Step 2 - Review the AWS IAM policy for the IAM role

We have pre-created the IAM role DDBReplicationRole that will be used as the AWS Lambda Execution Role. This IAM role allows provides several permissions to the AWS Lambda function we will need to replicate data.

Review the following policy which is attached to the IAM role DDBReplicationRole.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:ListStreams"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "dynamodb:DeleteItem",
                "dynamodb:PutItem"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

These are some of the permissions granted to the Lambda function in the policy:

  • The AWS Lambda service should have the ability to call DynamoDB Streams and retrieve records from the stream.
{
    "Action": [
        "dynamodb:DescribeStream",
        "dynamodb:GetRecords",
        "dynamodb:GetShardIterator",
        "dynamodb:ListStreams"
    ],
    "Resource": [
        "*"
    ],
    "Effect": "Allow"
}
  • The Lambda function can put and delete items only in the logfile_replica table.
{
    "Action": [
        "dynamodb:DeleteItem",
        "dynamodb:PutItem"
    ],
    "Resource": [
        "*"
    ],
    "Effect": "Allow"
}
  • Log events are published to Amazon CloudWatch Logs (but in this lab they are not available).
{
    "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
    ],
    "Resource": [
        "*"
    ],
    "Effect": "Allow"
}