In addition to https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/RedshiftforDynamoDB-zero-etl.html, this article provides a step-by-step guide to creating a cross-account DynamoDB zero-ETL integration with Amazon Redshift.
Replace the following placeholders:
- DYNAMODB_ACCOUNT_ID: The AWS account ID where the DynamoDB table is hosted
- REDSHIFT_ACCOUNT_ID: The AWS account ID where the Redshift instance is hosted
- TABLE_NAME: The name of your DynamoDB table
- REGION: The AWS Region name of your DynamoDB table
Prerequisites:
- A DynamoDB table has been created under AWS account DYNAMODB_ACCOUNT_ID
- A Redshift serverless namespace or provisioned cluster has been created under AWS account REDSHIFT_ACCOUNT_ID
- The DynamoDB table and Amazon Redshift cluster need to be in the same Region.
- The source DynamoDB table must be encrypted with either an Amazon-owned or Customer-managed AWS KMS key. Amazon managed encryption is not supported for the source DynamoDB table.
Create a cross-account DynamoDB zero-ETL integration with Amazon Redshift
- Ensure point-in-time recovery (PITR) is enabled on your source DynamoDB table TABLE_NAME under account DYNAMODB_ACCOUNT_ID.
- In the Amazon Redshift console under REDSHIFT_ACCOUNT_ID, go to the serverless or provisioned clusters dashboard.
- Choose the serverless namespace or provisioned cluster, and go to the Resource Policy tab. Choose Add authorized principals, enter the ARN below for the namespace, and click Save changes.
  arn:aws:iam::DYNAMODB_ACCOUNT_ID:root
- Choose Add authorized integration sources and specify the ARN of the source that is the data source for the zero-ETL integration.
  arn:aws:dynamodb:REGION:DYNAMODB_ACCOUNT_ID:table/TABLE_NAME

- In the Amazon Redshift console under AWS account DYNAMODB_ACCOUNT_ID, choose Zero-ETL integrations in the navigation pane.
- Choose Create DynamoDB integration. Enter a name for Integration name and choose Next.
- Choose Browse DynamoDB tables, choose the table that will be the source for this integration, and choose Next. You can use the Fix it for me option during the create integration step to automatically apply the required resource policies to both DynamoDB and Amazon Redshift.
- Choose your target Redshift data warehouse. When the target resides in a different account, you can provide the Amazon Resource Name (ARN) of the target Redshift cluster as below. Click Next to proceed.

- If your table is encrypted with a customer managed key, follow the steps below; otherwise skip this step. Click Next to proceed.
  a. Choose the table’s encryption key.
  b. Add the following key policy statement to your CMK in the KMS console. (Remember to replace the DYNAMODB_ACCOUNT_ID and REGION variables with appropriate values in your policy.)
     {
         "Sid": "Statement to allow Amazon Redshift service to perform Decrypt operation on the source DynamoDB Table",
         "Effect": "Allow",
         "Principal": {
             "Service": [
                 "redshift.amazonaws.com"
             ]
         },
         "Action": "kms:Decrypt",
         "Resource": "*",
         "Condition": {
             "StringEquals": {
                 "aws:SourceAccount": "<DYNAMODB_ACCOUNT_ID>"
             },
             "ArnEquals": {
                 "aws:SourceArn": "arn:aws:redshift:<REGION>:<DYNAMODB_ACCOUNT_ID>:integration:*"
             }
         }
     }

- Click “Create DynamoDB integration” to create the zero-ETL integration.
- In the Amazon Redshift console under AWS account REDSHIFT_ACCOUNT_ID, choose Zero-ETL integrations in the navigation pane. Verify the DynamoDB zero-ETL integration with Amazon Redshift under the “From other accounts” tab as shown in the following screenshot.
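A review check for the key policy statement in step b, added here as an example and not part of the original article or AWS documentation: it flags wildcard or extra KMS actions and confirms that the aws:SourceAccount and aws:SourceArn conditions pin the grant to the source account's integrations. The function names, the sample account ID and Region, and the assumption that kms:Decrypt is the only action needed (taken from the statement's Sid) are illustrative.

```python
EXPECTED_ACTIONS = {"kms:decrypt"}  # assumption: the Sid names only the Decrypt operation

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _cond(stmt, operator, key):
    """Values of one condition key; operator and key names compare case-insensitively."""
    for op, block in stmt.get("Condition", {}).items():
        if op.lower() == operator.lower():
            for k, v in block.items():
                if k.lower() == key.lower():
                    return _as_list(v)
    return []

def check_statement(stmt, source_account, region):
    """Return findings for one key policy statement; an empty list means it passed."""
    findings = []
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else [principal]
    if services != ["redshift.amazonaws.com"]:
        findings.append("principal is not exactly redshift.amazonaws.com")
    for action in _as_list(stmt.get("Action", [])):
        if "*" in action:
            findings.append(f"wildcard action {action}")
        elif action.lower() not in EXPECTED_ACTIONS:
            findings.append(f"unexpected action {action}")
    if _cond(stmt, "StringEquals", "aws:SourceAccount") != [source_account]:
        findings.append("aws:SourceAccount does not pin the source account")
    want_arn = f"arn:aws:redshift:{region}:{source_account}:integration:*"
    if _cond(stmt, "ArnEquals", "aws:SourceArn") != [want_arn]:
        findings.append("aws:SourceArn does not pin the source account's integrations")
    return findings

# Constructed sample values, not taken from any real account.
ACCOUNT, REGION = "111122223333", "us-east-1"

def sample(action, account=ACCOUNT):
    return {
        "Effect": "Allow", "Action": action, "Resource": "*",
        "Principal": {"Service": ["redshift.amazonaws.com"]},
        "Condition": {
            "StringEquals": {"aws:SourceAccount": account},
            "ArnEquals": {"aws:SourceArn": f"arn:aws:redshift:{REGION}:{account}:integration:*"},
        },
    }

if __name__ == "__main__":
    for action in ("kms:Decrypt", "kms:*"):
        print(action, "->", check_statement(sample(action), ACCOUNT, REGION) or "ok")
```

A statement that still contains the `<DYNAMODB_ACCOUNT_ID>` placeholder fails both condition checks, so the same function catches a policy that was pasted without substitution.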
