com/iam/home#policies), choose Create Policy. If this is the first time you have worked with IAM policies, choose Get Started, Create Policy.

  4. Choose Select next to Policy Generator.

  5. Choose Amazon Kinesis as the AWS service.

  6. Select DescribeStream, GetShardIterator, GetRecords, PutRecord, and PutRecords as the allowed actions.

  7. Type the ARN that you created in Step 1.

  8. Use Add Statement for each of the following:

    AWS service: Amazon DynamoDB
    Actions: CreateTable, DeleteItem, DescribeTable, GetItem, PutItem, Scan, UpdateItem
    ARN: The ARN you created in Step 2

    AWS service: Amazon CloudWatch
    Actions: PutMetricData
    ARN: *

    The asterisk (*) is used when specifying an ARN is not required. In this case, it's because there is no specific resource in CloudWatch on which the PutMetricData action is invoked.

  9. Choose Next Step.

  10. Change Policy Name to StockTradeStreamPolicy, review the code, and choose Create Policy.

The resulting policy document should look something like the following. Note that the DynamoDB statement in this sample uses the dynamodb:* wildcard; if you selected only the actions listed in step 8, your policy lists those actions explicitly instead, which is the tighter grant.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt123",
      "Effect": "Allow",
      "Action": [
        "kinesis:DescribeStream",
        "kinesis:PutRecord",
        "kinesis:PutRecords",
        "kinesis:GetShardIterator",
        "kinesis:GetRecords"
      ],
      "Resource": [
        "arn:aws:kinesis:us-west-2:123:stream/StockTradeStream"
      ]
    },
    {
      "Sid": "Stmt456",
      "Effect": "Allow",
      "Action": [
        "dynamodb:*"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-west-2:123:table/StockTradesProcessor"
      ]
    },
    {
      "Sid": "Stmt789",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
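The following is an added example, not code from the Kinesis developer guide. It builds the two separate policies the text suggests (one for the producer, one for the consumer) from the action tables above, and lints a policy document for grants that are broader than those tables require, such as the dynamodb:* wildcard in the sample policy. The region, account ID and names are the guide's placeholder values; the Sid strings in the generated policies are constructed here.

```python
"""Build least-privilege policies for the StockTrade producer and consumer
and lint a policy document for over-broad Allow statements.

Added example; not part of the Kinesis developer guide. Region, account ID
and names below are the guide's placeholders (account "123" is a sample)."""
import json

# Minimum actions, taken from the producer and consumer tables in the guide.
PRODUCER_KINESIS_ACTIONS = ["kinesis:DescribeStream", "kinesis:PutRecord", "kinesis:PutRecords"]
CONSUMER_KINESIS_ACTIONS = ["kinesis:DescribeStream", "kinesis:GetShardIterator", "kinesis:GetRecords"]
CONSUMER_DYNAMODB_ACTIONS = [
    "dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem",
    "dynamodb:Scan", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
]
CONSUMER_CLOUDWATCH_ACTIONS = ["cloudwatch:PutMetricData"]


def stream_arn(region, account, name):
    return f"arn:aws:kinesis:{region}:{account}:stream/{name}"


def table_arn(region, account, name):
    return f"arn:aws:dynamodb:{region}:{account}:table/{name}"


def producer_policy(region, account, stream):
    """Producer needs only DescribeStream and the Put actions on one stream."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ProducerKinesis", "Effect": "Allow",
         "Action": PRODUCER_KINESIS_ACTIONS, "Resource": [stream_arn(region, account, stream)]},
    ]}


def consumer_policy(region, account, stream, app_name):
    """Consumer reads one stream, owns the KCL lease table (named after the
    application), and publishes metrics. PutMetricData has no resource-level
    scope, so "*" is the only possible Resource for that statement."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ConsumerKinesis", "Effect": "Allow",
         "Action": CONSUMER_KINESIS_ACTIONS, "Resource": [stream_arn(region, account, stream)]},
        {"Sid": "ConsumerLeaseTable", "Effect": "Allow",
         "Action": CONSUMER_DYNAMODB_ACTIONS, "Resource": [table_arn(region, account, app_name)]},
        {"Sid": "ConsumerMetrics", "Effect": "Allow",
         "Action": CONSUMER_CLOUDWATCH_ACTIONS, "Resource": ["*"]},
    ]}


def lint_policy(policy):
    """Return findings for Allow statements broader than the tables require:
    wildcard actions, or Resource "*" on a service that supports resource-level
    permissions here (Kinesis, DynamoDB). Empty list means no finding."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action!r}; list the specific actions instead")
        scoped = sorted({a.split(":")[0] for a in actions if a.split(":")[0] in ("kinesis", "dynamodb")})
        if scoped and "*" in resources:
            findings.append(f"{sid}: Resource '*' for {scoped}; scope it to the stream/table ARN")
    return findings


# The sample policy from the guide, reproduced for linting.
GUIDE_SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Stmt123", "Effect": "Allow",
     "Action": ["kinesis:DescribeStream", "kinesis:PutRecord", "kinesis:PutRecords",
                "kinesis:GetShardIterator", "kinesis:GetRecords"],
     "Resource": ["arn:aws:kinesis:us-west-2:123:stream/StockTradeStream"]},
    {"Sid": "Stmt456", "Effect": "Allow", "Action": ["dynamodb:*"],
     "Resource": ["arn:aws:dynamodb:us-west-2:123:table/StockTradesProcessor"]},
    {"Sid": "Stmt789", "Effect": "Allow", "Action": ["cloudwatch:PutMetricData"], "Resource": ["*"]}
  ]
}""")

if __name__ == "__main__":
    print(json.dumps(producer_policy("us-west-2", "123", "StockTradeStream"), indent=2))
    print(json.dumps(consumer_policy("us-west-2", "123", "StockTradeStream", "StockTradesProcessor"), indent=2))
    for finding in lint_policy(GUIDE_SAMPLE_POLICY):
        print("FINDING:", finding)
```

Run against the guide's sample, the linter reports only Stmt456 (the dynamodb:* wildcard); the two generated policies produce no findings, and the CloudWatch statement's Resource "*" is accepted because PutMetricData cannot be scoped to a resource ARN.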

To create an IAM user

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. On the Users page, choose Create New Users.

  3. Type StockTradeStreamUser and choose Create.

  4. Expand Show User Security Credentials and save the access and secret keys to a local file in a safe place that only you can access. For this application, create a file named ~/.aws/credentials (with strict permissions). The file should be in the following format:

    [default]
    aws_access_key_id=access key
    aws_secret_access_key=secret access key

    The [default] section header is required: the AWS SDKs read the keys from a named profile, and default is the profile used when none is specified.

To attach an IAM policy to a user

  1. In the IAM console, open Policies and choose Policy Actions.

  2. Choose StockTradeStreamPolicy and Attach.

  3. Choose StockTradeStreamUser and Attach Policy.