Permission management system providing granular access control for Kinesis streams with automatic KMS key permissions when encryption is enabled.
Grant read access to Kinesis streams including necessary KMS decrypt permissions for encrypted streams.
/**
* Grant read permissions for this stream and its contents to an IAM principal
* If an encryption key is used, permission to use the key to decrypt will also be granted
* @param grantee - IAM principal (Role/Group/User) to grant permissions to
* @returns Grant object containing the granted permissions
*/
grantRead(grantee: iam.IGrantable): iam.Grant;Read Operations Granted:
kinesis:DescribeStreamSummary - Get stream summary informationkinesis:GetRecords - Retrieve records from streamkinesis:GetShardIterator - Get shard iterator for readingkinesis:ListShards - List stream shardskinesis:SubscribeToShard - Subscribe to shard for enhanced fan-outkinesis:DescribeStream - Get detailed stream informationkinesis:ListStreams - List streams (if needed)Usage Examples:
import * as kinesis from '@aws-cdk/aws-kinesis';
import * as iam from '@aws-cdk/aws-iam';
const stream = new kinesis.Stream(this, 'MyStream', {
encryption: kinesis.StreamEncryption.KMS
});
// Grant read permissions to a Lambda execution role
const lambdaRole = new iam.Role(this, 'LambdaRole', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
description: 'Role for Lambda to read from Kinesis stream'
});
stream.grantRead(lambdaRole);
// Grant read permissions to a user
const dataAnalyst = new iam.User(this, 'DataAnalyst');
stream.grantRead(dataAnalyst);
// Grant read permissions to an existing role by ARN
const existingRole = iam.Role.fromRoleArn(
this,
'ExistingRole',
'arn:aws:iam::123456789012:role/MyExistingRole'
);
stream.grantRead(existingRole);Grant write access to Kinesis streams including necessary KMS encrypt permissions for encrypted streams.
/**
* Grant write permissions for this stream and its contents to an IAM principal
* If an encryption key is used, permission to use the key to encrypt will also be granted
* @param grantee - IAM principal (Role/Group/User) to grant permissions to
* @returns Grant object containing the granted permissions
*/
grantWrite(grantee: iam.IGrantable): iam.Grant;Write Operations Granted:
kinesis:ListShards - List stream shards (required for writing)kinesis:PutRecord - Put single record to streamkinesis:PutRecords - Put multiple records to streamUsage Examples:
const stream = new kinesis.Stream(this, 'MyStream', {
encryption: kinesis.StreamEncryption.KMS
});
// Grant write permissions to an application role
const applicationRole = new iam.Role(this, 'ApplicationRole', {
assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
description: 'Role for application to write to Kinesis stream'
});
stream.grantWrite(applicationRole);
// Grant write permissions to a Kinesis Analytics application
const analyticsRole = new iam.Role(this, 'AnalyticsRole', {
assumedBy: new iam.ServicePrincipal('kinesisanalytics.amazonaws.com')
});
stream.grantWrite(analyticsRole);Grant both read and write access to Kinesis streams with comprehensive KMS permissions for encrypted streams.
/**
* Grant read/write permissions for this stream and its contents to an IAM principal
* If an encryption key is used, permission to use the key for encrypt/decrypt will also be granted
* @param grantee - IAM principal (Role/Group/User) to grant permissions to
* @returns Grant object containing the granted permissions
*/
grantReadWrite(grantee: iam.IGrantable): iam.Grant;Usage Examples:
const stream = new kinesis.Stream(this, 'MyStream', {
encryption: kinesis.StreamEncryption.KMS
});
// Grant full access to an admin role
const adminRole = new iam.Role(this, 'AdminRole', {
assumedBy: new iam.AccountPrincipal('123456789012')
});
stream.grantReadWrite(adminRole);
// Grant full access to a data processing pipeline role
const pipelineRole = new iam.Role(this, 'PipelineRole', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
description: 'Role for data pipeline with full stream access'
});
stream.grantReadWrite(pipelineRole);Grant specific custom permissions on Kinesis streams for fine-grained access control.
/**
* Grant the indicated permissions on this stream to the provided IAM principal
* @param grantee - IAM principal (Role/Group/User) to grant permissions to
* @param actions - Specific Kinesis actions to grant
* @returns Grant object containing the granted permissions
*/
grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;Usage Examples:
const stream = new kinesis.Stream(this, 'MyStream');
// Grant only shard listing permission
const monitoringRole = new iam.Role(this, 'MonitoringRole', {
assumedBy: new iam.ServicePrincipal('cloudwatch.amazonaws.com')
});
stream.grant(monitoringRole, 'kinesis:ListShards');
// Grant multiple specific permissions
const customRole = new iam.Role(this, 'CustomRole', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com')
});
stream.grant(
customRole,
'kinesis:DescribeStream',
'kinesis:DescribeStreamSummary',
'kinesis:ListShards'
);
// Grant administrative permissions
const streamAdminRole = new iam.Role(this, 'StreamAdminRole', {
assumedBy: new iam.UserPrincipal('arn:aws:iam::123456789012:user/admin')
});
stream.grant(
streamAdminRole,
'kinesis:DescribeStream',
'kinesis:ListShards',
'kinesis:SplitShard',
'kinesis:MergeShards',
'kinesis:UpdateShardCount'
);When streams are encrypted, permissions are automatically granted to the associated KMS key.
Automatic KMS Permissions:
// For read access (grantRead)
// - kms:Decrypt permission on the encryption key
// For write access (grantWrite)
// - kms:Encrypt permission on the encryption key
// - kms:GenerateDataKey permission on the encryption key
// For read/write access (grantReadWrite)
// - kms:Decrypt permission on the encryption key
// - kms:Encrypt permission on the encryption key
// - kms:GenerateDataKey permission on the encryption keyUsage Examples:
const customKey = new kms.Key(this, 'StreamKey', {
description: 'Key for Kinesis stream encryption'
});
const encryptedStream = new kinesis.Stream(this, 'EncryptedStream', {
encryption: kinesis.StreamEncryption.KMS,
encryptionKey: customKey
});
const consumerRole = new iam.Role(this, 'ConsumerRole', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com')
});
// This automatically grants both Kinesis read permissions AND KMS decrypt permissions
encryptedStream.grantRead(consumerRole);
const producerRole = new iam.Role(this, 'ProducerRole', {
assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com')
});
// This automatically grants Kinesis write permissions AND KMS encrypt/GenerateDataKey permissions
encryptedStream.grantWrite(producerRole);Grant permissions to principals in different AWS accounts.
const stream = new kinesis.Stream(this, 'SharedStream');
// Grant access to a role in another account
const crossAccountRole = iam.Role.fromRoleArn(
this,
'CrossAccountRole',
'arn:aws:iam::999999999999:role/DataConsumerRole'
);
stream.grantRead(crossAccountRole);
// Grant access to an entire account
const accountPrincipal = new iam.AccountPrincipal('999999999999');
stream.grant(accountPrincipal, 'kinesis:GetRecords', 'kinesis:GetShardIterator');Common patterns for AWS service integration with Kinesis streams.
const stream = new kinesis.Stream(this, 'IntegrationStream');
// Lambda function consumer
const consumerFunction = new lambda.Function(this, 'Consumer', {
// ... function configuration
});
stream.grantRead(consumerFunction);
// Kinesis Analytics application
const analyticsApp = new kinesisanalytics.Application(this, 'Analytics', {
// ... application configuration
});
stream.grantRead(analyticsApp);
// Kinesis Firehose delivery stream
const deliveryStream = new firehose.DeliveryStream(this, 'Delivery', {
// ... delivery stream configuration
});
stream.grantRead(deliveryStream);Add conditions to permissions for enhanced security.
const stream = new kinesis.Stream(this, 'ConditionalStream');
const role = new iam.Role(this, 'ConditionalRole', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com')
});
// Create custom policy with conditions
const conditionalPolicy = new iam.PolicyStatement({
actions: ['kinesis:PutRecord', 'kinesis:PutRecords'],
resources: [stream.streamArn],
conditions: {
StringEquals: {
'kinesis:partition-key': ['allowed-partition-key']
},
IpAddress: {
'aws:SourceIp': ['203.0.113.0/24']
}
}
});
role.addToPolicy(conditionalPolicy);