AWS Encryption SDK
Developer Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

local cache Example AWS CloudFormation Template

This AWS CloudFormation template sets up all the necessary AWS resources to replicate this example.

Parameters: SourceCodeBucket: Type: String Description: S3 bucket containing Lambda source code zip files PythonLambdaS3Key: Type: String Description: S3 key containing Python Lambda source code zip file PythonLambdaObjectVersionId: Type: String Description: S3 version id for S3 key containing Python Lambda source code zip file JavaLambdaS3Key: Type: String Description: S3 key containing Python Lambda source code zip file JavaLambdaObjectVersionId: Type: String Description: S3 version id for S3 key containing Python Lambda source code zip file KeyAliasSuffix: Type: String Description: 'Suffix to use for KMS CMK Alias (ie: alias/<KeyAliasSuffix>)' StreamName: Type: String Description: Name to use for Kinesis Stream Resources: InputStream: Type: AWS::Kinesis::Stream Properties: Name: !Ref StreamName ShardCount: 2 PythonLambdaOutputTable: Type: AWS::DynamoDB::Table Properties: AttributeDefinitions: - AttributeName: id AttributeType: S KeySchema: - AttributeName: id KeyType: HASH ProvisionedThroughput: ReadCapacityUnits: 1 WriteCapacityUnits: 1 PythonLambdaRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Policies: - PolicyName: PythonLambdaAccess PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - dynamodb:DescribeTable - dynamodb:BatchWriteItem Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${PythonLambdaOutputTable} - Effect: Allow Action: - dynamodb:PutItem Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${PythonLambdaOutputTable}* - Effect: Allow Action: - kinesis:GetRecords - kinesis:GetShardIterator - kinesis:DescribeStream - kinesis:ListStreams Resource: !Sub arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${InputStream} PythonLambdaFunction: Type: AWS::Lambda::Function Properties: Description: Python consumer Runtime: python2.7 MemorySize: 512 Timeout: 90 Role: !GetAtt PythonLambdaRole.Arn Handler: aws_crypto_examples.kinesis_datakey_caching.consumer.lambda_handler Code: S3Bucket: !Ref SourceCodeBucket S3Key: !Ref PythonLambdaS3Key S3ObjectVersion: !Ref PythonLambdaObjectVersionId Environment: Variables: TABLE_NAME: !Ref PythonLambdaOutputTable PythonLambdaSourceMapping: Type: AWS::Lambda::EventSourceMapping Properties: BatchSize: 1 Enabled: true EventSourceArn: !Sub arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${InputStream} FunctionName: !Ref PythonLambdaFunction StartingPosition: TRIM_HORIZON JavaLambdaOutputTable: Type: AWS::DynamoDB::Table Properties: AttributeDefinitions: - AttributeName: id AttributeType: S KeySchema: - AttributeName: id KeyType: HASH ProvisionedThroughput: ReadCapacityUnits: 1 WriteCapacityUnits: 1 JavaLambdaRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Policies: - PolicyName: JavaLambdaAccess PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - dynamodb:DescribeTable - dynamodb:BatchWriteItem Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${JavaLambdaOutputTable} - Effect: Allow Action: - dynamodb:PutItem Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${JavaLambdaOutputTable}* - Effect: Allow Action: - kinesis:GetRecords - kinesis:GetShardIterator - kinesis:DescribeStream - kinesis:ListStreams Resource: !Sub arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${InputStream} JavaLambdaFunction: Type: AWS::Lambda::Function Properties: Description: Java consumer Runtime: java8 MemorySize: 512 Timeout: 90 Role: !GetAtt JavaLambdaRole.Arn Handler: com.amazonaws.crypto.examples.kinesisdatakeycaching.LambdaDecryptAndWrite::handleRequest Code: S3Bucket: !Ref SourceCodeBucket S3Key: !Ref JavaLambdaS3Key S3ObjectVersion: !Ref JavaLambdaObjectVersionId Environment: Variables: TABLE_NAME: !Ref JavaLambdaOutputTable CMK_ARN: !GetAtt RegionKinesisCMK.Arn JavaLambdaSourceMapping: Type: AWS::Lambda::EventSourceMapping Properties: BatchSize: 1 Enabled: true EventSourceArn: !Sub arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${InputStream} FunctionName: !Ref JavaLambdaFunction StartingPosition: TRIM_HORIZON RegionKinesisCMK: Type: AWS::KMS::Key Properties: Description: Used to encrypt data passing through Kinesis Stream in this region Enabled: true KeyPolicy: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: !Sub arn:aws:iam::${AWS::AccountId}:root Action: # Data plane actions - kms:Encrypt - kms:GenerateDataKey # Control plane actions - kms:CreateAlias - kms:DeleteAlias - kms:DescribeKey - kms:DisableKey - kms:EnableKey - kms:PutKeyPolicy - kms:ScheduleKeyDeletion - kms:UpdateAlias - kms:UpdateKeyDescription Resource: '*' - Effect: Allow Principal: AWS: - !GetAtt PythonLambdaRole.Arn - !GetAtt JavaLambdaRole.Arn Action: kms:Decrypt Resource: '*' RegionKinesisCMKAlias: Type: AWS::KMS::Alias Properties: AliasName: !Sub alias/${KeyAliasSuffix} TargetKeyId: !Ref RegionKinesisCMK