Define AWS IAM for data streams

Define the Identity and Access Management (IAM) policy for your Amazon Web Services (AWS) account according to the permissions that are required.

The minimum IAM permissions for data streams include viewing the configuration and changing tags. The following JSON example defines the minimum permissions that you need to run cloud database service protection. You can use the sample JSON (or create your own) after you make the following changes:
  • For the values in the Resource parameter, replace the <AWS_ACCOUNT_ID> placeholder in the account portion of each Amazon Resource Name (ARN) with your account ID.
  • For the KMS resource, replace the * (asterisk) wildcard with the key that you used to create the database activity stream. If your site has multiple keys, you can leave the key set to the * wildcard.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:ListStreams",
                "cloudwatch:PutMetricData",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:RegisterStreamConsumer",
                "kinesis:DescribeStreamConsumer",
                "kinesis:ListStreamConsumers",
                "kinesis:DescribeStreamSummary",
                "kinesis:DescribeStream",
                "kinesis:GetShardIterator",
                "kinesis:GetRecords",
                "kinesis:ListShards",
                "kinesis:SubscribeToShard"
            ],
            "Resource": "arn:aws:kinesis:*:<AWS_ACCOUNT_ID>:stream/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Scan",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem"
            ],
            "Resource": "arn:aws:dynamodb:*:<AWS_ACCOUNT_ID>:table/*"
        }
    ]
}
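Before attaching the policy, it is worth confirming that the two edits described above were actually made. The following script is an added check, not part of the original page or its product: it parses a policy document, flags any Resource that still contains the <AWS_ACCOUNT_ID> placeholder or names a different account, and warns when a kms action is still granted on "*". The account ID and key ID in the embedded sample are constructed values.

```python
# Audit a data-streams IAM policy before attaching it (constructed example).
import json
import re

# Constructed sample: the page's policy shape with the account portion filled
# in and the KMS resource narrowed to a single key (key ID is a placeholder).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kinesis:ListStreams", "cloudwatch:PutMetricData"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["kinesis:GetRecords", "kinesis:SubscribeToShard"],
         "Resource": "arn:aws:kinesis:*:123456789012:stream/*"},
        {"Effect": "Allow",
         "Action": ["kms:Decrypt"],
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:*:123456789012:table/*"},
    ],
})

# arn:partition:service:region:account:... -> capture service and account.
ARN_RE = re.compile(r"^arn:aws:([a-z0-9-]+):[^:]*:([^:]*):")

def audit_policy(policy_text: str, account_id: str) -> list:
    """Return a list of findings; an empty list means the policy is ready."""
    findings = []
    policy = json.loads(policy_text)
    for n, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            if "<AWS_ACCOUNT_ID>" in res:
                findings.append(f"statement {n}: placeholder <AWS_ACCOUNT_ID> not replaced")
                continue
            m = ARN_RE.match(res)
            if m and m.group(2) and m.group(2) != account_id:
                findings.append(f"statement {n}: ARN account {m.group(2)} != {account_id}")
            if res == "*" and any(a.startswith("kms:") for a in actions):
                findings.append(f"statement {n}: kms actions on '*'; scope to the stream's key unless several keys are in use")
    return findings
```

Run `audit_policy(open("policy.json").read(), "<your account ID>")` and fix every finding before you attach the policy.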