Sharing access using resource-based policies - Amazon Kinesis Data Streams

Sharing access using resource-based policies

Note

Updating an existing resource-based policy means replacing the existing one, so make sure to include all the necessary information in your new policy.

Sharing access with cross-account AWS Lambda functions

Lambda operator
  1. Go to the IAM console to create an IAM role that will be used as the Lambda execution role for your AWS Lambda function. Add the managed IAM policy AWSLambdaKinesisExecutionRole which has the required Kinesis Data Streams and Lambda invocation permissions. This policy also grants access to all potential Kinesis Data Streams resources you may have access to.

  2. In the AWS Lambda console, create an AWS Lambda function to process records in an Kinesis Data Streams data stream and during the setup for the execution role, choose the role you created in the previous step.

  3. Provide the execution role to the Kinesis Data Streams resource owner for configuring the resource policy.

  4. Finish setting up the Lambda function.

Kinesis Data Streams resource owner
  1. Get the cross-account Lambda execution role that will invoke the Lambda function.

  2. On the Amazon Kinesis Data Streams console, choose the data stream. Choose the Data stream sharing tab and then the Create sharing policy button to start the visual policy editor. To share a registered consumer within a data stream, choose the consumer and then choose Create sharing policy. You can also write the JSON policy directly.

  3. Specify the cross-account Lambda execution role as the principal and the exact Kinesis Data Streams actions you are sharing access to. Make sure to include the action kinesis:DescribeStream. For more information on example resource policies for Kinesis Data Streams, see Example resource-based policies for Kinesis Data Streams.

  4. Choose Create policy or use the PutResourcePolicy to attach the policy to your resource.

Sharing access with cross account KCL consumers

  • If you are using KCL 1.x, ensure you are using KCL 1.15.0 or higher.

  • If you are using KCL 2.x, ensure you are using KCL 2.5.3 or higher.

KCL operator
  1. Provide your IAM user or IAM role that will run the KCL application to the resource owner.

  2. Ask the resource owner for the data stream or consumer ARN.

  3. Ensure that you specify the provided stream ARN as a part of your KCL configuration.

    • For KCL 1.x: use the KinesisClientLibConfiguration constructor and provide the stream ARN.

    • For KCL 2.x: You can provide just the stream ARN or StreamTracker to the Kinesis Client Library ConfigsBuilder. For StreamTracker, provide the stream ARN and creation Epoch from the DynamoDB Lease Table that is generated by the library. If you want to read from a shared registered consumer like Enhanced Fan-Out, use StreamTracker and also provide the consumer ARN.

Kinesis Data Streams resource owner
  1. Get the cross-account IAM user or IAM role that will run the KCL application.

  2. On the Amazon Kinesis Data Streams console, choose the data stream. Choose the Data stream sharing tab and then the Create sharing policy button to start the visual policy editor. To share a registered consumer within a data stream, choose the consumer and then choose Create sharing policy. You can also write the JSON policy directly.

  3. Specify the cross-account KCL application's IAM user or IAM role as the principal and the exact Kinesis Data Streams actions you are sharing access to. For more information on example resource policies for Kinesis Data Streams, see Example resource-based policies for Kinesis Data Streams.

  4. Choose Create policy or use the PutResourcePolicy to attach the policy to your resource.

Sharing access to encrypted data

If you have enabled server-side encryption for a data stream with AWS managed KMS key and want to share access via a resource policy, you must switch to using customer-managed key (CMK). For more information, see What Is Server-Side Encryption for Kinesis Data Streams?. In addition, you must allow your sharing principal entities to have access to your CMK, using KMS cross account sharing capabilities. Make sure to also make the change in the IAM policies for the sharing principal entities. For more information, see Allowing users in other accounts to use a KMS key.