@aws-cdk/aws-kinesis

Amazon Kinesis Construct Library

---

---

Amazon Kinesis provides collection and processing of large streams of data records in real time. Kinesis data streams can be used for rapid and continuous data intake and aggregation.

Table Of Contents

• Streams
  • Encryption
  • Import
  • Permission Grants
    • Read Permissions
    • Write Permissions
    • Custom Permissions

Streams

Amazon Kinesis Data Streams ingests a large amount of data in real time, durably stores the data, and makes the data available for consumption.

Using the CDK, a new Kinesis stream can be created as part of the stack using the construct's constructor. You may specify the streamName to give your own identifier to the stream. If not, CloudFormation will generate a name.

new Stream(this, "MyFirstStream", {
  streamName: "my-awesome-stream"
});

You can also specify properties such as shardCount to indicate how many shards the stream should choose and a retentionPeriod to specify how long the data in the shards should remain accessible. Read more at Creating and Managing Streams

new Stream(this, "MyFirstStream", {
  streamName: "my-awesome-stream",
  shardCount: 3,
  retentionPeriod: Duration.hours(48)
});

Encryption

Stream encryption enables server-side encryption using an AWS KMS key for a specified stream.

Encryption is enabled by default on your stream with the master key owned by Kinesis Data Streams in regions where it is supported.

new Stream(this, 'MyEncryptedStream');

You can enable encryption on your stream with a user-managed key by specifying the encryption property. A KMS key will be created for you and associated with the stream.

new Stream(this, "MyEncryptedStream", {
  encryption: StreamEncryption.KMS
});

You can also supply your own external KMS key to use for stream encryption by specifying the encryptionKey property.

import * as kms from "@aws-cdk/aws-kms";

const key = new kms.Key(this, "MyKey");

new Stream(this, "MyEncryptedStream", {
  encryption: StreamEncryption.KMS,
  encryptionKey: key
});

Import

Any Kinesis stream that has been created outside the stack can be imported into your CDK app.

Streams can be imported by their ARN via the Stream.fromStreamArn() API

const stack = new Stack(app, "MyStack");

const importedStream = Stream.fromStreamArn(
  stack,
  "ImportedStream",
  "arn:aws:kinesis:us-east-2:123456789012:stream/f3j09j2230j"
);

Encrypted Streams can also be imported by their attributes via the Stream.fromStreamAttributes() API

import { Key } from "@aws-cdk/aws-kms";

const stack = new Stack(app, "MyStack");

const importedStream = Stream.fromStreamAttributes(
  stack,
  "ImportedEncryptedStream",
  {
    streamArn: "arn:aws:kinesis:us-east-2:123456789012:stream/f3j09j2230j",
    encryptionKey: kms.Key.fromKeyArn(
      "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    )
  }
);

Permission Grants

IAM roles, users or groups which need to be able to work with Amazon Kinesis streams at runtime should be granted IAM permissions.

Any object that implements the IGrantable interface (has an associated principal) can be granted permissions by calling:

• grantRead(principal) - grants the principal read access
• grantWrite(principal) - grants the principal write permissions to a Stream
• grantReadWrite(principal) - grants principal read and write permissions

Read Permissions

Grant read access to a stream by calling the grantRead() API. If the stream has an encryption key, read permissions will also be granted to the key.

const lambdaRole = new iam.Role(this, 'Role', {
  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
  description: 'Example role...',
}

const stream = new Stream(this, 'MyEncryptedStream', {
    encryption: StreamEncryption.KMS
});

// give lambda permissions to read stream
stream.grantRead(lambdaRole);

The following read permissions are provided to a service principal by the grantRead() API:

• kinesis:DescribeStreamSummary
• kinesis:GetRecords
• kinesis:GetShardIterator
• kinesis:ListShards
• kinesis:SubscribeToShard

Write Permissions

Grant write permissions to a stream is provided by calling the grantWrite() API. If the stream has an encryption key, write permissions will also be granted to the key.

const lambdaRole = new iam.Role(this, 'Role', {
  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
  description: 'Example role...',
}

const stream = new Stream(this, 'MyEncryptedStream', {
    encryption: StreamEncryption.KMS
});

// give lambda permissions to write to stream
stream.grantWrite(lambdaRole);

The following write permissions are provided to a service principal by the grantWrite() API:

• kinesis:ListShards
• kinesis:PutRecord
• kinesis:PutRecords

Custom Permissions

You can add any set of permissions to a stream by calling the grant() API.

const user = new iam.User(stack, 'MyUser');

const stream = new Stream(stack, 'MyStream');

// give my user permissions to list shards
stream.grant(user, 'kinesis:ListShards');

Changelog

1.62.0 (2020-09-03)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• eks: when importing EKS clusters using eks.Cluster.fromClusterAttributes, the clusterArn attribute is not supported anymore, and will always be derived from clusterName.
• eks: Only a single eks.Cluster is allowed per CloudFormation stack.
• eks: The securityGroups attribute of ClusterAttributes is now securityGroupIds.
• cli: --qualifier must be alphanumeric and not longer than 10 characters when bootstrapping using newStyleStackSynthesis.

Features

• appsync: support Input Types for code-first approach (#10024) (3f80ae6)
• appsync: support query & mutation generation for code-first approach (#9992) (1ed119e), closes #9308 #9310
• aws-chatbot: Support L2 construct for SlackChannelConfiguration of chatbot. (#9702) (05f5e62), closes #9679
• bootstrap: customizable bootstrap template (#9886) (2596ef7), closes #9256 #8724 #3684 #1528 #9681
• cli: control progress output style with --progress=bar|events (#9623) (56de5e1), closes #8696
• cloudfront: import existing CloudFrontWebDistributions (#10007) (ff33b54), closes #5607
• cloudfront: support includeBody for Lambda@Edge (#10008) (9ffb268), closes #7085
• ecs: bottlerocket support (#10097) (088abec), closes #10085
• eks: kubectl layer customization (#10090) (0aa7ada), closes #7992
• eks: support adding k8s resources to imported clusters (#9802) (4439481), closes #5383
• logs: specify log group's region for LogRetention (#9804) (0ccbc5d)
• pipelines: SimpleSynthAction takes array of build commands (#10152) (44fcb4e), closes #9357
• pipelines: add control over underlying CodePipeline (#10148) (41531b5), closes #9021
• rds: add support for joining instance to domain (#9943) (f2d77d1), closes #9869
• rds: custom security groups for OptionGroups (ea1072d), closes #9240
• rds: custom security groups for OptionGroups (#10011) (5738dc1), closes #9240
• rds: performance insights for DatabaseCluster instances (#10092) (9c1b0c1), closes #7957
• rds: rename DatabaseInstanceNewProps.vpcPlacement to vpcSubnets (#10093) (ec423ef), closes #9776
• elasticloadbalancingv2: convenience method for ALB redirects (#9913) (5bed08a)

Bug Fixes

• apigateway: burst and rate limits are set to unlimited when configured to 0 (#10088) (96f1772), closes #10071
• appsync: GraphQLApi.UserPoolConfig requires DefaultAction (#10031) (6114045), closes #10028
• aws-elasticloadbalancingv2: fix load balancer deletion protection to properly update when set to false (#9986) (a65dd19)
• aws-sns: enable topic encryption with cross account keys (#10056) (327b72a), closes #10055
• aws-stepfunctions-tasks: missing permission to get build status (#10081) (cbdd084), closes #8043
• aws-stepfunctions-tasks: SageMaker create training job has incorrect property name for AttributeNames (#10026) (ba51ea3), closes #10014
• cfn-include: allow Conditions to reference Mappings in their definitions (#10105) (aa2068f), closes #10099
• cfn-include: allow parameters to be replaced across nested stacks (#9842) (9ea8d5c), closes #9838
• cli: AssumeRole profiles require a [default] profile (#10032) (95c0332), closes #9937
• cli: bootstrapping qualifier length not validated (#10121) (e069263), closes #9255
• cli: Linux browser not supported for cdk docs (#9549) (663913f), closes #2847
• cli: re-bootstrapping loses previous configuration (#10120) (4e5829a), closes #10091
• cli: unable to upgrade new style bootstrap to version (#10030) (c5bb55c), closes #10016
• cloudfront: Distribution does not add edgelambda trust policy (#10006) (9098e29), closes #9998
• custom-resources: buffers returned by AwsCustomResource are unusable (#9977) (7f351ff), closes #9969 #10017
• eks: creating a ServiceAccount in a different stack than the Cluster creates circular dependency between the two stacks (#9701) (1e96ebc), closes 40aws-cdk/aws-eks/lib/service-account.ts#L81-L95 40aws-cdk/aws-eks/lib/cluster.ts#L914-L923 40aws-cdk/aws-eks/lib/cluster.ts#L907-L909
• eks: README.md grammar (#10072) (454cdc6)
• elbv2: add protocol to AddNetworkTargetsProps (#10054) (c7c00e7), closes aws/aws-cdk#10044
• elbv2: consider default protocol when validating redirectHTTP (#10100) (9e4c6d2)
• glue: tables not including classification (#9923) (61b45f3), closes #9902
• lamba: Add Java 8 Corretto Runtime support (77f9703)
• lambda: grantInvoke fails for imported IAM identities (#9957) (d748f44), closes #9883
• lambda-nodejs: cannot stat error with jsx/tsx handler (#9958) (25cfc18)
• lambda-python: allowPublicSubnet and filesystem not supported (#10022) (745922a), closes #10018 #10027
• redshift: single-node clusters fail with node count error (#9961) (2cd3ea2), closes #9856
• route53: value is too long error for TXT records (#9984) (fd4be21), closes #8244