Can a specific partition key be enforced for the Kinesis PutRecord action, via IAM policy or other means?

0

Given a producer sending records to a stream by calling the PutRecord action, is there any way to enforce that the producer is calling PutRecord with a specific partition key?

I've checked this documentation page Actions, resources, and condition keys for Amazon Kinesis, and it does not seem like a condition exists to allow an IAM policy to restrict the partition key.

1 Answer
1

Hello,

I understand that you have a query regarding enforcing a specific partition key for the Kinesis PutRecord API.

  • Firstly, I would like to mention that currently the IAM action PutRecord doesn't support any condition keys. Also, it only supports resource restriction in terms of stream type -> arn:${Partition}:kinesis:${Region}:${Account}:stream/${StreamName}

  • Secondly, please note that the partition key is a mandatory parameter when using the PutRecord/PutRecords API call [1].

 PartitionKey

    Determines which shard in the stream the data record is assigned to. Partition keys are Unicode strings with a maximum length limit of 256 characters for each key. Amazon Kinesis Data Streams uses the partition key as input to a hash function that maps the partition key and associated data to a specific shard. Specifically, an MD5 hash function is used to map partition keys to 128-bit integer values and to map associated data records to shards. As a result of this hashing mechanism, all data records with the same partition key map to the same shard within the stream.

    Type: String

    Length Constraints: Minimum length of 1. Maximum length of 256.

    Required: Yes

  • As there is currently no way to restrict it from the API's end using condition keys, you will have to create a custom implementation in your own application code to enforce the usage of a specific/single partition key restriction when calling the PutRecord API. However, please note that the records will always land in a single shard in such a use case.

  • Finally, I also wanted to mention that the best practice provided by the service team regarding the partition key is to use random partition keys such as a UUID.


References:

[1] https://docs.aws.amazon.com/kinesis/latest/APIReference/API_PutRecord.html

AWS
Support Engineer
Yash_C
answered 2 years ago
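A sketch of the application-side enforcement the answer describes, added here as an example and not code from the answer or from AWS. `EnforcedKeyProducer`, `hash_key`, `shard_for` and the two-shard `SHARDS` layout are hypothetical names and constructed data; the client is assumed to expose boto3's `put_record(StreamName=..., Data=..., PartitionKey=...)`.

```python
import hashlib

# Constructed sample: a two-shard stream whose hash key ranges split the
# 128-bit space in half (the shape ListShards reports as HashKeyRange).
SHARDS = {
    "shardId-000000000000": (0, 2**127 - 1),
    "shardId-000000000001": (2**127, 2**128 - 1),
}

def hash_key(partition_key):
    """MD5 of the key as a 128-bit integer (UTF-8 encoding is an assumption)."""
    return int.from_bytes(hashlib.md5(partition_key.encode("utf-8")).digest(), "big")

def shard_for(partition_key, shards):
    """Return the shard whose hash key range contains the key's hash."""
    h = hash_key(partition_key)
    for shard_id, (start, end) in shards.items():
        if start <= h <= end:
            return shard_id
    raise LookupError("no shard covers hash key %d" % h)

class EnforcedKeyProducer:
    """Hypothetical wrapper: every PutRecord goes out with one fixed key."""

    def __init__(self, client, stream_name, partition_key):
        if not 1 <= len(partition_key) <= 256:
            raise ValueError("partition key must be 1 to 256 characters")
        self._client = client          # e.g. boto3.client("kinesis")
        self._stream = stream_name
        self._key = partition_key

    def put_record(self, data, partition_key=None):
        # Reject a caller-supplied key instead of silently overriding it,
        # so a misconfigured producer fails loudly.
        if partition_key is not None and partition_key != self._key:
            raise PermissionError("partition key %r is not allowed" % partition_key)
        return self._client.put_record(
            StreamName=self._stream, Data=data, PartitionKey=self._key
        )
```

Because IAM cannot restrict the key, this wrapper only guards code that goes through it; a principal holding kinesis:PutRecord on the stream can still call the API directly with any key. `shard_for` shows why a fixed key concentrates all traffic on one shard.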
