Step 1: Create an IAM service role for DAX to access DynamoDB using the Amazon CLI - Amazon DynamoDB
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 1: Create an IAM service role for DAX to access DynamoDB using the Amazon CLI

Before you can create an Amazon DynamoDB Accelerator (DAX) cluster, you must create a service role for it. A service role is an Amazon Identity and Access Management (IAM) role that authorizes an Amazon service to act on your behalf. The service role allows DAX to access your DynamoDB tables as if you were accessing those tables yourself.

In this step, you create an IAM policy and then attach that policy to an IAM role. This enables you to assign the role to a DAX cluster so that it can perform DynamoDB operations on your behalf.

To create an IAM service role for DAX

  1. Create a file named service-trust-relationship.json with the following contents.

    {
    "Version": "2012-10-17",
    "Statement": [
       {
            "Effect": "Allow",
            "Principal": {
                "Service": "dax.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

  2. Create the service role.

    aws iam create-role \
    --role-name DAXServiceRoleForDynamoDBAccess \
    --assume-role-policy-document file://service-trust-relationship.json

  3. Create a file named service-role-policy.json with the following contents.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:PutItem",
                "dynamodb:GetItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:ConditionCheckItem"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:us-west-2:accountID:*"
            ]
        }
    ]
}

    Replace accountID with your Amazon account ID. To find your Amazon account ID, in the upper-right corner of the console, choose your login ID. Your Amazon account ID appears in the drop-down menu.

    In the Amazon Resource Name (ARN) in the example, accountID must be a 12-digit number. Don't use hyphens or any other punctuation.

  4. Create an IAM policy for the service role.

    aws iam create-policy \
    --policy-name DAXServicePolicyForDynamoDBAccess \
    --policy-document file://service-role-policy.json

    In the output, note the ARN for the policy that you created, as in the following example.

    arn:aws:iam::123456789012:policy/DAXServicePolicyForDynamoDBAccess

  5. Attach the policy to the service role. Replace arn in the following code with the actual role ARN from the previous step.

    aws iam attach-role-policy \
    --role-name DAXServiceRoleForDynamoDBAccess \
    --policy-arn arn

Next, you specify a subnet group for your default VPC. A subnet group is a collection of one or more subnets within your VPC. See Step 2: Create a subnet group.