Tags: amazon-web-services, aws-cloudformation, amazon-iam, amazon-kinesis, resource-based-authorization

How to add a resource-based policy to an AWS Kinesis stream using CloudFormation


I want to write to Kinesis from an external AWS account, and I managed to do it by adding a resource-based policy to the Kinesis stream. Is there a way to add a resource-based policy to a Kinesis stream using CloudFormation? I know we have AWS::Lambda::Permission for Lambda resource-based policies. I am trying to find something similar for Kinesis.

I tried the type below, but it says it is an invalid type.

  # StreamName is the logical ID of an AWS::Kinesis::Stream resource in the same
  # template: !Ref returns the stream name and !GetAtt StreamName.Arn its ARN.
  # (If StreamName were a Parameter, !GetAtt would not resolve.)
  MyKinesisStreamPolicy:
    Type: AWS::Kinesis::StreamPolicy   # rejected as an invalid type, see below
    Properties:
      StreamName: !Ref StreamName
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: StreamWriteStatementID
            Effect: Allow
            # Only the external account and one role in it may write; no wildcard principal.
            Principal:
              AWS:
                - !Ref SourceAccountNumber
                - !Sub 'arn:aws:iam::${SourceAccountNumber}:role/${SourceIAMRole}'
            Action:
              - 'kinesis:DescribeStreamSummary'
              - 'kinesis:ListShards'
              - 'kinesis:PutRecord'
              - 'kinesis:PutRecords'
            Resource: !GetAtt StreamName.Arn

Solution

  • CloudFormation doesn't yet support that resource type (as of the time of this answer). See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Kinesis.html

    So if you want to create a policy for a Kinesis stream via CloudFormation, you would need to make a CustomResource and do it yourself via APIs. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html for info on that process.
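The custom-resource route the answer describes, worked through as an added example (this is not code from the question, the answer, or AWS): a Lambda-backed custom resource that puts the same resource-based policy on the stream on Create/Update, removes it on Delete, and always reports back to CloudFormation. It assumes the template declares the resource as `Custom::KinesisStreamPolicy` with properties `StreamArn`, `SourceAccountId` and `SourceRoleName` (names chosen here), that the Lambda's execution role has `kinesis:PutResourcePolicy` and `kinesis:DeleteResourcePolicy` on the stream, and that the Kinesis client exposes `put_resource_policy` / `delete_resource_policy`. The `FakeKinesis` client and the sample event are constructed so the module runs offline.

```python
"""Lambda-backed CloudFormation custom resource for a Kinesis resource-based policy.

Added example, not from the original page. Assumed property names:
StreamArn, SourceAccountId, SourceRoleName (hypothetical).
"""
import json
import urllib.request

# Actions the external account needs in order to write (mirrors the question's statement).
WRITE_ACTIONS = [
    "kinesis:DescribeStreamSummary",
    "kinesis:ListShards",
    "kinesis:PutRecord",
    "kinesis:PutRecords",
]


def build_policy(stream_arn, source_account_id, source_role_name):
    """Build the policy document: only the named account and role may write to the stream."""
    if not (source_account_id.isdigit() and len(source_account_id) == 12):
        raise ValueError("SourceAccountId must be a 12-digit AWS account ID")
    role_arn = f"arn:aws:iam::{source_account_id}:role/{source_role_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "StreamWriteStatementID",
            "Effect": "Allow",
            "Principal": {"AWS": [source_account_id, role_arn]},
            "Action": WRITE_ACTIONS,
            "Resource": stream_arn,
        }],
    }


def assert_no_wildcard_principal(policy):
    """Refuse a policy that would let any AWS principal write to the stream."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        values = aws if isinstance(aws, list) else [aws]
        if "*" in values:
            raise ValueError(f"statement {stmt.get('Sid')} grants access to any principal")


def apply_request(event, kinesis):
    """Map a Create/Update/Delete request onto Kinesis API calls; returns the status string."""
    props = event["ResourceProperties"]
    stream_arn = props["StreamArn"]
    if event["RequestType"] == "Delete":
        # Idempotent: a policy that is already gone must not block stack deletion.
        try:
            kinesis.delete_resource_policy(ResourceARN=stream_arn)
        except kinesis.exceptions.ResourceNotFoundException:
            pass
        return "SUCCESS"
    policy = build_policy(stream_arn, props["SourceAccountId"], props["SourceRoleName"])
    assert_no_wildcard_principal(policy)
    # Update simply overwrites; the policy is replaced as a whole, not merged.
    kinesis.put_resource_policy(ResourceARN=stream_arn, Policy=json.dumps(policy))
    return "SUCCESS"


def send_response(event, status, reason, physical_id):
    """PUT the result to the pre-signed ResponseURL, as the custom-resource protocol requires."""
    body = json.dumps({
        "Status": status, "Reason": reason, "PhysicalResourceId": physical_id,
        "StackId": event["StackId"], "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
    }).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)


def handler(event, context, kinesis=None):
    """Lambda entry point. Always answers CloudFormation, otherwise the stack hangs until timeout."""
    if kinesis is None:
        import boto3  # imported lazily so the module also loads offline with a fake client
        kinesis = boto3.client("kinesis")
    # Physical ID derived from the stream ARN: changing the stream on Update makes
    # CloudFormation send a Delete for the old ARN afterwards.
    physical_id = event["ResourceProperties"]["StreamArn"] + "/policy"
    try:
        status, reason = apply_request(event, kinesis), "ok"
    except Exception as exc:  # report the failure instead of letting the stack hang
        status, reason = "FAILED", str(exc)
    send_response(event, status, reason, physical_id)
    return status


class FakeKinesis:
    """Constructed stand-in for boto3's Kinesis client so the module runs offline."""
    class exceptions:
        class ResourceNotFoundException(Exception):
            pass

    def __init__(self):
        self.policies = {}

    def put_resource_policy(self, ResourceARN, Policy):
        self.policies[ResourceARN] = json.loads(Policy)

    def delete_resource_policy(self, ResourceARN):
        if ResourceARN not in self.policies:
            raise self.exceptions.ResourceNotFoundException(ResourceARN)
        del self.policies[ResourceARN]


# Constructed Create event in the shape CloudFormation sends (only the fields apply_request needs).
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResourceProperties": {
        "StreamArn": "arn:aws:kinesis:us-east-1:111111111111:stream/demo",
        "SourceAccountId": "222222222222",
        "SourceRoleName": "Writer",
    },
}

if __name__ == "__main__":
    fake = FakeKinesis()
    print(apply_request(SAMPLE_EVENT, fake), json.dumps(fake.policies, indent=2))
```

Wire it up in the template with `Type: Custom::KinesisStreamPolicy`, `ServiceToken: !GetAtt PolicyFunction.Arn`, and `StreamArn: !GetAtt StreamName.Arn`, and add `DependsOn` on the stream if the ARN is passed any other way. The wildcard check is there because a resource-based policy with `"AWS": "*"` makes the stream writable from every AWS account, which is the one mistake a cross-account policy must never make.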