AWS amazondynamodb medium security documentation change
Summary
Added detailed section 'Share access with cross-account AWS Lambda functions' with step-by-step instructions for configuring cross-account access between Lambda functions and DynamoDB Streams
Security assessment
This change documents resource-based policies for cross-account access control, specifically detailing how to grant DynamoDB Stream permissions (DescribeStream, GetRecords, etc.) to external Lambda functions. It explicitly addresses security by providing guidance on least-privilege access configuration between accounts.
Diff
diff --git a/amazondynamodb/latest/developerguide/rbac-cross-account-access.md b/amazondynamodb/latest/developerguide/rbac-cross-account-access.md index bb04d7955..d33b76cf0 100644 --- a//amazondynamodb/latest/developerguide/rbac-cross-account-access.md +++ b//amazondynamodb/latest/developerguide/rbac-cross-account-access.md @@ -4,0 +5,2 @@ +Share access with cross-account AWS Lambda functions + @@ -27,0 +30,28 @@ The requests will be logged in the CloudTrail logs of both the owner and the req +## Share access with cross-account AWS Lambda functions + +**Lambda functions in account A** + + 1. Go to the [IAM console](https://console.aws.amazon.com/iam/) to create an IAM role that will be used as the [ Lambda execution role](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html) for your AWS Lambda function in account A. Add the managed IAM policy `AWSLambdaDynamoDBExecutionRole` which has the required DynamoDB Streams and Lambda invocation permissions. This policy also grants access to all potential DynamoDB Streams resources you may have access to in account A. + + 2. In the [ Lambda console](https://console.aws.amazon.com/lambda/), create an AWS Lambda function to process records in a DynamoDB stream and during the setup for the execution role, choose the role you created in the previous step. + + 3. Provide the Lambda function execution role to the DynamoDB Streams' owner of account B to configure the resource-based policy for cross-account read access. + + 4. Finish setting up the Lambda function. + + + + +**DynamoDB Stream in Account B** + + 1. Get the cross-account Lambda execution role from account A that will invoke the Lambda function. + + 2. On the Amazon DynamoDB console in account B, choose the table for Lambda cross-account trigger. Under the **Exports and streams** tab, locate your DynamoDB stream ARN. Ensure that DynamoDB Stream status is On and note the full stream ARN as you will need it for the resource policy. + + 3. Under the **Permissions** tab, click the **create stream policy** button to start the visual policy editor. Click the **Add new statement** button or edit the policy if one already exists. + + 4. Create a policy that specifies the Lambda execution role in account A as the principal and grant the required DynamoDB Stream actions. Make sure to include the actions `dynamodb:DescribeStream`, `dynamodb:GetRecords`, `dynamodb:GetShardIterator`, and `dynamodb:ListShards`. For more information on example resource policies for DynamoDB Streams, see [ DynamoDB resource-based policy examples](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-examples.html). + + + +