Cross-account integration considerations with CMK - Amazon DynamoDB
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Cross-account integration considerations with CMK

When you integrate DynamoDB with Amazon Redshift, the initial action is launched from Amazon Redshift. If the required cross-account permissions are missing, the integration can fail silently rather than returning an explicit authorization error. The following sections detail the permissions required for this cross-account integration.

Required Amazon KMS policies and permissions

Replace the following placeholders in the examples:

  • REDSHIFT_ACCOUNT_ID: The Amazon Web Services account ID where Amazon Redshift is hosted

  • DYNAMODB_ACCOUNT_ID: The Amazon Web Services account ID where DynamoDB is hosted

  • REDSHIFT_ROLE_NAME: The IAM role name used by Amazon Redshift

  • REGION: The Amazon Web Services Region where your resources are located

  • TABLE_NAME: The name of your DynamoDB table

  • KMS_KEY_ID: The ID of your KMS key

KMS key policy in the DynamoDB account

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::DYNAMODB_ACCOUNT_ID:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow Redshift to use the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REDSHIFT_ACCOUNT_ID:role/REDSHIFT_ROLE_NAME"
      },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*"
    }
  ]
}

IAM policy for the Amazon Redshift role (in the Amazon Redshift account)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDynamoDBAccess",
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:ParitalBatchGetItem",
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "dynamodb:GetRecords",
        "dynamodb:GetShardIterator",
        "dynamodb:DescribeStream",
        "dynamodb:ListStreams"
      ],
      "Resource": [
        "arn:aws:dynamodb:REGION:DYNAMODB_ACCOUNT_ID:table/TABLE_NAME",
        "arn:aws:dynamodb:REGION:DYNAMODB_ACCOUNT_ID:table/TABLE_NAME/stream/*"
      ]
    },
    {
      "Sid": "AllowKMSAccess",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "arn:aws:kms:REGION:DYNAMODB_ACCOUNT_ID:key/KMS_KEY_ID"
    }
  ]
}

Trust relationship for the Amazon Redshift role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "redshift.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

DynamoDB table policy (if using resource-based policies)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRedshiftAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REDSHIFT_ACCOUNT_ID:role/REDSHIFT_ROLE_NAME"
      },
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:ParitalBatchGetItem",
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "dynamodb:GetRecords",
        "dynamodb:GetShardIterator",
        "dynamodb:DescribeStream",
        "dynamodb:ListStreams"
      ],
      "Resource": [
        "arn:aws:dynamodb:REGION:DYNAMODB_ACCOUNT_ID:table/TABLE_NAME",
        "arn:aws:dynamodb:REGION:DYNAMODB_ACCOUNT_ID:table/TABLE_NAME/stream/*"
      ]
    }
  ]
}

Important considerations

  1. Ensure the KMS key is in the same Region as your DynamoDB table.

  2. The KMS key must be a customer managed key (CMK), not an Amazon managed key.

  3. If you're using DynamoDB global tables, configure permissions for all relevant Regions.

  4. Consider adding condition statements to restrict access based on VPC endpoints or IP ranges.

  5. For enhanced security, consider using the aws:PrincipalOrgID condition key to restrict access to principals in your organization.

  6. Monitor KMS key usage through CloudTrail and CloudWatch metrics.
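Because a missing grant surfaces as a silent failure rather than an access-denied error, it helps to lint the two policies before enabling the integration. The following is an added example, not code from the DynamoDB or Amazon Redshift documentation: it checks that the key policy in the DynamoDB account grants the four KMS actions to the Redshift role, that the role's identity policy names the key in the DynamoDB account, and that the key and table share a Region (consideration 1). The account IDs, role name, key ID and table name are constructed placeholders.

```python
# KMS actions the Redshift role needs on the DynamoDB account's key, per the policies above.
REQUIRED_KMS_ACTIONS = {"kms:Decrypt", "kms:DescribeKey",
                        "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"}

def _as_list(value):  # IAM accepts a string or a list for Principal, Action and Resource
    return value if isinstance(value, list) else [value]
def _region(arn: str) -> str:  # arn:partition:service:region:account:resource
    return arn.split(":", 5)[3]

def kms_actions_granted(key_policy: dict, role_arn: str) -> set:
    """Required KMS actions that the key policy explicitly allows to role_arn."""
    granted = set()
    for st in key_policy.get("Statement", []):
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if st.get("Effect") == "Allow" and role_arn in principals:
            actions = set(_as_list(st.get("Action", [])))
            granted |= REQUIRED_KMS_ACTIONS if "kms:*" in actions else actions & REQUIRED_KMS_ACTIONS
    return granted

def check_cross_account_policies(key_policy, role_policy, role_arn, key_arn, table_arn) -> list:
    """Return findings; an empty list means the grants the page documents are all present."""
    findings = []
    missing = REQUIRED_KMS_ACTIONS - kms_actions_granted(key_policy, role_arn)
    if missing:
        findings.append(f"key policy does not grant {sorted(missing)} to {role_arn}")
    # The role's identity policy must name the key in the DynamoDB account, not a local key.
    kms_resources = set()
    for st in role_policy.get("Statement", []):
        if st.get("Effect") == "Allow" and any(a.startswith("kms:") for a in _as_list(st.get("Action", []))):
            kms_resources |= set(_as_list(st.get("Resource", [])))
    if key_arn not in kms_resources:
        findings.append(f"role policy does not allow KMS actions on {key_arn}")
    if _region(key_arn) != _region(table_arn):  # consideration 1: key in the same Region as the table
        findings.append("KMS key and DynamoDB table are in different Regions")
    return findings

# Constructed sample ARNs (placeholder account IDs and key ID, not real resources).
ROLE_ARN = "arn:aws:iam::222222222222:role/RedshiftIntegrationRole"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111111111111:table/Orders"
def sample_key_policy(actions_for_redshift):
    """Key policy shaped like the page's example, granting only the given actions to the role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": actions_for_redshift, "Resource": "*"}]}

SAMPLE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED_KMS_ACTIONS), "Resource": KEY_ARN}]}
```

Run the checker against the policies you are about to deploy (for example, the output of `aws kms get-key-policy` and `aws iam get-role-policy` parsed with `json.loads`); the root statement on the key alone does not satisfy the check, because the Redshift role must be named explicitly.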