UNPKG

aws-cdk-lib

Version:

Version 2 of the AWS Cloud Development Kit library

github.com/aws/aws-cdk

aws/aws-cdk

189 lines (134 loc) 6.4 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
# Amazon Kinesis Construct Library [Amazon Kinesis](https://docs.aws.amazon.com/streams/latest/dev/introduction.html) provides collection and processing of large [streams](https://aws.amazon.com/streaming-data/) of data records in real time. Kinesis data streams can be used for rapid and continuous data intake and aggregation. ## Table Of Contents - [Streams](#streams) - [Encryption](#encryption) - [Import](#import) - [Permission Grants](#permission-grants) - [Read Permissions](#read-permissions) - [Write Permissions](#write-permissions) - [Custom Permissions](#custom-permissions) - [Metrics](#metrics) ## Streams Amazon Kinesis Data Streams ingests a large amount of data in real time, durably stores the data, and makes the data available for consumption. Using the CDK, a new Kinesis stream can be created as part of the stack using the construct's constructor. You may specify the `streamName` to give your own identifier to the stream. If not, CloudFormation will generate a name. ```ts new kinesis.Stream(this, 'MyFirstStream', { streamName: 'my-awesome-stream', }); ``` You can also specify properties such as `shardCount` to indicate how many shards the stream should choose and a `retentionPeriod` to specify how long the data in the shards should remain accessible. Read more at [Creating and Managing Streams](https://docs.aws.amazon.com/streams/latest/dev/working-with-streams.html) ```ts new kinesis.Stream(this, 'MyFirstStream', { streamName: 'my-awesome-stream', shardCount: 3, retentionPeriod: Duration.hours(48), }); ``` ### Encryption [Stream encryption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html) enables server-side encryption using an AWS KMS key for a specified stream. Encryption is enabled by default on your stream with the master key owned by Kinesis Data Streams in regions where it is supported. ```ts new kinesis.Stream(this, 'MyEncryptedStream'); ``` You can enable encryption on your stream with a user-managed key by specifying the `encryption` property. A KMS key will be created for you and associated with the stream. ```ts new kinesis.Stream(this, 'MyEncryptedStream', { encryption: kinesis.StreamEncryption.KMS, }); ``` You can also supply your own external KMS key to use for stream encryption by specifying the `encryptionKey` property. ```ts const key = new kms.Key(this, 'MyKey'); new kinesis.Stream(this, 'MyEncryptedStream', { encryption: kinesis.StreamEncryption.KMS, encryptionKey: key, }); ``` ### Import Any Kinesis stream that has been created outside the stack can be imported into your CDK app. Streams can be imported by their ARN via the `Stream.fromStreamArn()` API ```ts const importedStream = kinesis.Stream.fromStreamArn(this, 'ImportedStream', 'arn:aws:kinesis:us-east-2:123456789012:stream/f3j09j2230j', ); ``` Encrypted Streams can also be imported by their attributes via the `Stream.fromStreamAttributes()` API ```ts const importedStream = kinesis.Stream.fromStreamAttributes(this, 'ImportedEncryptedStream', { streamArn: 'arn:aws:kinesis:us-east-2:123456789012:stream/f3j09j2230j', encryptionKey: kms.Key.fromKeyArn(this, 'key', 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012', ), }); ``` ### Permission Grants IAM roles, users or groups which need to be able to work with Amazon Kinesis streams at runtime should be granted IAM permissions. Any object that implements the `IGrantable` interface (has an associated principal) can be granted permissions by calling: - `grantRead(principal)` - grants the principal read access - `grantWrite(principal)` - grants the principal write permissions to a Stream - `grantReadWrite(principal)` - grants principal read and write permissions #### Read Permissions Grant `read` access to a stream by calling the `grantRead()` API. If the stream has an encryption key, read permissions will also be granted to the key. ```ts const lambdaRole = new iam.Role(this, 'Role', { assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), description: 'Example role...', }); const stream = new kinesis.Stream(this, 'MyEncryptedStream', { encryption: kinesis.StreamEncryption.KMS, }); // give lambda permissions to read stream stream.grantRead(lambdaRole); ``` The following read permissions are provided to a service principal by the `grantRead()` API: - `kinesis:DescribeStreamSummary` - `kinesis:GetRecords` - `kinesis:GetShardIterator` - `kinesis:ListShards` - `kinesis:SubscribeToShard` #### Write Permissions Grant `write` permissions to a stream is provided by calling the `grantWrite()` API. If the stream has an encryption key, write permissions will also be granted to the key. ```ts const lambdaRole = new iam.Role(this, 'Role', { assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), description: 'Example role...', }); const stream = new kinesis.Stream(this, 'MyEncryptedStream', { encryption: kinesis.StreamEncryption.KMS, }); // give lambda permissions to write to stream stream.grantWrite(lambdaRole); ``` The following write permissions are provided to a service principal by the `grantWrite()` API: - `kinesis:ListShards` - `kinesis:PutRecord` - `kinesis:PutRecords` #### Custom Permissions You can add any set of permissions to a stream by calling the `grant()` API. ```ts const user = new iam.User(this, 'MyUser'); const stream = new kinesis.Stream(this, 'MyStream'); // give my user permissions to list shards stream.grant(user, 'kinesis:ListShards'); ``` ### Metrics You can use common metrics from your stream to create alarms and/or dashboards. The `stream.metric('MetricName')` method creates a metric with the stream namespace and dimension. You can also use pre-define methods like `stream.metricGetRecordsSuccess()`. To find out more about Kinesis metrics check [Monitoring the Amazon Kinesis Data Streams Service with Amazon CloudWatch](https://docs.aws.amazon.com/streams/latest/dev/monitoring-with-cloudwatch.html). ```ts const stream = new kinesis.Stream(this, 'MyStream'); // Using base metric method passing the metric name stream.metric('GetRecords.Success'); // using pre-defined metric method stream.metricGetRecordsSuccess(); // using pre-defined and overriding the statistic stream.metricGetRecordsSuccess({ statistic: 'Maximum' }); ```