I want to write to Kinesis from an external AWS account, and I managed to do it by adding a resource-based policy to the Kinesis stream. Is there a way to add a resource-based policy to a Kinesis stream using CloudFormation? I know we have AWS::Lambda::Permission for Lambda resource-based policies. Trying to find something similar for Kinesis.
I tried the type below, but it says it is an invalid type.
MyKinesisStreamPolicy:
  Type: AWS::Kinesis::StreamPolicy
  Properties:
    StreamName: !Ref StreamName
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: StreamWriteStatementID
          Effect: Allow
          Principal:
            AWS:
              - !Ref SourceAccountNumber
              - !Sub 'arn:aws:iam::${SourceAccountNumber}:role/${SourceIAMRole}'
          Action:
            - 'kinesis:DescribeStreamSummary'
            - 'kinesis:ListShards'
            - 'kinesis:PutRecord'
            - 'kinesis:PutRecords'
          Resource: !GetAtt StreamName.Arn
CloudFormation doesn't yet support that resource type (as of the time of this answer). See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Kinesis.html
So if you want to create a policy for a Kinesis stream via CloudFormation you would need to make a CustomResource and do it yourself via APIs. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html for info on that process.
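As an added illustration of the custom-resource route the answer describes (example code, not from the question, the answer, or AWS), here is a Lambda handler that a CloudFormation custom resource could invoke to attach the same write-only policy to a stream. It assumes the boto3 Kinesis client's put_resource_policy / delete_resource_policy calls, the standard custom-resource request/response contract, and custom properties named StreamArn, SourceAccountId and SourceRoleArn.

```python
"""Lambda-backed CloudFormation custom resource that manages a Kinesis
stream resource policy (added example, not the page's own code).
Assumes boto3's kinesis put_resource_policy / delete_resource_policy."""
import json
import urllib.request

# Same least-privilege action set as the question's template: write only.
WRITE_ACTIONS = ["kinesis:DescribeStreamSummary", "kinesis:ListShards",
                 "kinesis:PutRecord", "kinesis:PutRecords"]


def build_policy(stream_arn, account_id, role_arn):
    """Policy granting the named external account and role write access."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "StreamWriteStatementID",
        "Effect": "Allow",
        "Principal": {"AWS": [account_id, role_arn]},
        "Action": WRITE_ACTIONS,
        "Resource": stream_arn}]}


def send_response(event, status, reason=""):
    """CloudFormation blocks on this PUT; skipping it hangs the stack."""
    body = json.dumps({
        "Status": status, "Reason": reason,
        "PhysicalResourceId": event["ResourceProperties"]["StreamArn"],
        "StackId": event["StackId"], "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"]}).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body,
                                 method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(req)


def handler(event, context):
    import boto3  # lazy import keeps build_policy usable without boto3
    props = event["ResourceProperties"]
    kinesis = boto3.client("kinesis")
    try:
        if event["RequestType"] == "Delete":
            # Remove the grant so the external principal loses access.
            kinesis.delete_resource_policy(ResourceARN=props["StreamArn"])
        else:  # Create or Update replaces the whole policy document
            policy = build_policy(props["StreamArn"],
                                  props["SourceAccountId"],
                                  props["SourceRoleArn"])
            kinesis.put_resource_policy(ResourceARN=props["StreamArn"],
                                        Policy=json.dumps(policy))
        send_response(event, "SUCCESS")
    except Exception as exc:  # report FAILED so the stack rolls back
        send_response(event, "FAILED", str(exc))
```

The Lambda execution role needs only kinesis:PutResourcePolicy and kinesis:DeleteResourcePolicy on the target stream ARN, and the stack must invoke this resource after the stream exists.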