It is possible to Access AWS DynamoDB streams accross accounts?

Question

My company manages AWS using a multi-account system. I have a lambda function in account A and a DynamoDB table with a Stream enabled in account B. I want the stream events to trigger my function.

When I run:

aws lambda create-event-source-mapping --event-source-arn arn:aws:dynamodb:us-east-1:101010101:table/table/stream/2016-08-09T23:00:46.852 --function-name Lambda-qa --enabled --batch-size 10 --starting-position TRIM_HORIZON

I get the following error: An error occurred (InvalidParameterValueException) when calling the CreateEventSourceMapping operation: Role and event source must be in the same account as the cloud function

Looks like the Lambda function and DynamoDB stream have to be in the same account. But can read the the DynamoDB stream in accountA from accountB through some other means? A redirection, SNS, SQS, S3 or a custom app.

Answer 1

Unfortunately, no.

From AWS docs:

"Important

You must create a DynamoDB table in the same region where you created the Lambda function. This tutorial assumes the US East (N. Virginia) region. In addition, both the table and the Lambda functions must belong to the same AWS account."

(emphasis added)

Reference: http://docs.aws.amazon.com/lambda/latest/dg/with-ddb-configure-ddb.html

Answer 2

Since DynamoDB is using Kinesis in the backend for its streams, you can't create a cross-account event source mapping between DynamoDB table and lambda.

This is documented in the following blog post from AWS:

How do I invoke my Lambda function using a cross-account Kinesis stream?

Lambda doesn't currently support cross-account triggers from Kinesis or any stream-based sources.

The blog post also provides a workaround:

As a workaround, you can use a "poller" Lambda function in the same account as the Kinesis stream (account A) to invoke a "processor" Lambda function in the other account (account B).