IAM Role Policy for Kinesis “Enhanced Fan-Out” Consumers

When switching to version 2 of the KCL Java library and using the “Enhanced Fan-Out” consumer mode, it was difficult to determine the appropriate IAM policy because the AWS documentation did not mention any differences between the old consumer and the new consumer. However, by trial and error, a policy like the one below (though with your own account id) may be reasonable. Of course, you could also split out specific actions to more specific resources, but this is a reasonable first draft.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Scan",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-2:111111111111:table/my-consumer-name"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:DescribeStream",
                "kinesis:DescribeStreamConsumer",
                "kinesis:DescribeStreamSummary",
                "kinesis:GetShardIterator",
                "kinesis:GetRecords",
                "kinesis:ListShards",
                "kinesis:PutRecord",
                "kinesis:PutRecords",
                "kinesis:RegisterStreamConsumer",
                "kinesis:SubscribeToShard"
            ],
            "Resource": [
                "arn:aws:kinesis:us-west-2:111111111111:stream/my-stream-name",
                "arn:aws:kinesis:us-west-2:111111111111:stream/my-stream-name/consumer/my-consumer-name",
                "arn:aws:kinesis:us-west-2:111111111111:stream/my-stream-name/consumer/my-consumer-name:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Leave a Reply

Your email address will not be published. Required fields are marked *