AWS enable access to kinesis stream for different account

Question

I have one kinesis stream created in my account, I need to provide access to another user who is there in another root account.

1. I did not find any way to add a policy for the stream, so How to provide access to another user in a different account?

2. How the user is another account can access the Kinesis stream?

Answer 1

You need to create appropriate IAM policy (such as AWSLambdaKinesisExecutionRole tailored to specific stream that you want to share).

Create IAM role of type Another AWS Account where you need to specify account ID of the account with which you want to share your stream, and attach the above mentioned IAM policy to that role.

Go to the other account and create new IAM policy such as this.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::THE-SOURCE-ACCOUNT:role/UpdateApp"
  }
}

Where resource is the ARN of the role created in the source account. ( THE-SOURCE-ACCOUNT is that account's ID). Attach this policy to the user that needs that cross-account access to Kinesis stream. Now that user should have access to the stream if they assume the new role.